Plone Intranet workflow and group permissions


Problem description

Now, granted, this may be due to a misunderstanding of the roles/permissions model in Plone, as it's a little different than many systems I've worked with in the past, but here's the situation and where I'm getting stuck.

-- Client needs a Plone site (4.3.3) to be restricted to logged-in users only, with the option to make selected content visible to not logged in users. Easy enough, the Intranet workflow suits this purpose, allowing them to publish externally what they wish, and keep the rest internal. No problem here!

-- Now, this site has roughly 2K users, and a dozen or so groups they're organized into. Certain pages and folders (appearing on the top nav bar as well as a sidebar nav portlet) should only be visible to members of certain groups, read-only, and not visible at all to any other logged in users other than site admins. I have gone in to the "Sharing" tab of the folders and pages in question, unchecked the "Inherit Permissions From Higher Levels" box, and added the desired group, checking the "Can View" permission box. "Logged-In Users" shows no boxes checked, and no other group is shown. However, it seems to have no effect -- all logged in users, regardless of group affiliation can see the items in nav bars, visit them, and so forth.

-- I've attempted in frustration to create a new workflow that copies the intranet workflow, but has an additional publication state that removes the 'view' and 'access contents' rights of the Member role, but that has predictable results -- regardless of group sharing settings, no user who is not an Admin can see the items at that point.

So...what am I missing? Ideally, this is the permissions model we're striving for:

1.) By default, created items are visible to logged in users, read-only. A draft/internally publish state pair here is fine also.

2.) Certain items should be selectively published externally, accessible to anyone hitting the site.

3.) Of the items published internally, certain ones should only be accessible and visible to the members of certain groups. Write/add permissions are not relevant here -- there is a small group of site admins who will be handling that, we're only working with/struggling with selective view permissions.

I'm sure this is just a structural misunderstanding I have on the Plone security model, but if anyone can give me some pointers on where to start looking or how to structure a new Workflow to achieve the goal we're working towards, that would be great. Thank you in advance!

Recommended answer

Keep using the intranet workflow. For pages and folders that you want to make readable to a particular group:

1. Leave the page or folder in the private workflow state, NOT published internally. (I think this is the step you were missing.)
2. On the Sharing tab for the page or folder, grant 'Can view' to the group you want to share with, just like you already tried. You don't have to change the "inherit permissions from higher levels" checkbox.

In other words, putting an item in the internally published state grants the View permission to all users with the Member role, as you discovered. If you leave the item private you can then grant it more selectively using the sharing tab.
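
The interaction between workflow state and the Sharing tab described in the answer, as a simplified model added here for illustration (not code from the original post or from Plone itself). The role sets per state, the `admins_only` state, and the user and group ids are assumptions constructed for the example.

```python
# Simplified model of how Plone decides "can this user View this item?".
# The state -> roles maps below are assumptions that mirror what the answer
# describes; they are not copied from the real intranet_workflow definition.
VIEW_ROLES = {
    "private": {"Manager", "Site Administrator", "Owner", "Editor", "Reader"},
    "internally_published": {"Manager", "Site Administrator", "Owner",
                             "Editor", "Reader", "Member"},
    # Hypothetical custom state that maps View to admins only.
    "admins_only": {"Manager", "Site Administrator"},
}

class Item:
    def __init__(self, state, parent=None, inherit=True):
        self.state, self.parent, self.inherit = state, parent, inherit
        self.local_roles = {}  # principal (user or group id) -> set of roles

    def share(self, principal, *roles):
        """Sharing tab: 'Can view' corresponds to the Reader local role."""
        self.local_roles.setdefault(principal, set()).update(roles)

class User:
    def __init__(self, user_id, groups=(), global_roles=("Member",)):
        self.principals = {user_id, *groups}
        self.global_roles = set(global_roles)

def effective_roles(user, item):
    """Global roles plus local roles granted on the item or its ancestors."""
    roles = set(user.global_roles)
    node = item
    while node is not None:
        for principal, granted in node.local_roles.items():
            if principal in user.principals:
                roles |= granted
        node = node.parent if node.inherit else None
    return roles

def can_view(user, item):
    return bool(effective_roles(user, item) & VIEW_ROLES[item.state])

def visibility(state):
    """Return (group member sees it, other logged-in user sees it)."""
    site = Item("internally_published")
    page = Item(state, parent=site)
    page.share("hr-staff", "Reader")  # constructed group id
    member = User("alice", groups=("hr-staff",))
    outsider = User("bob", groups=("sales",))
    return can_view(member, page), can_view(outsider, page)
```

In this model a sharing grant only has an effect when the item's workflow state maps View to the granted local role and does not also map it to Member.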
