Temporarily elevating user permission to add content

Esoth · February 15, 2023, 8:08pm

For my use case, users do not normally have permission to create content type Foobar anywhere on the site. I want to provide a form that lets a user provide some information and then creates Foobar content behind the scenes. The problem is that the API, down to a low level, checks for permission to create that content type and fails.

I'd like to use plone.api.env.adopt_roles to temporarily grant an appropriate role within that form's button method. That seems very simple to do, but I've only ever seen adopt_roles and adopt_user used in testing and thus am a bit nervous there are some gotchas that make this a "DO NOT USE IN PROD" type of feature.

There are other ways around this I can think of, but they seem way less convenient.

zopyx · February 15, 2023, 8:45pm

The approach is completely fine for certain use cases.

Here is a good example:

https://docs.plone.org/develop/plone.api/docs/env.html#env-adopt-user-example

djay · February 16, 2023, 1:01am

We did something similar with GitHub - collective/redomino.tokenrole: This product allows you to share roles about a specific Plone content to an unregistered user through a link..
I forget the exact details but what we did was allow users to read a protected pdf by filling out a form. We used PFG or easyform with a script action adapter. This then use the tokenrole api to create a new token role for a short time and redirected the user to that url.