-
-
Notifications
You must be signed in to change notification settings - Fork 188
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access Contents Information is not respected for Navigation and Listings #260
Comments
+1 but i think i can be a bit risky, since existing code is made under the assumption that the "View" permission is deciding weather an element is shown or not. But for Plone 5 no problem I believe, just putting a remark in the release notes. |
This would affect everything that uses the catalog, ie navigation portlets, contenttree popups, collections, folder contents etc. Most of this probably doesn't check if it should render a link or just the title, so the impact is really bigger than just the indexer. So because of this, I'd like to see a PLIP or impact analysis first :) |
I've created a custom indexer within my project for this. So far only listings that try to wake the object are acting up. This has worked before and was repaired to not work anymore at some point. |
i always was the opinion Access Contents Information was meant to look at metadata/catalog brains only, while view is for object access. I'am sure this worked at some point in past. |
Any update on this? Closing for now as this enhancement request is quite stale. |
Adding
in https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/CatalogTool.py#L145 would fix this. If something shouldn't be listed, 'Access contents information' should be turned off anyway. I ran into this again and if no one speaks out against it, I'll fix this for 5.2 at the https://alpinecity.tirol sprint. |
After further discussion with @jensens, we came to the conclusion that 'Access contents information' is the correct permission to check if an item should appear in listings and navigation. Since we use 'View' and 'Access contents information' in all Plone workflows, this change shouldn't have any effect on any existing Plone site but furthermore frees up the 'View' permission to make that differentiation in more complex usecases. |
Access Contents Information:
This permission allows access to an object, without necessarily
viewing the object. For example, a user may want to see the object's
title in a list of results, even though the user can't view the
contents of that file.
Objects with this permission are neither listed in collections or listings.
Furthermore if i want a private object to appear in the navigation (for example a link to an intranet, which the requires a login) it isn't shown either.
I think the indexer should also check for this ^ permission.
https://github.com/plone/Products.CMFPlone/blob/master/Products/CMFPlone/CatalogTool.py#L124
The text was updated successfully, but these errors were encountered: