Protects inactive plone content from unauthorized access.
Project description
ftw.protectinactive
ftw.protectinactive protects inactive content from unauthorized access.
Plone provides fields to set publication and expiration dates. If the publication date is in the future or the expiration date is in the past the content is inactive. This inactive state determines if the content should appear on the site or not.
The problem is that this check is only performed on the catalog.
It works for listings and all other instances where catalog queries are used. But it does not protect the content from beeing accessed directly via the url. An unauthorized user is able to access the content whether it is inactive or not. This behaviour is highly unintuitive and is often met with incomprehension.
ftw.protectinactive was created to protect inactive content and provide the expected behaviour. It performs the check for inactive content in a IPubAfterTraversal hook. If the content is inactive and the user has no permission to see it, ftw.protectinactive raises an exception.
Features
check if content is inactive
supports Dexterity content
respects Access inactive portal content and Access future portal content permissions (on site root)
configurable exception type
Installation
Add ftw.protectinactive to your buildout configuration:
[instance]
eggs +=
ftw.protectinactive
Install the generic import profile.
Configuration
The exception raised by ftw.protectinactive can be configured in the plone registry. It will raise an Unauthorized exception by default. This, however, confirms the existence of the content, which is a potential unwanted information disclosure. To avoid this the exception can be changed to a NotFound exception in the registry.
In addition you can also completaly disable the hook via the plone registry.
Installation local development-environment
$ git clone git@github.com:4teamwork/ftw.protectinactive.git
$ cd ftw.protectinactive
$ ln -s development.cfg buildout.cfg
$ python2.7 bootstrap.py
$ bin/buildout
$ bin/testCompatibility
Runs with Plone 5.1.
Links
Issues: https://github.com/4teamwork/ftw.protectinactive/issues
Continuous integration: https://jenkins.4teamwork.ch/search?q=ftw.protectinactive
Copyright
This package is copyright by 4teamwork.
ftw.protectinactive is licensed under GNU General Public License, version 2.
Changelog
2.1.0 (2021-03-08)
Implement option to disable the hook. [mathias.leimgruber]
2.0.0 (2019-10-23)
Drop Plone 4.2 compatibility. [jone]
Add Plone 5.1 support. [tinagerber]
Drop archetypes support. [tinagerber]
1.0.2 (2018-01-09)
Improve traversal hook in order not block authorized users from viewing content they should be allowed to view. [mbaechtold]
Fix failing tests because of recent changes in “ftw.testbrowser”. [mbaechtold]
Test against Plone 4.2. [mbaechtold]
plone.api 1.4.11 is needed at least: See https://github.com/plone/plone.api/blob/1.4.11/docs/CHANGES.rst#1411-2016-01-08 [mathias.leimgruber]
Updated description in setup.py. [lknoepfel]
1.0.1 (2016-07-25)
Specify required plone.api version. [lknoepfel]
1.0.0 (2016-07-20)
Initial implementation and first release. [lknoepfel]
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for ftw.protectinactive-2.1.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 9824b0d6314b104a9565fea70e8171a24d5eb7aa0c7bf5a8be010e7ea016dcba |
|
| MD5 | 21c3983df47ba371e068d53c4809f4cc |
|
| BLAKE2b-256 | d2df64ba06d574e973e345c5cc281373420e023b000b018ceb1f78dd2031d603 |
