Do not allow Site Administrator to delete group with Manager role

plone · Sep 22, 2023 · b6eff1d · b6eff1d
1 parent f6f8dbf
commit b6eff1d
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/plone/restapi/services/groups/delete.py b/src/plone/restapi/services/groups/delete.py
@@ -1,4 +1,6 @@
+from AccessControl import getSecurityManager
 from plone.restapi.services import Service
+from Products.CMFCore.permissions import ManagePortal
 from Products.CMFCore.utils import getToolByName
 from zExceptions import NotFound
 from zope.component.hooks import getSite
@@ -19,6 +21,10 @@ def publishTraverse(self, request, name):
         self.params.append(name)
         return self
 
+    @property
+    def is_zope_manager(self):
+        return getSecurityManager().checkPermission(ManagePortal, self.context)
+
     @property
     def _get_group_id(self):
         if len(self.params) != 1:
@@ -38,6 +44,9 @@ def reply(self):
         if not group:
             raise NotFound("Trying to delete a non-existing group.")
 
+        if not self.is_zope_manager and "Manager" in group.getRoles():
+            return self.reply_no_content(status=403)
+
         delete_successful = portal_groups.removeGroup(self._get_group_id)
         if delete_successful:
             return self.reply_no_content()

diff --git a/src/plone/restapi/tests/test_services_groups.py b/src/plone/restapi/tests/test_services_groups.py
@@ -236,3 +236,10 @@ def test_siteadm_not_add_group_with_manager_role(self):
 
         fwt = self.gtool.getGroupById("fwt")
         self.assertIsNone(fwt)
+
+    def test_siteadm_not_delete_group_with_manager_role(self):
+        self.set_siteadm()
+        self.api_session.delete("/@groups/Administrators")
+        transaction.commit()
+
+        self.assertIsNotNone(self.gtool.getGroupById("Administrators"))