Roles and permissions - reg

Scenario:
In the folder 'CAR' I have two subfolders, 'CAR1' and 'CAR2'. I have 2 users, 'A' and 'B', of group 'Dealer'. Here the folder CAR1 belongs to 'A' and 'CAR2' belongs to 'B'. When I assign 'view' permission to the folder 'CAR' it is inherited by the subfolders.

BUT:

A,B(View)---->CAR
A(View)------->CAR1
B(View)------->CAR2

If I give disable_roles_acquisition(), the roles that I assign via program are not applied.

Kindly help me with this query.

Have you tried just using the Sharing/Local Roles functionality? It's way
simpler and often quite sufficient.

No, I am setting it via program. It doesn't work because of the disable_roles_acquisition(). How can I rectify it?

You can use local roles programmatically -
https://docs.plone.org/develop/plone/security/local_roles.html. The beauty
is that you can test your use case in the browser before trying to code it
up.

Yes, it works, but if I uncheck 'Inherit permissions from higher levels' the roles do not apply. I do not want that button to be checked.

The sharing tab has its own set of permissions. Customize your workflow so that the sharing tab is only available to the site administrator. This way your users cannot access the sharing form.

You can use different states (Shared: Group A, Shared: Group B, Shared: All) for each folder so you can control which group will have access to each one. Workflows allow you to change the role of the group in a particular state.

How about a particular user of the same group? Can I assign a particular subfolder to a member of a particular group where others are revoked from viewing?

Yes. If you are using the sharing tab, then just provide a particular role to that user in a sub-folder and block permission inheritance.

Thank you, but when I try to remove the inherit permission via program, the roles that I assigned also get removed.

Then it only means that the permission granted came from its parent container. You need to customize the permission applied to your object such that if you block permission inheritance, the custom permissions set in your object are the ones that are followed.

The way Plone checks security is it reads the user's permission applied on the object or context first, but it does not stop there if inherit is allowed. With acquisition, it will also consult the permissions applied on its container tree until the site root. Inheritance is partly the reason why site administrators can access everything by default.

When I try to remove it programmatically, the permissions that I apply also get erased.

From the code I have seen in your posts, you use the Plone API so it may be a feature or a bug that the removal of the permission is also applied to its container tree.

Can you give me a solution for it?

I have rectified the problem. I am so thankful to everyone who spared time to reply to me.

@AnanthaBalaji can you explain the solution and problem in case others with a similar problem find this thread?

Before assigning the roles via program, I have assigned it manually via the sharing tab and workflow.

When I used disable_roles_acquisition() in the program, I just unchecked the "Inherit permissions from parent" checkbox, but the roles acquired previously were present.

I removed the roles in all the pages manually and ran the Python script again.
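
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Plone's own code: a simplified pure-Python model of local-role lookup. It shows that blocking inheritance stops the group role on CAR from reaching CAR1 and CAR2, while explicit grants on a subfolder, including stale ones left over from earlier Sharing-tab testing, stay in effect until they are removed. The names `Node`, `grant`, `effective_roles` and `audit`, and the use of the `Reader` role for view access, are assumptions for illustration.

```python
# Simplified model of local-role lookup; NOT Plone source code.
# Node, grant, effective_roles and audit are hypothetical names.

class Node:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.local_roles = {}       # principal id -> set of role names
        self.block_inherit = False  # True = "Inherit permissions" unchecked

def grant(node, principal, role):
    node.local_roles.setdefault(principal, set()).add(role)

def effective_roles(node, user, groups=()):
    """Roles for user and their groups, walking up until a block is hit."""
    principals = {user, *groups}
    roles = set()
    while node is not None:
        for principal in principals & node.local_roles.keys():
            roles |= node.local_roles[principal]
        if node.block_inherit:
            break                   # parents are not consulted past this point
        node = node.parent
    return roles

def audit(nodes):
    """Every explicit (folder, principal, role) grant, to spot stale ones."""
    return sorted((n.name, p, r) for n in nodes
                  for p, rs in n.local_roles.items() for r in rs)

def build():
    """Constructed sample tree matching the thread's scenario."""
    car = Node("CAR")
    car1, car2 = Node("CAR1", car), Node("CAR2", car)
    grant(car, "Dealer", "Reader")   # group can view the parent folder
    grant(car1, "A", "Reader")       # intended per-user grants
    grant(car2, "B", "Reader")
    grant(car1, "B", "Reader")       # stale grant left from manual testing
    return car, car1, car2

if __name__ == "__main__":
    car, car1, car2 = build()
    car1.block_inherit = car2.block_inherit = True
    print(effective_roles(car1, "A", ["Dealer"]))  # A keeps the local grant
    print(effective_roles(car1, "B", ["Dealer"]))  # B still gets in: stale grant
    print(audit([car, car1, car2]))                # review, then remove the stale entry
    del car1.local_roles["B"]
    print(effective_roles(car1, "B", ["Dealer"]))  # now empty
```

Running an audit of explicit grants like this before and after a permissions script is a quick way to confirm that only the intended user holds a role on each subfolder.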