Shows the can_delete key in the users and groups serializer only if the

user has "Plone Site Setup: Users and Groups" permission

src/plone/restapi/permissions.py

@@ -2,3 +2,4 @@
 # permissions. Granted to Anonymous (i.e. everyone) by default via rolemap.xml
 
 UseRESTAPI = "plone.restapi: Use REST API"
+ManageUsers = "Plone Site Setup: Users and Groups"

src/plone/restapi/serializer/group.py

@@ -1,7 +1,8 @@
-from AccessControl import getSecurityManager
 from plone.restapi.batching import HypermediaBatch
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.interfaces import ISerializeToJsonSummary
+from plone.restapi.permissions import ManageUsers
+from plone.restapi.serializer.utils import check_permission
 from Products.CMFCore.permissions import ManagePortal
 from Products.PlonePAS.interfaces.group import IGroupData
 from zope.component import adapter
@@ -17,7 +18,11 @@ def __init__(self, context, request):
 
     @property
     def is_zope_manager(self):
-        return getSecurityManager().checkPermission(ManagePortal, self.context)
+        return check_permission(ManagePortal, self.context)
+
+    @property
+    def can_manage_users(self):
+        return check_permission(ManageUsers, self.context)
 
     def can_delete(self, roles):
         if self.is_zope_manager:
@@ -29,16 +34,18 @@ def __call__(self):
         portal = getSite()
         roles = group.getRoles()
 
-        return {
+        result = {
             "@id": f"{portal.absolute_url()}/@groups/{group.id}",
             "id": group.id,
             "groupname": group.getGroupName(),
             "email": group.getProperty("email"),
             "title": group.getProperty("title"),
             "description": group.getProperty("description"),
             "roles": roles,
-            "can_delete": self.can_delete(roles),
         }
+        if self.can_manage_users:
+            result["can_delete"] = self.can_delete(roles)
+        return result
 
 
 @implementer(ISerializeToJsonSummary)

src/plone/restapi/serializer/user.py

@@ -1,10 +1,11 @@
-from AccessControl import getSecurityManager
 from plone.app.users.browser.userdatapanel import getUserDataSchema
 from plone.restapi.batching import HypermediaBatch
 from plone.restapi.bbb import safe_text
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.interfaces import ISerializeToJsonSummary
+from plone.restapi.permissions import ManageUsers
 from plone.restapi.serializer.converters import json_compatible
+from plone.restapi.serializer.utils import check_permission
 from plone.restapi.services.users.get import getPortraitUrl
 from Products.CMFCore.interfaces._tools import IMemberData
 from Products.CMFCore.permissions import ManagePortal
@@ -23,7 +24,11 @@ def __init__(self, context, request):
 
     @property
     def is_zope_manager(self):
-        return getSecurityManager().checkPermission(ManagePortal, self.context)
+        return check_permission(ManagePortal, self.context)
+
+    @property
+    def can_manage_users(self):
+        return check_permission(ManageUsers, self.context)
 
     def can_delete(self, roles):
         if self.is_zope_manager:
@@ -45,8 +50,9 @@ def __call__(self):
             "id": user.id,
             "username": user.getUserName(),
             "roles": roles,
-            "can_delete": self.can_delete(roles),
         }
+        if self.can_manage_users:
+            data["can_delete"] = self.can_delete(roles)
 
         schema = getUserDataSchema()
 

src/plone/restapi/serializer/utils.py

@@ -1,9 +1,10 @@
-from plone.dexterity.schema import lookup_fti
+from AccessControl import getSecurityManager
 from plone.app.uuid.utils import uuidToCatalogBrain
+from plone.dexterity.schema import lookup_fti
 from plone.restapi.interfaces import IObjectPrimaryFieldTarget
 from zope.component import queryMultiAdapter
-from zope.i18n import translate
 from zope.globalrequest import getRequest
+from zope.i18n import translate
 
 import re
 
@@ -43,7 +44,7 @@ def resolve_uid(path):
 
 
 def uid_to_url(path):
-    path, brain = resolve_uid(path)
+    path, _brain = resolve_uid(path)
     return path
 
 
@@ -53,3 +54,7 @@ def get_portal_type_title(portal_type):
     if request:
         return translate(getattr(fti, "Title", lambda: portal_type)(), context=request)
     return getattr(fti, "Title", lambda: portal_type)()
+
+
+def check_permission(permission, context):
+    return getSecurityManager().checkPermission(permission, context)

src/plone/restapi/tests/http-examples/users_authorized_get.resp

@@ -3,7 +3,6 @@ Content-Type: application/json
 
 {
     "@id": "http://localhost:55001/plone/@users/noam",
-    "can_delete": true,
     "description": "Professor of Linguistics",
     "email": "[email protected]",
     "fullname": "Noam Avram Chomsky",

src/plone/restapi/tests/test_serializer_group.py

@@ -1,4 +1,5 @@
 from plone import api
+from plone.app.testing import setRoles
 from plone.app.testing import TEST_USER_ID
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.interfaces import ISerializeToJsonSummary
@@ -58,3 +59,24 @@ def test_summary(self):
         self.assertEqual("Plone Team", group.get("title"))
         self.assertEqual("We are Plone", group.get("description"))
         self.assertNotIn("users", group)
+
+    def test_serialize_group_with_member(self):
+        setRoles(self.portal, TEST_USER_ID, ["Member"])
+        group = self.serialize(self.group)
+        self.assertEqual(
+            {
+                "@id": "http://nohost/plone/@groups/ploneteam",
+                "id": "ploneteam",
+                "groupname": "ploneteam",
+                "email": "[email protected]",
+                "title": "Plone Team",
+                "description": "We are Plone",
+                "roles": ["Authenticated"],
+                "members": {
+                    "@id": "http://nohost",
+                    "items_total": 1,
+                    "items": ["test_user_1_"],
+                },
+            },
+            group,
+        )

src/plone/restapi/tests/test_serializer_user.py

@@ -1,5 +1,7 @@
 from DateTime import DateTime
 from plone import api
+from plone.app.testing import setRoles
+from plone.app.testing import TEST_USER_ID
 from plone.app.users.browser.schemaeditor import applySchema
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.testing import PLONE_RESTAPI_DX_INTEGRATION_TESTING
@@ -49,7 +51,6 @@ def test_serialize_roles(self):
         self.assertNotIn("Anonymous", user["roles"])
 
     def test_serialize_custom_member_schema(self):
-        from plone.app.users.browser.schemaeditor import applySchema
 
         member_schema = """
             <model xmlns="http://namespaces.plone.org/supermodel/schema"
@@ -79,6 +80,32 @@ def test_serialize_custom_member_schema(self):
         self.assertIn("twitter", res)
         self.assertEqual(res["twitter"], "TheRealDuck")
 
+    def test_serialize_user_with_member(self):
+        setRoles(self.portal, TEST_USER_ID, ["Member"])
+        user = self.serialize(self.user)
+        self.assertEqual(
+            {
+                "@id": "http://nohost/plone/@users/noam",
+                "id": "noam",
+                "username": "noam",
+                "roles": ["Member"],
+                "fullname": "Noam Avram Chomsky",
+                "email": "[email protected]",
+                "home_page": "web.mit.edu/chomsky",
+                "description": "Professor of Linguistics",
+                "location": "Cambridge, MA",
+                "portrait": None,
+                "groups": {
+                    "@id": "http://nohost",
+                    "items_total": 1,
+                    "items": [
+                        {"id": "AuthenticatedUsers", "title": "AuthenticatedUsers"}
+                    ],
+                },
+            },
+            user,
+        )
+
 
 class TestSerializeUserCustomSchemaToJsonAdapter(unittest.TestCase):