Stan McFarland

Reputation: 11

Multilevel security in Plone?

Is there any way to accomplish the following?

I would like each object in Plone to be associated with one or more security classifications (e.g. 'alpha', 'bravo', 'zulu'). These classifications would be part of the content type's schema. At runtime, the user's security credentials would be compared against the object, and if and only if the user had all the credentials of the object would the object be viewable. I can't see any way of doing this in workflow.

Open to suggestions. Thanks!

Stan

Upvotes: 1

Views: 218

Answers (3)

cewing

Reputation: 2248

Bear in mind that CMFWorkflow allows for an object to have more than one workflow associated with it. It might be possible for you to implement the various levels of your scheme as individual workflows and then attach them to your objects.

Upvotes: 2

ggozad

Reputation: 13105

Here is also how you could do it with workflow. Note I am not saying you should do it with workflow, just that you can ;) You would need a (large) number of states. How large depends on the combinations (!=permutations) of your security states. The number of combinations of choosing m things among n things is given by:

n!/(m!(n-m)!),

where ! is the factorial.

For instance, for the example you give, you have 3 security states: alpha, bravo and zulu. This gives:

3!/(1!2!) + 3!/(2!1!) + 3!/(3!0!) = 3 + 3 + 1 = 7

The sum is the combinations of having 1, 2, or 3 of them together. So there you go, seven states all in all ;)

The transitions are a different beast. If you do need to be able to go from any of these combined states to any other then you would have to calculate permutations as going from a to b is different to going from b to a. Permutations are given by:

n!/(n-m)!

i.e. for the 7 states above you would have 7!/(7-2)!=7*6=42 (!!!) transitions. You could of course simplify the transitions by only allowing adding/removing one security state each time. There you go, I hope you have as much fun reading this as I had writing it :)

Upvotes: 1

Auspex

Reputation: 2254

You need a localrole adapter that can examine the user's credentials (presumably you already have some one to give them such credentials, as - beyond the basic concept of roles - they don't exist in base Plone), and grant a local_role based on the result.

See: http://plone.org/products/plone/roadmap/208.

It might be as simple as providing an __ac_local_roles() method, but if not, borg.localrole is now part of Plone and that link should get you started.

Upvotes: 2
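
An added example, not code from the thread or from Plone, of the check a local-role provider would make for the question's rule (the user must hold every classification on the object). The method names follow borg.localrole's ILocalRoleProvider; the `Cleared` role, the `classifications` attribute, the clearance lookup and the sample data are assumptions.

```python
# Added example: plain Python, no Plone imports, so it runs stand-alone.
# getRoles/getAllRoles mirror borg.localrole's ILocalRoleProvider methods;
# registering the adapter with Plone (ZCML) is left out.

CLEARED_ROLE = "Cleared"  # hypothetical role; map the View permission to it only


class ClassificationRoleProvider:
    """Grants CLEARED_ROLE when a user holds every classification on the object."""

    def __init__(self, context, clearances):
        self.context = context          # the content object being adapted
        self.clearances = clearances    # constructed lookup: user id -> set of labels

    def _labels(self):
        # Assumption: the schema field is exposed as `classifications`.
        return frozenset(getattr(self.context, "classifications", ()) or ())

    def getRoles(self, principal_id):
        labels = self._labels()
        held = self.clearances.get(principal_id)
        if held is None or not labels:
            # Design choice here: fail closed for unknown users and for
            # unlabelled objects (an empty set is a subset of anything).
            return ()
        # "If and only if the user had all the credentials of the object".
        return (CLEARED_ROLE,) if labels <= frozenset(held) else ()

    def getAllRoles(self):
        for principal_id in self.clearances:
            roles = self.getRoles(principal_id)
            if roles:
                yield principal_id, roles


class Doc:  # constructed stand-in for a Plone content object
    def __init__(self, *labels):
        self.classifications = labels


# Constructed sample data
CLEARANCES = {"alice": {"alpha", "bravo", "zulu"}, "bob": {"alpha"}}
```

Local roles only add roles in a context, so this restricts viewing only if the View permission on these objects is not also granted to a role the user already holds (Anonymous, Member and so on).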
