Question

Overview

I need to be able to utilise a role, as you would a group. What I mean is as follows:

We have a customer that has a site, people are freely able to register themselves on it. The site is set to the Intranet/Extranet Workflow. When a user signs up, they are able to see Internally Published documents, but not internal draft documents. The manager of this site, once he has made correspondence with said user, can then "Tick a box next to their name, to show they are 'trusted'".

I need to be able to go to mysite.com/plone_control_panel, select Users and Groups, hit 'show all' and next to the roles, have another custom role that I can tick which will enable the user to have access to a particular folder on my site.

Research

I've been doing a lot of Googling and from what I can see this is possible; funnily enough I tried this on another site about a year ago on Plone 3.2.1 and it works well. Problem is I can't seem to replicate it on my new Plone 4 site (my documentation seems to have been lost).

What I did

  • Create a group under the "Users and Groups" in mysite.com/plone_control_panel named "Trusted Users".
  • Create a custom role (called "TrustedRole") under mysite.com/manage_main (Security tab)
  • Using mysite.com/acl_users/portal_role_manager add the "Trusted Users" group to my "TrustedRole" role.
  • Now under mysite.com/acl_users/portal_role_manager I can tick boxes in order to grant certain privileges to the "TrustedRole" role.

NOTE: I added the "TrustedRole" role because it then appears as an option next to the other roles when viewing users and groups under plone_control_panel.

This is as far as I have been able to get without my old documentation and I've hit a wall. It seems no matter what combinations of permissions I give to the "TrustedRole" role, I am unable to let them merely view internal draft documents. I have tried ticking every single box, and sure enough that works but then they are able to add, delete etc.

Currently under portal_role_manager I have the following permissions ticked for my "TrustedRole":

  • Access contents information
  • Allow sendto
  • View

I can assign my Group ("Trusted Users") to 'View' the document in question, by assigning them under the "Sharing" tab, but this isn't ideal as the manager wants to be able to simply tick a box next to each user under the "Users and Groups" section of plone_control_panel for them to have access. (He doesn't want to have to go into the group and assign users individually). Currently there are around 200 users and they tend to leave and rejoin quite a lot. So we're trying to cut down on the overhead of keeping the site running.

If anyone has any thoughts on what permissions I can tick to let the "TrustedRole" see internal draft documents I would greatly appreciate it.

NOTE: I have also tried giving my "TrustedRole" role the same permissions as "Site Administrator", then by a process of elimination going through and unticking permissions to get it down to the bare minimum; this has also failed me and I fear I have missed some important step that my missing documentation would have contained.

I have a feeling that only Owners can view content they have created that is set to Internal Draft. Is that correct?


Solution 2

Luckily I remembered (after much faffing around) how to do this; I've listed the steps below:

What this will do

The Role we will create has access to view items of a particular state. This is useful if you have someone managing the site with a lot of users and they want to 'bulk grant access' for certain users to see items that have a particular state.

How to

Create a new Group in plone_control_panel called whatever you want.

Go to portal_workflows in the ZMI, copy & paste the workflow and then under plone_control_panel, under the "Types" heading, update the site's workflow to the new one.

Go to the ZMI and select the "Security" tab.

At the bottom type a name for the custom role you want and hit "Add Role".

Depending on your workflow you may need to remove most of the "Members" permissions (default group for people). - (THIS WAS SPECIFIC TO MY USE CASE, AVOID THIS STEP IF NEEDS BE)

Tick the boxes giving your new role the permissions you want, currently I've found the following to work (although these will differ from site to site as requirements change):

  • Access contents information
  • Access inactive portal content
  • Allow sendto
  • List portal members
  • List undoable changes
  • Manage properties
  • Set own password
  • View
  • View Groups

After updating these settings (and any others regarding workflow), you need to go to portal_workflow/manage_selectWorkflows and press "Update security settings" at the bottom.

Then go to acl_users/portal_role_manager and select the role you have created, then Assign your group (the one created under plone_control_panel earlier).

Go to portal_workflow/manage_selectWorkflows, select the "Contents" tab, select the custom workflow you want and hit "States".

Click on the state you want the Role to be able to see and select the "Permissions" tab.

Add the necessary permissions for your custom role for that state.

When those have been saved remember to "Update security settings" as mentioned above for them to be applied.

If you have any questions or see anything is incorrect please comment below and I will amend this post.

OTHER TIPS

I think you added your group and role correctly, although it's very tricky to keep them separate when they have the same name, as Roles and Groups are not the same and, for me anyway, it's easy to confuse the two. You might consider assigning a role already in the workflow to your group, like "Member."

If you haven't customized the workflow then the default description for an internal draft should be "Visible to all intranet users, editable by the owner." In the ZMI, within Intranet/Extranet workflow and under the state, Internal Draft, the default roles with permissions (under the Permissions tab) are Editor, Manager, and Site Admin. From what you described, your role, TrustedRole, should be listed there. Do you have both "View" and "Access contents information" checked?

You said you already have "View" checked in the Security tab at the root of your site (yoursite.com/manage_access). Do you have the "Acquire?" box next to "View" checked?
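Both answers above turn on the same mechanism: a DCWorkflow state's "Permissions" tab writes a role map onto every object in that state, which shadows whatever is ticked on the site root's Security tab unless the "Acquire?" box is set, and the new map only reaches existing objects after "Update security settings". The toy model below is an added illustration of that resolution order, not Plone code and not part of either answer; the names `Node`, `update_role_mappings` and `trusted_role_scenario`, and the Internal Draft role map, are constructed for the example.

```python
# Added illustration (not Plone's real API): a toy model of how a workflow
# state's permission map shadows the site root's Security-tab mapping, and why
# "Update security settings" must be run. All names here are made up.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """A site root or content object. perms maps a permission name to
    (roles, acquire); acquire=True merges the parent's roles in."""
    name: str
    parent: Optional["Node"] = None
    state: Optional[str] = None
    perms: dict = field(default_factory=dict)

    def roles_for(self, permission):
        roles, acquire = self.perms.get(permission, (set(), True))
        if acquire and self.parent is not None:
            return set(roles) | self.parent.roles_for(permission)
        return set(roles)

    def allows(self, permission, user_roles):
        return bool(self.roles_for(permission) & set(user_roles))


def update_role_mappings(objects, states):
    """Model of portal_workflow 'Update security settings': copy each
    object's current state map onto the object, replacing what was there."""
    for obj in objects:
        for perm, (roles, acquire) in states[obj.state].items():
            obj.perms[perm] = (set(roles), acquire)


def trusted_role_scenario(state_acquires=False):
    """Return (before, without_update, after) for a user holding
    Member + TrustedRole on an 'internal' (Internal Draft) document."""
    root = Node("site")
    # Security tab at the root: View ticked for TrustedRole, as in the question.
    root.perms["View"] = ({"Manager", "Member", "TrustedRole"}, False)
    # Constructed Internal Draft map mirroring the answer: Editor, Manager, Site Admin.
    internal = {"View": ({"Editor", "Manager", "Site Administrator"}, state_acquires)}
    states = {"internal": internal}
    doc = Node("draft", parent=root, state="internal")
    update_role_mappings([doc], states)
    user = {"Member", "TrustedRole"}
    before = doc.allows("View", user)          # root grant alone is shadowed
    internal["View"][0].add("TrustedRole")     # tick the role on the state's Permissions tab
    without_update = doc.allows("View", user)  # object still carries the stale map
    update_role_mappings([doc], states)        # "Update security settings"
    return before, without_update, doc.allows("View", user)
```

With `state_acquires=True` (the "Acquire?" box ticked on the state), the root's grant is merged in and the user can already view before the state is edited.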

Licensed under: CC-BY-SA with attribution