Access to resource by filling out a form -> Mail -> Access Link

We have a usecase where a customer wants to provide videos/webinars to website visitors.
The visitor must fill out a form with name and email address. An email with an access link will be sent to the visitor. The access link will contain some kind of token for authorizing the video access.
Is there already something available as add-on?

We have used redomino.tokenrole in the past. redomino.tokenrole · PyPI


I created collective.depositbox about ten years ago, and still use it for a few customers I think. Last release was 2015, so I am not sure about Python 3 support, but the package is small, so should be easy to fix if needed.

It is more low level, requiring an integrator to do some work, including figuring out if and how this could fit your use case. But integrating can be as simple as adding a few lines in a PloneFormGen/easyform template.

It does not use PAS, but is similar to how the password reset tool works. See sample usage.

An interesting sample use case, is collective.confirmableforms which integrates PloneFormGen and depositbox to let visitors fill in a form, send them a confirmation link via email, and only after confirmation do we really store the filled-in form in the PloneFormGen data adapter (or mail it, or whatever you do).

If the Redomino add-on fits your use case, it is probably the better choice, needing less integration work. If it tries to do too much for your taste, then you can play with collective.depositbox.


@zopyx did you settle on a solution? It looks like I will need something similar for a project soon.

I am thinking about generating a JWT and passing it as an access token through a URL.
The JWT payload would contain:

  • a list of paths or UIDs for which the token is valid
  • a lifetime
  • user identification (e.g. user email)

The token will be generated using a secret on the Plone site and decoded using the same secret at the time when the user clicks on the special link with the JWT access token.

Advantage:

  • minimal implementation effort to generate and verify a token
  • no need to store any kind of token information on the Plone side (no need to revoke an issued token since it has a certain lifetime)

My initial impression is that it will probably be simpler to implement this approach on a Volto site.
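The stateless scheme described in the post above, written out as an added example; it is not zopyx's code and not the API of any Plone package. HS256 is done with the standard library so nothing needs installing; the site secret, the claim names (`sub`, `uids`, `iat`, `exp`), the `access_token` query parameter and `build_access_link` are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed site secret: in a real deployment read it from the Plone
# configuration registry or the environment, never hard-code it.
SITE_SECRET = b"replace-me-with-32-or-more-random-bytes"


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(email, uids, lifetime_seconds, secret=SITE_SECRET, now=None):
    """Build an HS256 JWT whose payload lists the content UIDs it unlocks."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": email,                    # user identification
        "uids": list(uids),              # content the token is valid for
        "iat": now,
        "exp": now + lifetime_seconds,   # lifetime; nothing is stored server-side
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_access_token(token, uid, secret=SITE_SECRET, now=None):
    """Return the payload if `token` is intact, unexpired and covers `uid`, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token's "alg" choose the check.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time compare, and verify before trusting anything in the payload.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON, non-ASCII
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    if uid not in payload.get("uids", []):
        return None
    return payload


def build_access_link(base_url, token):
    """The link mailed to the visitor; the view at base_url reads the token from the query."""
    return base_url + "?" + urlencode({"access_token": token})


if __name__ == "__main__":
    tok = issue_access_token("visitor@example.org", ["video-uid-1"], 24 * 3600)
    print(build_access_link("https://example.org/webinars/intro", tok))
    print(verify_access_token(tok, "video-uid-1"))
```

Because the token travels in a URL it ends up in mail clients, browser history, proxies and server logs, so keep the lifetime short and the `uids` list narrow; the verifier above also rejects tokens whose header is not HS256 and checks the signature before reading any claim, which is the usual pitfall when hand-rolling JWT checks.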

No idea if it is good practice, but I once saved their email, some_calculation and a timestamp to the item's dictrow field (in your case, for example, the video content type). Then the user had a 'time limit to visit' and it was possible to see who had seen the item (watched the video). The content was only accessible by the URL in the email.

I used the dict row to get statistics of who had 'visited'. (In fact, it was output as a PDF using a pp.client template.)

Update: It looks like one (old) version of the code is still here: medialog.bikebooking/src/medialog/bikebooking/browser/form.py at master · espenmn/medialog.bikebooking · GitHub
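The server-side alternative to a self-contained token, as an added example covering both the password-reset-style record that collective.depositbox is compared to earlier in the thread and the stored email/timestamp approach in the post above; it is not the code of either package or of medialog.bikebooking. `AccessRegistry` and its in-memory dict stand in for the per-item dict-row field, and instead of a calculation derived from the email it stores only a SHA-256 of a random token (all assumptions).

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AccessGrant:
    email: str
    issued_at: int
    expires_at: int                               # the 'time limit to visit'
    visits: list = field(default_factory=list)    # timestamps of successful visits


class AccessRegistry:
    """Server-side record of who may open which item, until when, and who did.

    The nested dict stands in for the per-item dict-row field (assumption).
    Only a hash of the mailed token is kept, so a copy of the stored data
    does not hand out working links; the token itself has 256 bits of entropy.
    """

    def __init__(self):
        self._grants = {}  # item_id -> {token_hash: AccessGrant}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, item_id, email, lifetime_seconds, now=None):
        """Create a grant when the form is submitted; returns the token to put in the mail."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # the unguessable part of the mailed URL
        grant = AccessGrant(email, now, now + lifetime_seconds)
        self._grants.setdefault(item_id, {})[self._key(token)] = grant
        return token

    def redeem(self, item_id, token, now=None):
        """Called by the view when the link is opened; returns the grant or None."""
        now = int(time.time()) if now is None else now
        grant = self._grants.get(item_id, {}).get(self._key(token))
        if grant is None or now >= grant.expires_at:
            return None
        grant.visits.append(now)  # this is what makes the 'who watched' report possible
        return grant

    def revoke(self, item_id, token):
        """Stateful tokens can be withdrawn early, unlike a self-contained JWT."""
        return self._grants.get(item_id, {}).pop(self._key(token), None) is not None

    def report(self, item_id):
        """(email, visit count) per invitee, the raw material for the statistics PDF."""
        return sorted((g.email, len(g.visits)) for g in self._grants.get(item_id, {}).values())


if __name__ == "__main__":
    registry = AccessRegistry()
    token = registry.issue("video-uid-1", "visitor@example.org", 7 * 24 * 3600)
    print("mail this:", "https://example.org/webinars/intro?access_token=" + token)
    print(registry.redeem("video-uid-1", token))
    print(registry.report("video-uid-1"))
```

The trade-off against the JWT approach is visible in the methods: the registry has to persist something per invitation, but in return it can answer who has opened the item, and a mailed link can be revoked before it expires.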