How to make a complete folder structure private?

Quote from the Plone mailing list:

  I would like to add that this behaviour is 
  standard Zope behaviour due to the way Zope 
  permissions work. Zope permissions are 
  'additive' - by this I mean that you can 
  always add permissions down the tree but you 
  can never remove them and have the removal 
  acquired. It's sort of hard to explain but 
  if a sub item grants new permissions, then 
  those new permissions will take precedence. 
  In your case the visible sub items grant new
  permissions to objects from that point down. 
  It may not be what you are expecting but it's
  perfectly correct behaviour for Zope & Plone. 
  (Tom Cameron, 2005-03-07)

Now, if we assume a folder structure like:

  root
  - public folder
  - private folder
    - document 1
    - subfolder
      - document 2

by default the documents document 1 and document 2 and the folder subfolder are visible and can be accessed by anonymous users, even if the folder private folder is in the private state.

To change this behaviour and deny access to objects in the visible state that are located beneath a private folder, the following changes to the default_workflow are necessary:

  • In the ZMI, go to the root of your Plone site
  • Select portal_workflow > plone_workflow
  • In the States tab, select the visible state and then the Permissions tab
  • Deactivate the access portal content and view permissions for the role Anonymous
  • Repeat for the folder_workflow

For anonymous users, this makes all visible objects inherit the permissions of the parent object, i.e. if a parent folder is private, none of the objects beneath it are accessible to anonymous users.
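
The effect of the change can be checked with a small model of the additive behaviour described in the quote. This is an added example, not Zope or Plone code: the Node class, the role sets for each state and the root grant are assumptions chosen for illustration, and only the View permission is modelled.

```python
# Simplified model of Zope permission acquisition (constructed, not Zope code).
# Each object stores the roles it grants View locally and whether it also
# acquires the grants made further up the tree.

class Node:
    def __init__(self, name, parent=None, roles=(), acquire=True):
        self.name = name
        self.parent = parent
        self.roles = set(roles)   # roles granted View on this object
        self.acquire = acquire    # "acquire permission settings" switch

    def view_roles(self):
        """Local grants always count; parent grants are added only while
        acquire is on. Nothing here can subtract a role."""
        granted = set(self.roles)
        if self.acquire and self.parent is not None:
            granted |= self.parent.view_roles()
        return granted

    def anonymous_can_view(self):
        return "Anonymous" in self.view_roles()


def build_site(visible_roles):
    """Folder structure from the page. visible_roles is what the visible
    state grants for View (assumed values; acquire stays switched on)."""
    private = dict(roles={"Manager", "Owner"}, acquire=False)  # assumed
    visible = dict(roles=visible_roles, acquire=True)
    root = Node("root", roles={"Anonymous", "Manager"}, acquire=False)
    public = Node("public folder", root, **visible)
    priv = Node("private folder", root, **private)
    doc1 = Node("document 1", priv, **visible)
    sub = Node("subfolder", priv, **visible)
    doc2 = Node("document 2", sub, **visible)
    return {n.name: n for n in (root, public, priv, doc1, sub, doc2)}


def anonymous_access(visible_roles):
    """Map each object name to whether Anonymous effectively holds View."""
    site = build_site(visible_roles)
    return {name: node.anonymous_can_view() for name, node in site.items()}


if __name__ == "__main__":
    before = anonymous_access({"Anonymous", "Manager", "Reviewer"})
    after = anonymous_access({"Manager", "Reviewer"})
    for name in before:
        print(f"{name:15} before={before[name]!s:5} after={after[name]}")
```

With Anonymous listed in the visible state, every visible object grants access on its own, whatever its parent says. Once Anonymous is removed, a visible object is only reachable where a parent still grants it, so the public folder stays readable while everything beneath the private folder does not.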