Using plone.api.transition in anon browser view

can I use

 api.content.transition(context, transition='something')

For a browser view visited by a user not logged in (anon)

The reason for this is

  1. A mail is sent to someone with a link to /somewhere/@@someview?
  2. The browser view checks the url and then
  3. The browser view changes state of the content to 'has_been_visited' (confirmed)

Why shouldn't that work? Every transition is protected by a permission so adjust your workflow settings for this particular transition.


Yes you can!

Just use it with a context manager that gives the anonymous user enough power.

Something like this:

with api.env.adopt_roles(['Member', 'Authenticated', 'Manager']):
    api.content.transition(context, transition='something')

or this:

with api.env.adopt_user(username):
    api.content.transition(context, transition='something')

should work nicely.


This is a workaround for a misconfigured workflow.




Great that it works, but pay attention to @zopyx words.
You may want to adjust your wf definition to obtain the same result without privilege escalation.

Yeah you should be able to set the transition's guard roles to be Anonymous, ie. non-logged in users can use the transition.