[Zope-CMF] Can I prevent anonymous access to only some of the files on a site

Paul Winkler pw_lists at slinkp.com
Tue Apr 12 11:52:33 EDT 2005


On Tue, Apr 12, 2005 at 12:00:09PM +0100, Barbara Harris wrote:
> A small number of the files and documents on a Zope 2.6.4 CMF site,
> running through Apache, should be available only to Zope members
> (managers and owners).  I have placed all these objects in a
> portal_folder called 'restricted'.  On the restricted folder I have
> deselected 'Acquire permission settings?' and selected Manager, Member,
> and Owner roles only on the following permissions:
> 
> - Access contents information 
> 
> - View
> 
> All the files and documents in the restricted folder have been published
> via the default_workflow (Simple Review / Publish Policy) i.e. on the
> View permission each object's 'Acquire permission settings?' is
> deselected and the Anonymous, Manager and Owner roles are selected.

Which means that if they can find it, anonymous users will be able to
view all this content, regardless of the security settings of
the container. 

In Zope's security policy, you can view objects based on their
own (possibly acquired) security settings. If you turn off
"Acquire permission settings", the container cannot control 
whether the content is viewable.
  
> If a document elsewhere on the site contains a hypertext link to a
> DOCUMENT in the restricted folder, anonymous users are prompted to login
> to the site when they select the link - this is what I want.  However, a
> hypertext link to a FILE published in the restricted folder triggers the
> Windows file download window and allows an anonymous user to download
> the file.  NB if I add '/view' to the end of a file hypertext link
> anonymous users are prompted to login to the site when they select the
> link.

Given what I said about security policy above,
I suspect that Documents being restricted in your case is a bug.
Maybe something in the default view is calling a method of the
container or something like that.
As I understand it, all content should be anonymously viewable
in your setup.
 
> It would appear that removing anonymous access to the 'Access contents
> information' permission on a folder prevents anonymous users accessing
> the folder, documents, and DTML methods 

DTML methods?  What DTML methods?
Is this a really really ancient version of CMF?

But no, removing "Access contents information" should prevent you from 
finding out what's in a folder. It should not prevent you from
actually viewing a sub-object if you happen to know where it is.
That's left to the "View" permission on each object.

> Is it possible to set the permissions on only one of many site folders,
> to prevent the file download function being triggered by anonymous
> users?

In CMF you don't normally set permissions directly, you let workflow
do it.  But then, workflow by default is not applied to folders.
You might have to change that, see below.
 
> Is there a way to apply a workflow that deselects the anonymous role and
> selects the member role on the objects in only one of many folders on a
> site?

No, DCWorkflow is not placeful: it applies a single workflow to
all content of a certain content type regardless of location.
 
> Is there another solution to preventing anonymous access to only some of
> the files on a site?

I haven't had to do that yet, so, not sure. But I suspect you could do
something like (untested):

* add a new workflow associated only with Portal Folders
* add a "private" state, and a "Make Private" transition to your workflow
* have the "Make Private" transition call a simple script that does this:
  - for all sub-Folders, kick off their Make Private transition
  - for all non-Folder content objects, kick off the "retract" transition
    or whatever it is in your workflow that puts them in the "private"
    state.

Or something like that. You could use a new state for this purpose
if you don't want to re-use "private".

Once this is done, go to the folder in question and do the "Make
Private" action on it and hopefully it should work as intended.

-- 

Paul Winkler
http://www.slinkp.com
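The recursive "Make Private" transition script sketched in the reply above, written out as an added example (not code from the thread or from CMF itself). It is shaped as the body of the DCWorkflow after-script and uses the real portal_workflow calls doActionFor/getInfoFor, but because Zope is not available here the content tree and workflow tool are constructed stand-ins; the transition ids 'make_private' and 'retract' and the script name are assumptions.

```python
class Item:
    """Constructed stand-in for a CMF object (Document, File or Folder)."""
    def __init__(self, id, folderish=False, state='published', children=()):
        self.id = id
        self.isPrincipiaFolderish = folderish  # real attribute on folders
        self.review_state = state
        self._children = list(children)

    def contentValues(self):  # real PortalFolder method
        return list(self._children)


class StubWorkflowTool:
    """Constructed stand-in for portal_workflow; records fired transitions."""
    def __init__(self):
        self.log = []

    def getInfoFor(self, obj, name):  # same signature as the real tool
        return getattr(obj, name)

    def doActionFor(self, obj, action):  # same signature as the real tool
        self.log.append((obj.id, action))
        obj.review_state = 'private'
        if action == 'make_private':
            # DCWorkflow would now run the transition's after-script,
            # i.e. make_private() below; modelled by calling it directly.
            make_private(obj, self)


def make_private(folder, wf_tool):
    """Body of the 'Make Private' after-script (name assumed).
    In the real Script (Python), folder is state_change.object and wf_tool is
    getToolByName(folder, 'portal_workflow'). Returns ids acted on."""
    acted = []
    for obj in folder.contentValues():
        if wf_tool.getInfoFor(obj, 'review_state') == 'private':
            continue  # already private: 'retract' would not be allowed
        # sub-folders get their own Make Private transition (which recurses);
        # plain Documents and Files get the workflow's 'retract' transition
        action = 'make_private' if obj.isPrincipiaFolderish else 'retract'
        wf_tool.doActionFor(obj, action)
        acted.append(obj.id)
    return acted


def run_demo():
    """Constructed tree: restricted/{doc1, file1, sub/{file2, old(private)}}."""
    sub = Item('sub', True, children=[Item('file2'), Item('old', state='private')])
    root = Item('restricted', True, children=[Item('doc1'), Item('file1'), sub])
    tool = StubWorkflowTool()
    make_private(root, tool)
    return tool.log, [(o.id, o.review_state) for o in root.contentValues() + sub.contentValues()]
```

Skipping objects that are already private matters in practice: firing 'retract' on an object whose current state has no such transition raises a WorkflowException and aborts the whole Make Private action.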
