[Community] Security: Layer Visibility and Workflow

[Ludwig M Brinckmann]

I am just in the process of putting the final touches to my plone site 
before making it public and so I am tightening up security and workflow 
(much too late, some might say)...

I have an issue with the visibility of Primagis layers. With the standard 
plone workflow if I publish a layer, I automatically also allow an anonymous 
user to see the layer definition, which I do not want.
(Anon users still cannot change anything, so it does not really compromise 
my site, but I do not like them to see things they should not)

E.g. I have a layer 'counties'. If I make it visible to the anonymous user I 
also allow him to open
www.mysite.com/map/counties.

I tested some other sites for this (apologies), such as 
http://www.centralfrontenac.com/yc/township/departments/it/maps/map/, which 
exhibits the same behaviour, so obviously the normal workflow maybe exposes 
more than it should.


One way to make the primagis layer inaccessible would be to give it a 
cryptic name ('security' by hiding it in a haystack), obviously a hack, 
which I do not like.

I guess the right way is through workflows and I have added a 
primagis_workflow, which allows anonymous users to 'view' something, but not 
to 'access contents information' (in plone speak). This primagis_workflow 
now controls the primagis layers.

I am not too familiar with plone workflows and their implications, so: is 
this the right way forward?

The demo hosted at primagis.fi does not seem to exhibit problem, so I 
wondered how you did it.


Ludwig