I have a requirement where a content type is submitted by an anonymous user. However, I need the content type to be editable by the same user until it is transitioned to the received state. What is a good strategy to employ for this requirement so that the form is protected and only the contributor is able to edit the form?
My initial idea is to have Plone set a cookie (time limited) after submission and have the edit view check for the presence of the cookie. But this will limit the user to using the same browser. As an alternative, I am also thinking of requiring the user to enter a passcode in the edit view, and if correct, allow the user to edit the form.
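The two options raised in the question (a time-limited cookie and a passcode) can be combined in one check, so the contributor gets back in from the same browser automatically but can still type the passcode from another one. The following is an added example written for this thread, not code from the original post or from Plone; it models the content item with a plain class, uses a made-up `SERVER_KEY` and a one-week `TOKEN_TTL`, and would need to be wired to the real content object, cookie handling and workflow state in a Plone view. Only a hash of the secret is stored on the item, the cookie is HMAC-signed so its expiry cannot be edited client-side, comparisons are constant-time, and editing is refused once the item reaches the received state.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical signing key; in a real deployment load it from configuration.
SERVER_KEY = b"replace-me-with-a-random-32-byte-key"
TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of the edit secret: one week


class ContentItem:
    """Constructed stand-in for the submitted Plone content object."""

    def __init__(self, uid):
        self.uid = uid
        self.review_state = "submitted"  # later transitions to "received"
        self.edit_secret_hash = None     # sha256 of the passcode, never the passcode
        self.edit_secret_expires = None


def make_cookie(uid, passcode, expires):
    """Build the signed cookie value: payload plus HMAC over it."""
    payload = f"{uid}|{passcode}|{expires}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def issue_edit_secret(item, now=None):
    """Run once at submission time. Returns (passcode, cookie_value).

    Show the passcode to the user once (for editing from another browser)
    and set the cookie in the response (for editing from the same browser).
    """
    now = int(now if now is not None else time.time())
    passcode = secrets.token_urlsafe(24)
    item.edit_secret_hash = hashlib.sha256(passcode.encode()).hexdigest()
    item.edit_secret_expires = now + TOKEN_TTL
    return passcode, make_cookie(item.uid, passcode, item.edit_secret_expires)


def passcode_from_cookie(cookie, uid, now):
    """Return the passcode carried by a valid, unexpired cookie for uid, else None."""
    try:
        c_uid, passcode, expires, sig = cookie.split("|")
    except (ValueError, AttributeError):
        return None
    payload = f"{c_uid}|{passcode}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged cookie
    if c_uid != uid or int(expires) < now:
        return None  # cookie for a different item, or expired
    return passcode


def may_edit(item, cookie=None, passcode=None, now=None):
    """The check the edit view performs before rendering or saving the form.

    Accepts either a typed passcode or the signed cookie; both must match the
    hash stored on the item, and the item must not yet be in the received state.
    """
    now = int(now if now is not None else time.time())
    if item.review_state == "received":
        return False
    if item.edit_secret_hash is None or item.edit_secret_expires < now:
        return False
    candidate = passcode or passcode_from_cookie(cookie, item.uid, now)
    if candidate is None:
        return False
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, item.edit_secret_hash)


if __name__ == "__main__":
    item = ContentItem("abc123")
    code, cookie = issue_edit_secret(item)
    print("same browser:", may_edit(item, cookie=cookie))
    print("other browser:", may_edit(item, passcode=code))
    item.review_state = "received"
    print("after receipt:", may_edit(item, passcode=code))
```

Because the secret is issued at submission and invalidated by the workflow transition, nothing has to be cleaned up afterwards; the stored hash simply stops mattering once the item is received, and an expired cookie or a wrong passcode both fall through to the same refusal.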
The cookie idea seems good. There's no magic bullet if you want to let anonymous users come back and have special access: either you ask them to identify themselves, or they have to come back from the same browser. You could try to record their IP address and trust that no one else at that IP address was trying to access the content item.
You might want to look at tokenrole. You'd need some code to create the token, but that worked well for us for a related use case. - https://pypi.python.org/pypi/redomino.tokenrole/0.10
Thanks @djay and @tkimnguyen. I will try this out first and do the cookie route if this turns out to be more complicated. I really do not need high level security since the content type is not that important. But I am glad to know of this add-on.
I would suggest you forcefully create a session for each anonymous user; after that you could use this created session for editing the submitted content type.
Code snippet:

```python
# Zope/Plone session data manager, acquired from the context (the content
# object). The session is keyed on the visitor's browser-id cookie, so it
# identifies the same browser, not the same person.
sdm = self.context.session_data_manager
# Create the session if it does not exist yet; reuse it on later requests
session = sdm.getSessionData(create=True)
```