Mustapha Benali (Headnet), in collaboration with Matt Hamilton (Netsight) and Roel Bruggink (Four digits), made a nice Plone package called plone.app.changeownership. Since we are using Plone ‘as a service’ at our university for a lot of different sites with a lot of different users, this was something we were waiting for… so time for a small test…
What happens to content created (owned) by a certain user on a Plone site when he/she leaves the organisation? Will they still be able to access the content when they are gone, even when we’ve taken away all their Plone rights? Unfortunately our test showed us the answer is yes! In Plone a lot of permissions are given to you because you are the owner of a piece of content. When you create a piece of content, that automatically sets you as the owner of this object. We had the situation where we had almost a whole site created by someone who then left after a year of the site being live, so we decided to just go to the plone_control_panel and take away all the rights that this user had (contributor, editor, member, reader, reviewer). To our surprise this didn’t help a bit: a user who has no rights whatsoever in the Plone site can still change everything.
Since we use LDAP and Shibboleth for authentication and authorisation, it doesn’t pose a big problem when a person really leaves, since they just can’t log in anymore. But of course, when a person changes position within the organisation, the user account is still active, so then it could become a serious problem.
In general, being an owner means having more permissions than the assigned roles indicate. This “privileged” treatment of ownership is confusing and sometimes even dangerous for testing other functionalities.
So we needed a solution that would make it possible to change the ownership of all (or part of the) content on a Plone site with basically just the click of a button. And from what I’ve seen, plone.app.changeownership does just that.
Note 1: There is an option in the ZMI, tab Ownership, which allows you to ‘Take ownership’ of an object and optionally all its sub-objects. The problem with this option for us is that no one (besides a couple of people from the development team) is allowed in the ZMI, so we can only give ownership to the zope-admin. Also, we would have to do this manually for each item of the Plone site, which is just way too time-consuming in our setup.
Note 2: Along with the ‘Take ownership’ option in the ZMI there is a possibility to replace the owner via Security tab -> Local roles. The major insufficiency of both options though is that they work on one object only. There is no way to change ownership recursively or in batch on a site. (Thanks Yulia)
What does plone.app.changeownership do?
- It adds an option to the Control Panel called ‘Change Ownership’.
- It automatically shows you all available users in your site and allows you to limit your changes to a given path.
- You can do a dry run of the change in ownership, which shows you what items will be adjusted.
- The results are easily visible when you use the Standard View in your site/folders.
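
The behaviour described above, as an added sketch that is not part of the original post and is not plone.app.changeownership's code: a simplified model in which ownership is an "Owner" local role stored on each object, so stripping a user's site-wide roles leaves owner access in place until ownership is reassigned, with the path limit and dry run from the list above. The site paths, user ids and function names are constructed for illustration.

```python
def sample_site():
    # Constructed content tree: path -> {user id: local roles on that object}
    return {
        "/site/news": {"alice": {"Owner"}},
        "/site/news/item1": {"alice": {"Owner"}},
        "/site/docs": {"alice": {"Owner"}},
        "/site/docs/policy": {"bob": {"Owner"}},
    }

# Site-wide roles after the control-panel cleanup: alice has none left.
GLOBAL_ROLES = {"alice": set(), "bob": {"Member", "Editor"}}


def effective_roles(site, global_roles, user, path):
    """Site-wide roles plus local roles on the object and on each ancestor."""
    roles = set(global_roles.get(user, ()))
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        ancestor = "/" + "/".join(parts[:i])
        roles |= site.get(ancestor, {}).get(user, set())
    return roles


def change_ownership(site, old, new, under="/", dry_run=True):
    """Move the Owner local role from `old` to `new` at or below `under`.

    Returns the affected paths; with dry_run=True the site is not modified.
    """
    prefix = under.rstrip("/") + "/"
    affected = []
    for path in sorted(site):
        if not (path + "/").startswith(prefix):
            continue  # outside the path limit
        local = site[path]
        if "Owner" not in local.get(old, set()):
            continue  # not owned by the old user
        affected.append(path)
        if not dry_run:
            local[old] = local[old] - {"Owner"}
            if not local[old]:
                del local[old]
            local.setdefault(new, set()).add("Owner")
    return affected
```

Comparing `effective_roles` for the departed user before and after a real (non-dry) run gives a quick check that no owner-derived access is left behind.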