The Problem

We have a couple of files that we are not allowed to make accessible for the world just for our students. At the same time it would obviously be silly to make them own the objects in questions lest they will delete or publish them.

Research

We found a good hint in the right direction on tomster.org which does however contain an ugly ZMI part that is inherent to the solution advanced. Luckily we had been confronted with the portal_workflow thingy in Plone before so we merged the knowledge at hand and created the fine solution set out below.

Our nice Solution

There are three steps to take to get it right. Read it to the end it won't do no harm to your objectives:

1. Go to the ZMI root and access the Security tab. At the very bottom of the page you can add user defined roles to the ones already available. Add a role ReadOnly (or choose any other appropriate name you fancy, say "ReadAccess" or whatever).
2. Next, go to the portal_workflow section of your portal's ZMI.
   • Hit the Contents tab and go to plone_workflow which should be the default workflow applicable for most Plone objects including files, documents, etc. Now hit the States tab and click on the private state to edit it.
   • Just in cae you're confused the breadcrumb should now read something like that: Workflow State at /Plone/portal_workflow/plone_workflow/states/private.
   • Now it's getting hot. Hit the Permissions tab. There will be a ReadOnly column and you will want to tick ReadOnly permissions for Access contents information and View.
   • The result of this is that people with a ReadOnly role for a specific object may view it even though it is in the private state which is exactly what we wanted to accomplish, isn't it?
3. The only thing now that's left doing is sharing the items in question with the due members or groups. To this end go back to your Plone portal and go to the object in question.
   • Hit the Sharing tab and share it with the people you want to share it with assigning to them the ReadOnly role. That will do. Now they can view the object but importantly not fool around with it.
   • You might have to change the status of the object from private to visible and back to private for the changes in the portal_workflow to take effect.

Pitfalls

If you have your object in a private folder that is not shared with the people in question they will not be able to access the object even though they have a ReadOnly role for the object. In this case you'll have to either make the folder visible or share it with the relevant people. You might have to make the due amendments to the folder_workflow. See below.

Read Access for Folders for Certain Users

If you want to share folders with a group of people giving them read access only you will have to repeat the steps detailed above for the folder_workflow. Thereafter you may share folders with others assigning the ReadOnly role to them.