plone / plone.app.iterate

Checkin/checkout procedure for content editing (working copy) for Plone
https://pypi.python.org/pypi/plone.app.iterate

Use package permissions to protect views instead of more general ones #120

Closed pbauer closed 8 months ago

pbauer commented 8 months ago

This was previously part of https://github.com/plone/plone.app.iterate/pull/96

These permissions are so far only used in Volto via plone.restapi but for some reason not in Classic-UI. We might also add checks for these permissions to the actions via browser/control.py.

mister-roboto commented 8 months ago

@pbauer thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

pbauer commented 8 months ago

Should we also change the rolemap-setup by adding profiles/default/rolemap.xml where we assign these to the respective roles and add an upgrade-step for that? It will make it easier to change them.

pbauer commented 8 months ago

@jenkins-plone-org please run jobs

jensens commented 8 months ago

> Should we also change the rolemap-setup by adding profiles/default/rolemap.xml where we assign these to the respective roles and add an upgrade-step for that? It will make it easier to change them.

Yes! Sure.

pbauer commented 8 months ago

While implementing this I ran into something worth mentioning:

The permissions were previously set up and assigned to roles during startup even when plone.app.iterate is not installed. By switching to rolemap.xml the permissions are set up but not assigned to any roles unless the package is installed. Existing sites will get the rolemap installed by the upgrade-step.

With this change a site in which plone.app.iterate was not installed has different permissions than before (before with roles, after without roles). I don't think that has a negative effect in any scenario but I thought it is worth spelling it out here.

plone.app.iterate is in the list of core-addons so the upgrade-step will be triggered by a plone-upgrade.
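The comments above describe moving the permission-to-role assignments into a GenericSetup profiles/default/rolemap.xml. The following is an added example, not code from plone.app.iterate or from the PR: it embeds a constructed rolemap.xml in the GenericSetup format, reads the permission-to-role mapping the same way the profile import would apply it, and flags two states worth catching in review, a permission granted to an overly broad role (Anonymous/Authenticated, which would defeat the point of a package-specific permission) and a permission assigned to no role at all (the state the comment above describes for a site where the package is not installed). The permission names under "example :" are hypothetical placeholders, not the names the package actually defines, and the broad-role check is this example's own addition.

```python
"""Read a GenericSetup rolemap.xml and sanity-check the permission-to-role
assignments it would apply when the package is installed.

Added example, not part of plone.app.iterate. The permission names and
role lists in SAMPLE_ROLEMAP are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a profiles/default/rolemap.xml. Permission names are
# hypothetical placeholders, not the names the package actually defines.
SAMPLE_ROLEMAP = """<?xml version="1.0"?>
<rolemap>
  <permissions>
    <permission name="example : Check out content" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
      <role name="Editor"/>
    </permission>
    <permission name="example : Check in content" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
      <role name="Editor"/>
    </permission>
    <permission name="example : Cancel check out" acquire="False">
      <role name="Manager"/>
      <role name="Anonymous"/>
    </permission>
    <permission name="example : Unused permission" acquire="True"/>
  </permissions>
</rolemap>
"""

# Roles that should never hold a package-specific editing permission: granting
# one of them makes the narrow permission as broad as a generic one.
OVERLY_BROAD_ROLES = frozenset({"Anonymous", "Authenticated"})


def parse_rolemap(xml_text):
    """Return {permission: {"roles": [...], "acquire": bool}} in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "rolemap":
        raise ValueError("not a rolemap.xml document")
    result = {}
    for perm in root.iterfind("./permissions/permission"):
        name = perm.get("name")
        if not name:
            raise ValueError("permission element without a name")
        # GenericSetup defaults acquire to True when the attribute is absent.
        acquire = perm.get("acquire", "True").lower() in ("true", "1")
        roles = [r.get("name") for r in perm.iterfind("role") if r.get("name")]
        result[name] = {"roles": roles, "acquire": acquire}
    return result


def find_problems(rolemap):
    """Flag permissions granted to overly broad roles or to no role at all.

    A permission with no roles is what a site without the package installed
    ends up with once assignment moves into rolemap.xml; listing it here makes
    that state visible instead of silent.
    """
    problems = []
    for name, info in rolemap.items():
        broad = sorted(set(info["roles"]) & OVERLY_BROAD_ROLES)
        if broad:
            problems.append(f"{name}: granted to broad role(s) {', '.join(broad)}")
        if not info["roles"]:
            problems.append(f"{name}: not assigned to any role")
    return problems


def check_rolemap_text(xml_text):
    """Parse a rolemap.xml document and return the list of problems found."""
    return find_problems(parse_rolemap(xml_text))


if __name__ == "__main__":
    for line in check_rolemap_text(SAMPLE_ROLEMAP) or ["no problems found"]:
        print(line)
```

Run against a real profiles/default/rolemap.xml by passing its contents to check_rolemap_text; an empty result means every permission is assigned to at least one role and none of them to Anonymous or Authenticated.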

pbauer commented 8 months ago

@jenkins-plone-org please run jobs

pbauer commented 8 months ago

Test and merge together with https://github.com/plone/Products.CMFPlone/pull/3907

https://jenkins.plone.org/job/pull-request-6.0-3.8/3098/ https://jenkins.plone.org/job/pull-request-6.0-3.11/1052/ https://jenkins.plone.org/job/pull-request-6.1-3.8/159/ https://jenkins.plone.org/job/pull-request-6.1-3.12/172/