I am working on something now (slowly, but with confidence) based on zc.beforestorage and event-based audit logging of change events (modification, deletion, addition, move/rename -- all stored in annotations on the site, in ZODB, with various pruning options). I might have something suitable for review and testing at "proof of concept" level within the next week or two.
My slides on the idea from the conference:
Very limited work so far is only dealing with audit logging backend:
If anyone who has permission could create a repository for this in github.com/plone I would appreciate it.
The actual restoration is all science-fiction at this point, excepting the fact that I've fixed customer human error a handful of times using beforestorage programmatically with both reasonable results and remarkably repetitive patterns. Making this user facing ought to be doable, with security caveats and a few fun technical gotchas.
My goal is to deliver proof of concept as an add-on that is easily installable, uninstallable without mess. If the approach and implementation seem reasonable, which I hope they will, I will PLIP for future release.
As far as UX: making this "user friendly" is a bit tricky, there are lots of things to consider -- right now, I'm starting on making this a power user tool for Site Administrators. Idea is FIFO log of changes, presented in view (filterable by user, date range, path base, and change type); restorable items (deletions, modifications, move/rename) would have check boxes allowing restoration of one or more items of content; confirmations for special cases would intervene between selection and complete restoration, if necessary.
But my storage is (loosely) placeful (I store paths and UIDs, and will support restoration to new/old locations for moved items; we can restore items even when parents are deleted, but with care and possibly into a holding area); we might later be able to enable users to restore their own deletions (e.g. in a folder they have add permission on, for an item they previously had permission to modify) in certain circumstances.
That plus DAV, but I have a fair guess that plone.server (or any other future re-implementation that eliminates ZServer/ZPublisher) might kill WebDAV, which saddens me a bit if we lose that by starting over. Maybe I'm just sentimental.
At minimum, content ought to be importable/exportable from trees of folders and files, or zip files thereof. It ought to be possible to import/export file-like content without loss of metadata, and it ought to be possible to represent structured/fielded content as JSON, with filename reference to exported BLOBs.
Aligning ZODB timestamp/TID with datetime stored by event subscribers before tpc_begin() is a bit tricky, and involves seeking one to a few transactions from the storage starting at a time boundary near-before the logged date, iterating over transaction records in order, and checking if OIDs involved are modified in that transaction. Once you have the right TID, you can construct the date you need to put in your zc.beforestorage (ZConfig) configuration (necessary to open storage and time travel). There is also the matter of how much history one keeps; in the ideal future implementation, time-travel beyond this into FileStorage backups ought to be considered.
Indexing permission to modify deleted items might require some kind of shadow-tree approach or an alternate index of local roles and permission maps for deleted items. I just don't want to deal with that yet.
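The TID alignment described above, sketched as an added example (not code from the post or from the add-on it describes). It assumes the standard 8-byte ZODB TimeStamp layout for TIDs; `find_tid`, the `slack` and `limit` parameters, and the `(tid, oids)` tuples standing in for storage transaction records are hypothetical names and constructed data.

```python
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
_SCONV = 60.0 / (1 << 32)  # seconds represented by one unit of the low 32 bits

def tid_from_datetime(dt):
    """Encode a timezone-aware datetime as an 8-byte TID (TimeStamp layout)."""
    dt = dt.astimezone(UTC)
    minutes = ((((dt.year - 1900) * 12 + dt.month - 1) * 31 + dt.day - 1)
               * 24 + dt.hour) * 60 + dt.minute
    seconds = dt.second + dt.microsecond / 1e6
    return struct.pack(">II", minutes, int(seconds / _SCONV))

def datetime_from_tid(tid):
    """Decode an 8-byte TID back into a UTC datetime."""
    v, frac = struct.unpack(">II", tid)
    v, minute = divmod(v, 60)
    v, hour = divmod(v, 24)
    v, day0 = divmod(v, 31)
    years, month0 = divmod(v, 12)
    base = datetime(years + 1900, month0 + 1, day0 + 1, hour, minute, tzinfo=UTC)
    return base + timedelta(seconds=frac * _SCONV)

def find_tid(logged, oid, txns, slack=timedelta(seconds=5), limit=10):
    """Return the TID of the first transaction touching `oid` near `logged`.

    `logged` is the datetime an event subscriber stored before tpc_begin(),
    so the commit TID is slightly later. `txns` yields (tid, oids) pairs in
    TID order (constructed stand-in for iterating storage transactions).
    The scan starts at logged - slack and examines at most `limit` records.
    """
    start = tid_from_datetime(logged - slack)
    examined = 0
    for tid, oids in txns:
        if tid < start:          # big-endian bytes compare chronologically
            continue
        if oid in oids:
            return tid
        examined += 1
        if examined >= limit:
            break
    return None                  # no match in the window: do not guess
```

`datetime_from_tid(find_tid(...))` gives the time from which the zc.beforestorage date is then constructed; a `None` result means the audit entry could not be aligned and restoration should not proceed for it.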