Question

I have a Plone website and created a menu item.

In the sharing tab I add each user that can post a topic.

How can I prevent user1 from editing posts owned by user2? Currently user1 can edit user2's posts.

Previously I tried creating a group, assigning each user to this group and adding the group using the sharing tab, but in this way one user can edit posts from another user.


Solution

Just subtract (uncheck) the 'Can edit' permission in the sharing tab. The creator of an item is by default also its owner, and owners have edit permission, thus users can edit their own items but not those of others.

Update (according to the new comment):

To inhibit the add-privilege on subfolders you'll need to break the inheritance of the Contributors role, to which the 'Can add' permission is assigned.

However this seems not to be possible yet. Quoting Martin Aspeli from his article "Understanding permissions and roles":

"Currently (until Plone 2.1, most likely), local roles can be added at a lower level in the acquisition tree, but not taken away".

So you need to look for another approach and, as Martijn already suggested, you'll most likely want to go with a custom workflow for your - assumingly folderish - content type and for all types that should be allowed to be added in it (fortunately, by default Images and Files inherit the state of their parent; otherwise you would probably have to think of a multi-chained workflow, but that's worth a new post even, or - ugly - create copies of content types only to give them another workflow).

In that case, do as follows:

  • Create a workflow as advised in http://developer.plone.org/content/workflow.html (I updated it lately, please let us know if you have suggestions for improvements or contribute yourself).

  • Add the 'Add portal content' permission to your workflow (in the ZMI click on your workflow name and hit the permissions tab, then select it from the dropdown).

  • For each state in your workflow (click on the state's name), uncheck 'Acquire permission settings'; this way you break the inheritance of the Contributors role. Then check the 'Add portal content' permission for each role you want to grant it, which would be at least the Owner role in your case, and you might also want Managers to be able to access everything.

Update2:

Another, more challenging but IMHO much better, approach could be:

On your content type's initialization (= your ct's class is called) trigger a script (f.e. with a content rule/event handler/subscriber, or in your ct's class definition itself), which looks up the inherited sharing permissions on the parent, blocks them (__ac_local_roles_block__ = True) and reassigns all roles again, except the Contributor one, for the newborn object (your folderish content type). This would avoid creating a whole new workflow just to solve this case.

To do this, please read the docs (just updated, comments always welcome), to see how an event handler is registered:

http://developer.plone.org/components/events.html?highlight=events#example-register-an-event-handler-on-your-contenttype-s-creation

The executed Python script could contain something like:

from Acquisition import aq_parent


def inhibit_parent_inherited_contributor_role(obj, event):
    """ Blocks local-roles on freshly created children in our
        contenttype and re-assigns all its parent's local-roles but
        'Contributor' to the child. Registered as an (obj, event)
        subscriber, see the docs linked above.
    """
    # Block all inherited local-permissions, also of grand-parents:
    obj.__ac_local_roles_block__ = True

    # Local roles already set directly on the child (e.g. the creator's
    # 'Owner' role), so the re-assignment below does not wipe them:
    own_roles = dict(obj.get_local_roles())

    # Get local-roles assigned to parent and only to parent:
    parent_roles = aq_parent(obj).get_local_roles()

    # Iterate over each assigned user and group to get their roles:
    for userid, roles in parent_roles:
        # Collect the parent's roles for this principal, excluding 'Contributor':
        new_roles = [role for role in roles if role != 'Contributor']

        # Keep the roles the child already assigns to the same principal:
        for role in own_roles.get(userid, ()):
            if role not in new_roles:
                new_roles.append(role)

        # manage_setLocalRoles() replaces the principal's roles on the child
        # and raises ValueError for an empty list, so only call it with roles:
        if new_roles:
            obj.manage_setLocalRoles(userid, new_roles)

Disclaimer:

I have tested this with IObjectEditedEvent, which works fine. Whereas the IObjectAddedEvent is fired four times (why?) and I wasn't able to tame that quickly, but plone.app.contentrules' handlers.py does :) Have a closer look at it, maybe including a content rule in the solution can be even better.

For an in-depth code-example about roles, see Andreas Jung's lovely zopyx.plone.cassandra and its computeRoleMap.py .

And I haven't looked at collective.subtractiveworkflow, yet. In case you do, please tell us about it :)
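As an added illustration (not code from the answer, nor from Plone or Zope), here is a small pure-Python model of what the answer relies on: local roles acquired up the containment chain, the creator becoming Owner, a `Can edit` (Editor) role on the folder making other users' posts editable, and `__ac_local_roles_block__` cutting the acquisition off. The `Item` class and the function names are made up for the model; real Plone resolves roles through its security machinery, not this way.

```python
CONTRIBUTOR = 'Contributor'
EDIT_ROLES = {'Owner', 'Editor', 'Manager'}   # roles that may edit an item


class Item(object):
    """A content object with local roles and a parent (hypothetical class)."""

    def __init__(self, name, parent=None, creator=None):
        self.name = name
        self.parent = parent
        self.local_roles = {}            # userid -> list of roles set here
        self.local_roles_block = False   # models __ac_local_roles_block__
        if creator is not None:
            self.local_roles[creator] = ['Owner']  # creator becomes Owner

    def set_local_roles(self, userid, roles):
        """Mirrors manage_setLocalRoles(): replaces, refuses an empty list."""
        if not roles:
            raise ValueError('One or more roles must be given!')
        self.local_roles[userid] = list(roles)


def effective_roles(obj, userid):
    """Walk up the containment chain collecting local roles, stopping at
    the first object (including obj itself) that blocks acquisition."""
    roles = set()
    node = obj
    while node is not None:
        roles.update(node.local_roles.get(userid, ()))
        if node.local_roles_block:
            break
        node = node.parent
    return roles


def can_edit(obj, userid):
    return bool(effective_roles(obj, userid) & EDIT_ROLES)


def block_inherited_contributor(child):
    """What the answer's handler does: block acquisition on the new child and
    copy the parent's local roles onto it, minus Contributor, keeping any
    roles the child already assigns (e.g. the creator's Owner role)."""
    child.local_roles_block = True
    for userid, roles in child.parent.local_roles.items():
        new_roles = [r for r in roles if r != CONTRIBUTOR]
        new_roles += [r for r in child.local_roles.get(userid, ()) if r not in new_roles]
        if new_roles:                     # an empty list would raise, see above
            child.set_local_roles(userid, new_roles)
```

Note that the block also stops roles granted further up (grandparents) from reaching the child, which is why only the direct parent's roles are copied back.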

OTHER TIPS

You need to restrict editing to the Owner role if you only want to have users edit their own content.

Licensed under: CC-BY-SA with attribution