Is it possible to make the personal folder only readable for the owner?

Context

  • Plone 5.2
  • Python3

Use case

I want a group of users, namely the students of our university department, to be able to only read their personal folders since:

  • I don't want them to be able to store anything on the site,
  • but I want them to be able to read the details of their scores at the exams that I plan to upload on their personal folder.

Current behavior for such a user, say "John Doe" (john-doe)

In .../Members/john-doe/@@sharing, if:

  • "Inherit permissions from higher levels" is disabled,
  • permissions for John Doe:
    • "Can view": enabled
    • "Can review": disabled
    • "Can edit": disabled
    • "Can add": disabled

it turns out John Doe is still able to add pages, files, news, etc. in his personal folder.

Question

Is it possible to make the personal folder only readable for the owner?

By default the personal folder is a normal folder with its default workflow. Making an item private is one way, but maybe not what you want. To make its permissions different from the default (whatever permission you need), you best assign a custom/different workflow to this folders.

One way is to duplicate the portal-type (FTI) of this folder and create a custom one. (like MyMemberFolder) and assign it to be used as the type for member-folders in ZMI in portal_membership (or in code with api.portal.get_tool('portal_membership').setMemberAreaType('MyMemberFolder')).

The other way (never tried it, but should be simple) is to utilize CMFPlaceFulWorklfow (which is part of the Plone Distribution) and configure it to apply custom permsiiosn using an own simple workflow for all under /Members.

notifyMemberAreaCreated is automatically called on creating the Memberfolder. You could leverage that to run code that disables inheriting permission on the Memberfolder, leaving only the Owner with Permissions. See Products.PlonePAS.tools.membership.MembershipTool.createMemberarea for the code that calls it. I think it was mostly intended for Python-Scripts in acl_users whcih is kinda ugly.

Otherwise you could use a eventhandler that listens on IObjectAddedEvent and checks if it the container is /Members and does that change there.

On the other hand I also like @jensens idea to change the memberarea_type and use a custom workflow.

Thanks for your suggestions (sigh, not that easy for me :woozy_face:), I'll look at them.

Just note that I don't want all the members to have on their personal folders only read permission: it must be the case only for the members of a given group (here the "Students" group) and e.g. the members of the "Teachers" group should have all permissions on their personal folders.

Not a problem with additional roles and a workflow. The Zope/Plone user/group/role/permission system is very powerful.

Plone Foundation Code of Conduct