Skip to main content
Help us improve Python packaging – donate today!

Protects inactive plone content from unauthorized access.

Project Description

ftw.protectinactive

ftw.protectinactive protects inactive content from unauthorized access.

Plone provides fields to set publication and expiration dates. If the publication date is in the future or the expiration date is in the past the content is inactive. This inactive state determines if the content should appear on the site or not.

The problem is that this check is only performed on the catalog.

It works for listings and all other instances where catalog queries are used. But it does not protect the content from beeing accessed directly via the url. An unauthorized user is able to access the content whether it is inactive or not. This behaviour is highly unintuitive and is often met with incomprehension.

ftw.protectinactive was created to protect inactive content and provide the expected behaviour. It performs the check for inactive content in a IPubAfterTraversal hook. If the content is inactive and the user has no permission to see it, ftw.protectinactive raises an exception.

Features

  • check if content is inactive
  • supports Archetypes and Dexterity content
  • respects Access inactive portal content and Access future portal content permissions (on site root)
  • configurable exception type

Installation

  • Add ftw.protectinactive to your buildout configuration:
[instance]
eggs +=
    ftw.protectinactive
  • Install the generic import profile.

Configuration

The exception raised by ftw.protectinactive can be configured in the plone registry. It will raise an Unauthorized exception by default. This, however, confirms the existence of the content, which is a potential unwanted information disclosure. To avoid this the exception can be changed to a NotFound exception in the registry.

Installation local development-environment

$ git clone git@github.com:4teamwork/ftw.protectinactive.git
$ cd ftw.protectinactive
$ ln -s development.cfg buildout.cfg
$ python2.7 bootstrap.py
$ bin/buildout
$ bin/test

Compatibility

Runs with Plone 4.3.9.

Changelog

1.0.2 (2018-01-09)

  • Improve traversal hook in order not block authorized users from viewing content they should be allowed to view. [mbaechtold]
  • Fix failing tests because of recent changes in “ftw.testbrowser”. [mbaechtold]
  • Test against Plone 4.2. [mbaechtold]
  • plone.api 1.4.11 is needed at least: See https://github.com/plone/plone.api/blob/1.4.11/docs/CHANGES.rst#1411-2016-01-08 [mathias.leimgruber]
  • Updated description in setup.py. [lknoepfel]

1.0.1 (2016-07-25)

  • Specify required plone.api version. [lknoepfel]

1.0.0 (2016-07-20)

  • Initial implementation and first release. [lknoepfel]

Release history Release notifications

This version
History Node

1.0.2

History Node

1.0.1

History Node

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
ftw.protectinactive-1.0.2.tar.gz (9.4 kB) Copy SHA256 hash SHA256 Source None Jan 9, 2018

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page