Allowing normal users to download PloneFormGen CSV

We are using PloneFormGen's SaveDataAdapter, and would like users who are not site admins to be able to download the CSV. The normal permissions don't seem to allow this. Is this possible in PloneFormGen?

You're right, there is a custom permission made for the download-view named "PloneFormGen: Download Saved Input", and Products/PloneFormGen/config.py defines that Managers, Owners and Site-admins get this permission by default.
In one of your add-on's profile folders, add a file named rolemap.xml to additionally assign roles (the default-roles will remain untouched, as they are assigned via a Python-script, not a GenericSetup-file):
<?xml version="1.0"?>
<rolemap>
  <permissions>
    <permission name="PloneFormGen: Download Saved Input" acquire="True">
      <role name="Member" />
    </permission>
  </permissions>
</rolemap>
Note: This will set the permission globally, meaning you cannot restrict it to locations. For finer control per location, create a role "Downloaders", assign the download-permission to it in rolemap.xml and make the permission assignable locally via the sharing-tab of an item. For the last step one could give https://pypi.org/project/collective.sharingroles/ a try.
An alternative solution for the case that exactly one user needs to get the additional privilege for downloading the content of a save-adapter:
Append /ownership_form to the URL of the save adapter, choose a new owner and save.
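An added example, not part of the original answer: a small review check that reads a rolemap.xml and reports permissions granted site-wide to broad roles, run against the answer's global Member grant and against the "Downloaders" variant the note describes. Both XML samples are constructed here, and the helper names and the BROAD_ROLES set are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Roles that cover every visitor or every account holder on a Plone site.
BROAD_ROLES = {"Anonymous", "Authenticated", "Member"}

# Constructed sample: the global Member grant shown in the answer.
GLOBAL_GRANT = """<?xml version="1.0"?>
<rolemap>
  <permissions>
    <permission name="PloneFormGen: Download Saved Input" acquire="True">
      <role name="Member" />
    </permission>
  </permissions>
</rolemap>"""

# Constructed sample: the dedicated "Downloaders" role the note suggests.
DEDICATED_ROLE = """<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Downloaders" />
  </roles>
  <permissions>
    <permission name="PloneFormGen: Download Saved Input" acquire="True">
      <role name="Downloaders" />
    </permission>
  </permissions>
</rolemap>"""


def broad_grants(rolemap_xml):
    """Return (permission, role, acquire) for each grant to a broad role."""
    root = ET.fromstring(rolemap_xml)
    findings = []
    for perm in root.findall("./permissions/permission"):
        acquire = perm.get("acquire", "False").lower() == "true"
        for role in perm.findall("role"):
            if role.get("name") in BROAD_ROLES:
                findings.append((perm.get("name"), role.get("name"), acquire))
    return findings


def declared_roles(rolemap_xml):
    """Return the custom roles the profile declares in its <roles> section."""
    root = ET.fromstring(rolemap_xml)
    return [r.get("name") for r in root.findall("./roles/role")]


if __name__ == "__main__":
    for label, xml_text in (("global", GLOBAL_GRANT), ("dedicated", DEDICATED_ROLE)):
        print(label, broad_grants(xml_text), declared_roles(xml_text))
```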

Related

Object to object ACL with xattr in Security Namespace

I want to create an access rule in Linux so that only files with a certain eXtended attribute can be moved, copied or created in a certain directory regardless of my privileges in that directory.
The xattr should be created in system or security Namespace, so that I cannot change it as a user.
To my understanding, almost all ACL systems are focused around "subject to object" access control (i.e user/process to file/directory), but what I want is "object to object" (i.e file to directory) access control.
Perhaps SELinux?
Is this even possible?
Cheers,
Kalle

JasperReports Server permissions don't work

I created new user - 'exampleuser' and new role - 'examplerole' in JasperReports Server version 5.6.
The new user - 'exampleuser' has 2 roles: 'examplerole' and 'ROLE_USER' that is attached to the user by default in the JR Server.
For every folder in jasper I gave the 'examplerole' and 'ROLE_USER' the permissions - Execute only.
According to my understanding, if I log in with the 'exampleuser' user I won't be able to see any folder, and of course won't be able to delete any file inside that folder.
What actually happens is that I'm able to see all the files inside any folder, add and delete files as I wish and change permissions to the files.
I could not find any information about it - according to the JasperReports Server manual I'm not doing anything wrong, or am I?
The 'exampleuser' doesn't have any permissions to the folder e.g. 'NO ACCESS' permission.
And there were no errors in the logs.
Has anyone run into this situation before? Is it fixable, or is it some bug in JasperReports Server?
-----------------------------EDIT---------------------------------------
I've found out that this situation happens only in Google chrome browser. If I use IE for example, everything is as it should be.
Anyone? Any idea?
Edit the user (exampleuser) and assign only the new role (examplerole) which you created for the new user; remove ROLE_USER and save.
Now right-click on the folder on which you want to give permission to the new user (exampleuser) and select "Permission"; there you can see all the roles and their access permissions.
Change the permission from No Access to Read only for examplerole and remove the access from other roles, i.e. select the No Access option.
After that you need to check the remaining directories to see whether they have ROLE_USER access or not; if they have, remove the permission from ROLE_USER, i.e. set it to No Access.

Google Cloud Storage AllUsers permission doesn't work

I'm trying to make a bucket with Read/Write permissions for bucket/objects for particular users and Read permissions for objects only for AllUsers.
I've:
created a bucket,
added this to default acl list:
<Entry>
  <Scope type="AllUsers"/>
  <Permission>
    READ
  </Permission>
</Entry>
via: gsutil setdefacl <f> gs://bucket
added an object (test.png)
Now I'm trying to access this from a browser with the URL http[s]://storage.cloud.google.com/bucket/test.png but it takes me to the Google account sign-in page. When I sign in with another Google account (not the one I used to create the project/bucket/object), which has no explicit rights set, it shows the pic.
gsutil getacl on the new object shows that READ permission is in place for AllUsers, but it works like AllAuthenticatedUsers.
Any ideas on what to do with permissions to work as expected?
When you say you added that Entry to the default ACL, you mean you added it as an element within AccessControlList.Entries, correct?
It's somewhat difficult to know what happened without seeing the full ACL text.
But also, since you're making objects publicly readable (READ permission granted for scope AllUsers), you don't need additional scopes in the bucket's default object ACL; you could simply do:
gsutil setdefacl public-read gs://bucket
and then upload objects to the bucket.
I realize you want to grant read/write permission for particular users, but write permission is controlled by the bucket ACL, not the object ACL (and thus also not by the default object ACL on the bucket).
Please try the above and let us know if you're still unable to access objects via a browser without first authenticating.
Mike Schwartz,
Google Cloud Storage team
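An added example, not from the original thread: a check that reads a full ACL document in the XML form quoted in the question and reports which entries open the object to AllUsers or AllAuthenticatedUsers, tolerating the whitespace around READ seen in the question's entry. The sample ACL, its e-mail address and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one named user plus the AllUsers entry from the question.
SAMPLE_ACL = """<AccessControlList>
  <Entries>
    <Entry>
      <Scope type="UserByEmail">
        <EmailAddress>uploader@example.com</EmailAddress>
      </Scope>
      <Permission>FULL_CONTROL</Permission>
    </Entry>
    <Entry>
      <Scope type="AllUsers"/>
      <Permission>
        READ
      </Permission>
    </Entry>
  </Entries>
</AccessControlList>"""

# Scope types that are not tied to a specific user, group or domain.
AUDIENCE = {"AllUsers": "public", "AllAuthenticatedUsers": "authenticated"}
RANK = {"restricted": 0, "authenticated": 1, "public": 2}


def open_entries(acl_xml):
    """Return (scope type, permission) for every entry with an open scope."""
    root = ET.fromstring(acl_xml)
    found = []
    for entry in root.iter("Entry"):
        scope = entry.find("Scope")
        if scope is None or scope.get("type") not in AUDIENCE:
            continue
        # Permission text may be wrapped in newlines and indentation.
        permission = (entry.findtext("Permission") or "").strip().upper()
        found.append((scope.get("type"), permission))
    return found


def widest_audience(acl_xml):
    """Return 'public', 'authenticated' or 'restricted' for the whole ACL."""
    levels = [AUDIENCE[scope] for scope, _ in open_entries(acl_xml)]
    return max(levels, key=RANK.get, default="restricted")


if __name__ == "__main__":
    print(open_entries(SAMPLE_ACL), widest_audience(SAMPLE_ACL))
```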

Can I add some public meta data to an encrypted Access 2010 database?

My application stores its data in an Access 2010 database (accdb) file. It's password protected, which means it's encrypted w/ AES-128.
I'd like to add some meta data to the file that's publicly available. This way older versions of my application can investigate the file to see if it's even worth trying to open. Otherwise, they'll just get the dreaded "Unrecognized Database Format" error, which is usually associated with file corruptions.
In Windows, you can right-click on a file, click "Properties" and see attributes under the Details tab. I'd love it if I could add attributes like the version of my application that last touched the file, and maybe other details. I'd like to avoid having a different file extension for each version of my app!
Is it possible to add some public meta data to an encrypted Access 2010 database?
You can add custom database properties : http://support.microsoft.com/default.aspx?scid=kb;en-us;q178745
You can change the file extension of an encrypted Access database and change the properties for that extension. The extension .enc is fairly descriptive and does not seem to be widely used.
The file will open normally when clicked and ask for the password. The icon will be recognizably Access and the description, "Encrypted MS Access" in this case, will appear under Type in a directory listing.
With NTFS, you can add an alternate data stream (ADS):
notepad.exe z:\docs\testde.enc:Extra.txt
Reading the stream:
more < testde.enc:extra.txt
More information: http://www.think-techie.com/2010/04/alternate-data-streams.html
http://www.irongeek.com/i.php?page=security/altds
This is a tough nut to crack! An application must read information about the ACCDB, but that information can't be stored in the ACCDB because you want to read it without opening the ACCDB. And you can't use the suggested file system methods because this must work under Wine on Mac (I assume from another of your questions).
The only solution I can see is to create a companion file (with same base name but different extension) to hold the metadata. So if your application wants to know about SomeDb.accdb, it would look for a file named SomeDb.metadata and read that instead.
I suggested a kludge for your earlier question ... unfortunately this is another. :-) However, it's a simple kludge and it should work ... even on Mac.

Plone3: How to export changes on a permission of a portal_type

I went to the address of the Zope manage screen:
localhost:8000/manage
Entered my plone_site named 'foo', then clicked on the portal_types link.
Went through to the content type named 'MyContentType', and there clicked on the Permissions tab.
Changed some permissions to assign them to some roles, and so on...
Now, I went to portal_setup to try to export these changes, but didn't find an option to export that. I only found Role/Permissions, which is responsible for exporting changes on the 'main' Security tab, under the root of the plone_site.
So, how can I export my configuration on the permissions of specified content type under the portal_type tool?
What you've described is changing access to the Factory Type Information (FTI) of MyContentType, which is probably not what you want.
Assuming you have a custom permission 'Add MyContentType' controlling who can add instances of that type, then you can assign that permission to the right roles at the Plone site object level. You should do that with the rolemap.xml GenericSetup file. The 'Role/Permission Map' step you've found in portal_setup will export a rolemap.xml for you.
If you want more fine-grained control than that, you'll need to give MyContentType a workflow. Have a look at how your other types are set up in portal_workflow. Make your settings change with workflows.xml.
The Import/Export button in the ZMI can be useful to move pieces of content between matching (i.e. identical) Plone sites in ZEXP files, but generally I'd steer clear. The XML import/export there was broken last time I checked.
Well, as nobody answered, I will:
On the ZMI, on the plone_types page, there's an option (a button) at the bottom of the page to Import/Export changes.
The solution is to click that button.
Although it's not possible to export the changes in .xml format, you can still export to .zexp format (if that works for you).
For me it was not sufficient. So I started working with portal_workflow's permissions, because workflow permissions are preferred to other permissions.