Skip to main content

Protects inactive plone content from unauthorized access.

Project description

ftw.protectinactive

ftw.protectinactive protects inactive content from unauthorized access.

Plone provides fields to set publication and expiration dates. If the publication date is in the future or the expiration date is in the past the content is inactive. This inactive state determines if the content should appear on the site or not.

The problem is that this check is only performed on the catalog.

It works for listings and all other instances where catalog queries are used. But it does not protect the content from beeing accessed directly via the url. An unauthorized user is able to access the content whether it is inactive or not. This behaviour is highly unintuitive and is often met with incomprehension.

ftw.protectinactive was created to protect inactive content and provide the expected behaviour. It performs the check for inactive content in a IPubAfterTraversal hook. If the content is inactive and the user has no permission to see it, ftw.protectinactive raises an exception.

Features

  • check if content is inactive

  • supports Dexterity content

  • respects Access inactive portal content and Access future portal content permissions (on site root)

  • configurable exception type

Installation

  • Add ftw.protectinactive to your buildout configuration:

[instance]
eggs +=
    ftw.protectinactive
  • Install the generic import profile.

Configuration

The exception raised by ftw.protectinactive can be configured in the plone registry. It will raise an Unauthorized exception by default. This, however, confirms the existence of the content, which is a potential unwanted information disclosure. To avoid this the exception can be changed to a NotFound exception in the registry.

In addition you can also completaly disable the hook via the plone registry.

Installation local development-environment

$ git clone git@github.com:4teamwork/ftw.protectinactive.git
$ cd ftw.protectinactive
$ ln -s development.cfg buildout.cfg
$ python2.7 bootstrap.py
$ bin/buildout
$ bin/test

Compatibility

Runs with Plone 5.1.

Changelog

2.1.0 (2021-03-08)

  • Implement option to disable the hook. [mathias.leimgruber]

2.0.0 (2019-10-23)

  • Drop Plone 4.2 compatibility. [jone]

  • Add Plone 5.1 support. [tinagerber]

  • Drop archetypes support. [tinagerber]

1.0.2 (2018-01-09)

  • Improve traversal hook in order not block authorized users from viewing content they should be allowed to view. [mbaechtold]

  • Fix failing tests because of recent changes in “ftw.testbrowser”. [mbaechtold]

  • Test against Plone 4.2. [mbaechtold]

  • plone.api 1.4.11 is needed at least: See https://github.com/plone/plone.api/blob/1.4.11/docs/CHANGES.rst#1411-2016-01-08 [mathias.leimgruber]

  • Updated description in setup.py. [lknoepfel]

1.0.1 (2016-07-25)

  • Specify required plone.api version. [lknoepfel]

1.0.0 (2016-07-20)

  • Initial implementation and first release. [lknoepfel]

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ftw.protectinactive-2.1.0.tar.gz (10.6 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page