Closed tomgross closed 2 years ago
Sorry, maybe off-topic, but for Plone 4.x I always use https://pypi.python.org/pypi/collective.deletepermission. This enables permissions for single folder objects to be deleted by an editor without being able to delete the folder. Maybe this is related to this issue?
Here is a workaround for this issue.
https://gist.github.com/adrianschulz/5c4ae747781674288ce1ad9dc95f43b0
I think this is working as designed. The Zope "Delete objects" permission is assigned to a container to allow deletion of the container's subitems. Removing the permission from a subitem does not prevent it from being deleted because the permission is checked in the context of the container.
A separate permission to control deletion of an item itself seems like a reasonable feature request. In the meantime, collective.deletepermission is a way to get this in an addon.
In Plone (5.0.2) there is a "Delete objects" permission for assigning the deletion of objects to certain roles. Using this permission works only in 2 of 3 tested scenarios:
Scenario 1: Delete object via portal action in tool bar -> OK
Scenario 2: Delete object(s) in a list of folder contents -> OK
Scenario 3: Delete a folder with objects which don't have the necessary permission set. -> DOES NOT WORK!
As an integrator I want consistent behavior when deleting objects and the security of not having objects deleted which an editor is not allowed to delete.
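
The container-context check discussed in this thread, and why scenario 3 deletes items whose own permission was removed, shown as a simplified model. This is an added example, not code from Zope, Plone, collective.deletepermission or the linked gist; the `Node` class, both functions and the sample tree are hypothetical, and the stricter per-item check is an assumed illustration of the feature request.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    delete_roles: set  # roles holding "Delete objects" on this node
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child

def subtree(node):
    """Yield node and every descendant."""
    yield node
    for child in node.children.values():
        yield from subtree(child)

def delete_container_check(container, name, roles):
    """Behaviour described in the thread: only the container is consulted."""
    if not roles & container.delete_roles:
        raise PermissionError(f"no delete permission on {container.name}")
    return [n.name for n in subtree(container.children.pop(name))]

def delete_item_check(container, name, roles):
    """Assumed stricter variant: every node being removed must allow it too."""
    if not roles & container.delete_roles:
        raise PermissionError(f"no delete permission on {container.name}")
    blocked = [n.name for n in subtree(container.children[name])
               if not roles & n.delete_roles]
    if blocked:
        raise PermissionError("not allowed to delete: " + ", ".join(blocked))
    return [n.name for n in subtree(container.children.pop(name))]

def build_site():
    """Constructed sample tree for scenario 3."""
    site = Node("site", {"Editor", "Manager"})
    folder = site.add(Node("folder", {"Editor", "Manager"}))
    folder.add(Node("open-doc", {"Editor", "Manager"}))
    folder.add(Node("protected-doc", {"Manager"}))  # Editor removed here
    return site

if __name__ == "__main__":
    print(delete_container_check(build_site(), "folder", {"Editor"}))
    try:
        delete_item_check(build_site(), "folder", {"Editor"})
    except PermissionError as exc:
        print("refused:", exc)
```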