Best practice? workflow / sharing policy for groups

News are published for all or just for registered users.
Plus there are news only for groups.

Straight forward would be:
workflow states "private", "published" and "published for registered"

For publishing to a group the reviewer shares the private NewsItem with the group.

But how to order news? The private NewsItem has no publishing date.

What's best practice:

  • subscriber to add a publishing date to a freshly created NewsItem
  • force reviewers to first change NewsItem to a fake "maybe for groups published" workflow state
  • ?

This is a tricky combination of requirements.

  • A partial solution to the publishing workflow could be to use the intranet/extranet workflow. Then someone can internally publish an item and it becomes available for members, but is still protected from anonymous access. You basically create an 'intranet/member' group. But it doesn't scale.

  • The second challenge is when you have multiple 'dynamic' groups, where content in the group should only be visible to group members and you have many groups. The only solution I have seen so far that scales without you having to create extra workflow states for each security group is collective.workspace. This add'on was also the basis for the workgroup support in PloneIntranet/Quaive.

collective.workspace creates local rosters for each group where it's members have their own 'local' permissions on the group content inside the group folder. It had some performance issues 5> years ago but these were solved in version 1.2.

[edit/add] Off course you can create custom solutions where you can check for group membership an show/hide things, but collective.workspace is the only abstraction that 'maps' cleanly onto the default permission/role system IMHO.