Security

Security information for every operation is checked against three informations:

  • Code definitions
  • Local definitions
  • Global definitions

Order or priority :

  • Local
  • Global
  • Code

Locally can be defined :

  • A user/group has a permission in this object and its not inherit
  • A user/group has a permission in this object and its going to be inherit
  • A user/group has a forbitten permission in this object and its inherit
  • A user/group has a role in this object and its not inherit
  • A user/group has a role in this object and its inherit
  • A user/group has a forbitten role in this object and its inherit
  • A role has a permission in this object and its not inherit
  • A role has a permission in this object and its inherit
  • A role has a forbitten permission in this object and its inherit

Globally :

  • This user/group has this Role
  • This user/group has this Permission

Code :

  • This user/group has this Role
  • This user/group has this permission
  • This role has this permission

Roles

There is two kind of roles : Global and Local. Ones that are defined to be local can’t be used globally and viceversa. On indexing the global roles are the ones that are indexed for security plus the flat user/group information from each resource.

Python helper functions


# Code to get the global roles that have access_content to an object
from plone.server.auth import get_roles_with_access_content
get_roles_with_access_content(obj)

# Code to get the user list that have access content to an object
from plone.server.auth import get_principals_with_access_content
get_principals_with_access_content(obj)


# Code to get all the security info
from plone.server.auth import settings_for_object
settings_for_object(obj)

# Code to get the Interaction object ( security object )
from zope.security.interfaces import IInteraction

interaction = IInteraction(request)

# Get the list of global roles for a user and some groups
interaction.global_principal_roles(principal, groups)

# Get if the authenticated user has permission on a object
interaction.check_permission(permission, obj)

REST APIS

Get all the endpoints and its security

[GET] APPLICATION_URL/@apidefinition (you need plone.GetPortals permission)

Get the security info for a resource (with inherited info)

[GET] RESOURCE/@sharing (you need plone.SeePermissions permission)

Modify the local roles/permission for a resource

[POST] RESOURCE/@sharing (you need plone.ChangePermissions permission)

  {
    "type": "Allow",
    "prinrole": {
        "principal_id": ["role1", "role2"]
    },
    "prinperm": {
        "principal_id": ["perm1", "perm2"]
    },
    "roleperm": {
        "role1": ["perm1", "perm2"]
    }
  }

The different type of types are :

  • Allow : you set it on the resource and the childs will inherit
  • Deny : you set in on the resource and the childs will inherit
  • AllowSingle : you set in on the resource and the childs will not inherit
  • Unset : you remove the setting