Hello,
Oftentimes there are strong use cases for fine-granular permission levels via (placeful) workflows, local roles (w/ and w/o inheriting permissions) and add-ons like collective.workspace. These are typically needed to map clients' real-world workflows into the Plone world.
One problem arises when looking at the folder_contents view and its functionality. Actions are often offered that the user cannot perform. For example, the user has no permission to edit the object, but the edit button is still offered. The user has no permission to get the folder's listing, yet they can still click it, which results in an error message. This applies to both Classic and Volto, since both rely on the information given by the catalog (side remark: I know plone.restapi offers the "fullobjects" parameter for the @search endpoint if needed).
Now I was wondering if there are efforts to make the permissions directly accessible in the ZCatalog. We already have something like this with the allowedRolesAndUsers index, which contains all the eligible principals for the View permission. In one issue on the editLink (in Classic UI) I proposed introducing another index just for the Modify portal content permission. But thinking about it, we would need more indexes too, like one for Listing folder contents that tells whether the user can browse into a folderish object.
The action points would be to add the needed indexes, which also get updated whenever object.reindexObjectSecurity() is called, and to use the brain's index data for new attributes like "can_view", "can_edit", "can_browse", etc. Do you think this approach is viable when doing this for the most-needed permissions? This could also be made configurable, for when the integrator wishes to have more permissions indexed at hand for the brains.
Downside: This obviously bloats the reindexing process and requires a full reindex upon introduction. I haven't looked into experimental.securityindexing, but it might be useful in that regard. Alternatively, we could also retrieve the objects for just the brains we wish to interact with (like just those on the current page in folder_contents) and get the permissions as we wish.
What do you think?
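An added example, not part of the original post and not Plone code: a pure-Python model of the proposal, where each permission gets an allowedRolesAndUsers-style set of principals and the "can_*" flags come from intersecting that set with the current user's principals. The sample folder, users, role mappings and all function names are constructed for illustration.

```python
# Simplified model; no Plone imports. All names and sample data are hypothetical.
PERMISSION_FLAGS = {
    "View": "can_view",
    "Modify portal content": "can_edit",
    "List folder contents": "can_browse",
}

def allowed_principals(permission_roles, local_roles):
    """Index value for one permission: the roles holding it, plus
    'user:<id>' for every principal whose local role grants it."""
    allowed = set(permission_roles)
    for principal, roles in local_roles.items():
        if allowed.intersection(roles):
            allowed.add("user:" + principal)
    allowed.discard("Owner")  # Owner only counts as a local role, never globally
    return frozenset(allowed)

def index_security(obj):
    """What a reindexObjectSecurity()-style hook would store per object."""
    return {flag: allowed_principals(obj["permissions"].get(perm, ()),
                                     obj["local_roles"])
            for perm, flag in PERMISSION_FLAGS.items()}

def principals_of(user):
    """Global roles, own id and group ids, in the same 'user:' notation."""
    return {"Anonymous", "user:" + user["id"], *user["roles"],
            *("user:" + group for group in user["groups"])}

def brain_flags(brain, user):
    """UI hints only: the index can be stale, so the server-side
    permission check on the real object stays the authority."""
    mine = principals_of(user)
    return {flag: bool(mine & allowed) for flag, allowed in brain.items()}

# Constructed sample: a folder in a placeful workflow with local roles.
FOLDER = {
    "permissions": {
        "View": ["Manager", "Editor", "Reader", "Owner"],
        "Modify portal content": ["Manager", "Editor", "Owner"],
        "List folder contents": ["Manager", "Editor"],
    },
    "local_roles": {"alice": ["Owner"], "reviewers": ["Reader"]},
}
BOB = {"id": "bob", "roles": ["Member", "Authenticated"], "groups": ["reviewers"]}
ALICE = {"id": "alice", "roles": ["Member", "Authenticated"], "groups": []}

if __name__ == "__main__":
    brain = index_security(FOLDER)
    for user in (BOB, ALICE):
        print(user["id"], brain_flags(brain, user))
```
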