Access Contents Information is not respected for Navigation and Listings

[agitator]

Access Contents Information:
This permission allows access to an object, without necessarily
viewing the object. For example, a user may want to see the object's
title in a list of results, even though the user can't view the
contents of that file.

Objects with this permission are neither listed in collections or listings.
Furthermore if i want a private object to appear in the navigation (for example a link to an intranet, which the requires a login) it isn't shown either.

I think the indexer should also check for this ^ permission.
https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/CatalogTool.py#L124

[bosim]

+1 but i think i can be a bit risky, since existing code is made under the assumption that the "View" permission is deciding weather an element is shown or not. But for Plone 5 no problem I believe, just putting a remark in the release notes.

[jaroel]

This would affect everything that uses the catalog, ie navigation portlets, contenttree popups, collections, folder contents etc. Most of this probably doesn't check if it should render a link or just the title, so the impact is really bigger than just the indexer.

So because of this, I'd like to see a PLIP or impact analysis first :)

[agitator]

I've created a custom indexer within my project for this. So far only listings that try to wake the object are acting up.

This has worked before and was repaired to not work anymore at some point.

[jensens]

i always was the opinion Access Contents Information was meant to look at metadata/catalog brains only, while view is for object access. I'am sure this worked at some point in past.

[vangheem]

Any update on this? Closing for now as this enhancement request is quite stale.

[agitator]

Adding

    allowed.update(rolesForPermissionOn('Access contents information', obj))

in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/CatalogTool.py#L145 would fix this.

If something shouldn't be listed, 'Access contents information' should be turned off anyway.

---

I ran into this again and if no one speaks out against it, I'll fix this for 5.2 at the https://alpinecity.tirol sprint.

[agitator]

After further discussion with @jensens, we came to the conclusion that 'Access contents information' is the correct permission to check if an item should appear in listings and navigation.

Since we use 'View' and 'Access contents information' in all Plone workflows, this change shouldn't have any effect on any existing Plone site but furthermore frees up the 'View' permission to make that differentiation in more complex usecases.