Protects inactive plone content from unauthorized access.
ftw.protectinactive protects inactive content from unauthorized access.
Plone provides fields to set publication and expiration dates. If the publication date is in the future or the expiration date is in the past the content is inactive. This inactive state determines if the content should appear on the site or not.
The problem is that this check is only performed on the catalog.
It works for listings and all other instances where catalog queries are used. But it does not protect the content from beeing accessed directly via the url. An unauthorized user is able to access the content whether it is inactive or not. This behaviour is highly unintuitive and is often met with incomprehension.
ftw.protectinactive was created to protect inactive content and provide the expected behaviour. It performs the check for inactive content in a IPubAfterTraversal hook. If the content is inactive and the user has no permission to see it, ftw.protectinactive raises an exception.
- check if content is inactive
- supports Archetypes and Dexterity content
- respects Access inactive portal content and Access future portal content permissions (on site root)
- configurable exception type
- Add ftw.protectinactive to your buildout configuration:
[instance] eggs += ftw.protectinactive
- Install the generic import profile.
The exception raised by ftw.protectinactive can be configured in the plone registry. It will raise an Unauthorized exception by default. This, however, confirms the existence of the content, which is a potential unwanted information disclosure. To avoid this the exception can be changed to a NotFound exception in the registry.
Installation local development-environment
$ git clone firstname.lastname@example.org:4teamwork/ftw.protectinactive.git $ cd ftw.protectinactive $ ln -s development.cfg buildout.cfg $ python2.7 bootstrap.py $ bin/buildout $ bin/test
Runs with Plone 4.3.9.
This package is copyright by 4teamwork.
ftw.protectinactive is licensed under GNU General Public License, version 2.
- Improve traversal hook in order not block authorized users from viewing content they should be allowed to view. [mbaechtold]
- Fix failing tests because of recent changes in “ftw.testbrowser”. [mbaechtold]
- Test against Plone 4.2. [mbaechtold]
- plone.api 1.4.11 is needed at least: See https://github.com/plone/plone.api/blob/1.4.11/docs/CHANGES.rst#1411-2016-01-08 [mathias.leimgruber]
- Updated description in setup.py. [lknoepfel]
- Specify required plone.api version. [lknoepfel]
- Initial implementation and first release. [lknoepfel]