Ticket #9577 (closed PLIP: wontfix)
Increase control panel permission granularity
| Reported by: | dukebody | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | Future |
| Component: | Templates/CSS | Version: | |
| Keywords: | | Cc: | |
Description
http://plone.org/products/plone/roadmap/248
Each control panel configlet provided by Plone core and/or add-on products should have an independent permission in order to make it possible for roles to grant/deny access to that control panel.
Proposed by
Jon Stahl
Seconded by
Alex Limi
Proposal type
Process
State
being-discussed
Definitions
Motivation
Right now, access to many Plone control panels is governed by the "Manage Portal Content" permission, which means that it is virtually impossible to create custom roles that allow access to some, but not all, control panel configlets.
This makes it hard to create roles that give less-experienced users the control they need over their site without exposing them to switches that allow them to do accidental damage.
Assumptions
This PLIP is partially intended to support PLIP 249, which is about new user roles, but is also useful for people building custom roles.
Proposal
All Plone core control panel configlets should be guarded by a separate, individual permission in the form:
"Control Panel: access <name of configlet> configlet"
e.g.
"Control Panel: access Users & Groups configlet"
"Control Panel: access Themes configlet"
"Control Panel: access Add/Remove Products configlet"
This format is important because the only way to group items in the "Security" tab of the ZMI is to sort alphabetically.
We will also state that this is a "best practice" for add-on products, and update the add-on products developer manual accordingly.
In addition, we should probably make sure that we have explicit permissions for:
- Using the "actions" menu
- Using "display" menu to change the layout/view on a content object
Implementation
Plone 3.x provides the following configlets:
- Add/Remove Products
- Calendar
- Collection
- Content Rules
- Error Log
- HTML Filtering
- Kupu visual editor
- Language
- Maintenance
- Markup
- Navigation
- Search
- Security
- Site settings
- Themes
- Types
- Users and Groups
- Zope Management Interface
A permission will need to be created for each, and the control panel will need to check that permission before displaying the item, or allowing it to be viewed.
Deliverables
Risks
Progress log
Participants
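The per-configlet permission scheme from the Proposal and Implementation sections above, modelled as an added example that is not Plone code and not part of the original ticket. The role names, `ROLE_GRANTS` and all function names are hypothetical; the point shown is that the permission is checked both when listing configlets and again when one is opened.

```python
# Added illustration: a stand-alone model, not Plone's security machinery.
CONFIGLETS = [
    "Add/Remove Products", "Calendar", "Collection", "Content Rules",
    "Error Log", "HTML Filtering", "Kupu visual editor", "Language",
    "Maintenance", "Markup", "Navigation", "Search", "Security",
    "Site settings", "Themes", "Types", "Users and Groups",
    "Zope Management Interface",
]

class Unauthorized(Exception):
    """Raised when a role lacks the permission guarding a configlet."""

def permission_for(configlet):
    # Naming format from the proposal; the shared prefix keeps the entries
    # adjacent in an alphabetically sorted permission list.
    return "Control Panel: access %s configlet" % configlet

# Hypothetical roles: the designer may restyle the site but not manage users.
ROLE_GRANTS = {
    "Site Designer": {permission_for("Themes"), permission_for("Navigation")},
    "Manager": {permission_for(c) for c in CONFIGLETS},
}

def has_permission(role, configlet):
    return permission_for(configlet) in ROLE_GRANTS.get(role, set())

def visible_configlets(role):
    """Display-time check: list only the configlets the role may open."""
    return [c for c in CONFIGLETS if has_permission(role, c)]

def open_configlet(role, configlet):
    """View-time check: enforced even if the caller bypasses the listing."""
    if configlet not in CONFIGLETS:
        raise KeyError(configlet)
    if not has_permission(role, configlet):
        raise Unauthorized(permission_for(configlet))
    return "rendering %s" % configlet

def sorted_permissions(extra=()):
    """All permission names in the order an alphabetical listing shows them."""
    return sorted([permission_for(c) for c in CONFIGLETS] + list(extra))

if __name__ == "__main__":
    print(visible_configlets("Site Designer"))
    try:
        open_configlet("Site Designer", "Users and Groups")
    except Unauthorized as exc:
        print("denied:", exc)
```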
Change History
comment:2 Changed 5 years ago by rossp
- Status changed from new to closed
- Resolution set to wontfix
PLEASE READ THIS AND RE-OPEN VALID PLIPS!
As we launch the new PLIP process we'd like to see which PLIPs:
- are still appropriate/needed
- still have owners/proposers/champions
- still have available implementers
If this PLIP should still be considered for future releases of Plone please do re-open this ticket and assign an appropriate milestone. If it should be considered for the next release of Plone, use the 4.2 milestone. Also be sure to update the PLIP description, requester, owner, etc. and include a comment detailing recent progress and new plans. We will use all these details in the new continuous PLIP process.
Suitable permissions already exist for some control panels: