[Community] Security: Layer Visibility and Workflow

[Sean Gillies]

On Apr 26, 2006, at 6:15 AM, Ludwig M Brinckmann wrote:

> I am just in the process of putting the final touches to my plone  
> site before making it public and so I am tightening up security and  
> workflow (much too late, some might say)...
>
> I have an issue with the visibility of Primagis layers. With the  
> standard plone workflow if I publish a layer, I automatically also  
> allow an anonymous user to see the layer definition, which I do not  
> want.
> (Anon users still cannot change anything, so it does not really  
> compromise my site, but I do not like them to see things they  
> should not)
>
> E.g. I have a layer 'counties'. If I make it visible to the  
> anonymous user I also allow him to open
> www.mysite.com/map/counties.
>
> I tested some other sites for this (apologies), such as http:// 
> www.centralfrontenac.com/yc/township/departments/it/maps/map/,  
> which exhibits the same behaviour, so obviously the normal workflow  
> maybe exposes more than it should.
>
>
> One way to make the primagis layer inaccessible would be to give it  
> a cryptic name ('security' by hiding it in a haystack), obviously a  
> hack, which I do not like.
>
> I guess the right way is through workflows and I have added a  
> primagis_workflow, which allows anonymous users to 'view'  
> something, but not to 'access contents information' (in plone  
> speak). This primagis_workflow now controls the primagis layers.
>
> I am not too familiar with plone workflows and their implications,  
> so: is this the right way forward?
>
> The demo hosted at primagis.fi does not seem to exhibit problem, so  
> I wondered how you did it.
>
>
> Ludwig

Ludwig,

Yes, you're on the right track. If I remember correctly, the  
permissions on the primagis.fi demo site are managed simply through  
the ZMI Security tab, not through a workflow. Hopefully Kai will  
correct me if I'm wrong.

cheers,
Sean

---
Sean Gillies
http://zcologia.com