Member and site admin permission issues in 3.4dev

[richardtc]

Hi,

I'm testing out 3.4dev, installed from github, and appear to have encountered two permission issues while setting up a private forum, as follows:

1. Members of the site, but not with sharing permissions to the forum, can access the forum (viewing and posting).
2. A site administrator cannot view the hidden ploneboard even if sharing permissions are given to the board.

It would be great if someone could confirm these observations.

Cheers,
Richard
Plone 4.2.3

[richardtc]

The site admin issue can be easily addressed by setting site admin permissions in portal_workflow, but uncertain about preventing access of site members into forums?

[jean]

preventing access of site members into forums?

Is the forum published or private? In the private state only Manager and
Owner has access (share the forum to give access), and no permissions are
acquired. See the state definition at:
yourplone/portal_workflow/ploneboard_workflow/states/private/manage_permissions

In the published state, Anonymous is granted access and Member acquires access
permissions:
yourplone/portal_workflow/ploneboard_workflow/states/published/manage_permissions

It looks like the private forum state should work for you.

jean . .. .... //\oo///\

[richardtc]

I have a hidden ploneboard and private forum with no sharing permissions permitted, but site members can access the forum and conversations.

[jean]

I have a hidden ploneboard and private forum with no sharing permissions permitted, but site members can access the forum and conversations.

What are the workflow states of the forum and conversations?
Check the permissions of that state at
yourplone/portal_workflow/ploneboard_forum_workflow/states/manage_main and
yourplone/portal_workflow/ploneboard_conversation_workflow/states/manage_main
respectively.
Perhaps the forum's private state will work for you.

Then correlate with the permissions which a specific user has in context:
yourplone/yourboard/this-is-a-forum/manage_reportUserPermissions?user=somesitememberid
(forum)
yourplone/yourboard/this-is-a-forum/515449099/manage_reportUserPermissions?user=somesitememberid
(conversation).

jean . .. .... //\oo///\

[richardtc]

This has proved rather tricky, taking many hours, but to prevent site members gaining access to forums and conversations, the approach that I'm taking (not finalised yet) is to:

1. Create a new role (at root of plone > security > add role e.g. boardmember)
2. modify the security settings of portal_ploneboard in the ZMI, by only giving 'View' access to Managers, Site Admin and newly created boardmember role (untick all other boxes).
3. modify workflow for boardmember for ploneboard objects at portal_workflow (working on this now, but it seems to work logically so far)

[jean]

On Wed, Apr 10, 2013 at 8:15 PM, richardtc [email protected] wrote:

1. modify the security settings of portal_ploneboard in the ZMI, by only giving 'View' access to Managers and Site Admin (untick all other boxes).

Are you modifying the workflow in /portal_workflow/ ? If not, your
work will disappear as soon as a workflow transition takes place.

1. modify workflow of ploneboard objects at portal_workflow (working on this now, but it seems to work logically so far)

This is where all changes to security should happen.

What board and forum states have you tried?
What results did you get when querying for the permissions of a member
on board/forum/conversation objects, in those forum states?

Just one other comment - I don't recall having this trouble in Plone 3.3?

DCWorkflow is one of the oldest parts of Plone ... it should work the
same now as before.

jean . .. .... //\oo///\

[jensens]

did you try using the Ploneboard with its intranet profile?