plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

Consistent usage of "Delete objects" permissions #1317

Closed tomgross closed 2 years ago

tomgross commented 8 years ago

In Plone (5.0.2) there is a "Delete objects" permission for assigning the deletion of objects to certain roles. Using this permission works only in 2 of 3 tested scenarios:

Scenario 1: Delete object via portal action in tool bar -> OK

Scenario 2: Delete object(s) in a list of folder contents -> OK

Scenario 3: Delete a folder with objects which don't have the necessary permission set. -> DOES NOT WORK!

 Folder           -> Deletion allowed -> deleted
   +--- Document1 -> Deletion allowed -> deleted
   +--- Document2 -> Deletion NOT allowed -> DELETED

As an integrator I want consistent behavior when deleting objects and the security of not having objects deleted which an editor is not allowed to delete.

petschki commented 8 years ago

Sorry, maybe off-topic, but for Plone 4.x I always use https://pypi.python.org/pypi/collective.deletepermission ... This enables permissions for single folder objects to be deleted by an editor without being able to delete the folder. Maybe this is related to this issue?

adrianschulz commented 8 years ago

Here is a workaround for this issue.

https://gist.github.com/adrianschulz/5c4ae747781674288ce1ad9dc95f43b0

davisagli commented 2 years ago

I think this is working as designed. The Zope "Delete objects" permission is assigned to a container to allow deletion of the container's subitems. Removing the permission from a subitem does not prevent it from being deleted because the permission is checked in the context of the container.

A separate permission to control deletion of an item itself seems like a reasonable feature request. In the meantime, collective.deletepermission is a way to get this in an addon.
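The behaviour discussed in this thread, as an added example that is not code from Plone, Zope, collective.deletepermission or any commenter. It is a simplified pure-Python model: `Item`, `allowed`, `blockers`, the two delete functions and the role names are all hypothetical, and the per-item check in the guarded variant is an assumption about what an integrator would want enforced.

```python
# Simplified model of the behaviour discussed in this thread; not Zope/Plone code.
from dataclasses import dataclass, field

DELETE = "Delete objects"

@dataclass
class Item:
    id: str
    # permission name -> set of roles granted that permission on this item
    perms: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.id] = child
        return child

def allowed(roles, perm, obj):
    """True if any of the user's roles holds `perm` on `obj`."""
    return bool(set(roles) & obj.perms.get(perm, set()))

def delete_container_checked(roles, container, child_id):
    """Container-context check: only the container's permission is consulted."""
    if not allowed(roles, DELETE, container):
        raise PermissionError(container.id)
    return container.children.pop(child_id)

def blockers(roles, obj, path=""):
    """Paths of obj and its descendants on which the user lacks DELETE."""
    here = f"{path}/{obj.id}"
    found = [] if allowed(roles, DELETE, obj) else [here]
    for child in obj.children.values():
        found += blockers(roles, child, here)
    return found

def delete_subtree_checked(roles, container, child_id):
    """Guarded variant (assumed policy): refuse if any subtree item is protected."""
    blocked = blockers(roles, container.children[child_id], f"/{container.id}")
    if blocked:
        raise PermissionError(", ".join(blocked))
    return delete_container_checked(roles, container, child_id)

def build_site():
    """Constructed sample tree matching scenario 3 in the issue."""
    site = Item("site", {DELETE: {"Editor"}})
    folder = site.add(Item("Folder", {DELETE: {"Editor"}}))
    folder.add(Item("Document1", {DELETE: {"Editor"}}))
    folder.add(Item("Document2", {DELETE: {"Manager"}}))  # Editor may not delete
    return site
```

With the container-only check, an Editor removing `Folder` takes `Document2` with it; the guarded variant reports `/site/Folder/Document2` and leaves the tree untouched.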