
Add can_delete key to the users endpoint
Used to let the frontend hide the remove-user button if the user cannot be removed by the
currently authenticated user
wesleybl committed Sep 25, 2023
1 parent 8918a1f commit ec00f34
Showing 2 changed files with 42 additions and 3 deletions.
29 changes: 26 additions & 3 deletions src/plone/restapi/services/users/get.py
Expand Up @@ -8,6 +8,7 @@
from plone.namedfile.utils import stream_data
from plone.restapi.interfaces import ISerializeToJson
from plone.restapi.services import Service
from Products.CMFCore.permissions import ManagePortal
from Products.CMFCore.utils import getToolByName
from Products.CMFPlone.utils import normalizeString
from Products.PlonePAS.tools.memberdata import MemberData
Expand Down Expand Up @@ -60,6 +61,10 @@ def __init__(self, context, request):
self.query = parse_qs(self.request["QUERY_STRING"])
self.search_term = self.query.get("search", [""])[0]

@property
def is_zope_manager(self):
return getSecurityManager().checkPermission(ManagePortal, self.context)

def publishTraverse(self, request, name):
# Consume any path segments after /@users as parameters
self.params.append(name)
Expand Down Expand Up @@ -165,7 +170,13 @@ def has_permission_to_access_user_info(self):
"plone.restapi: Access Plone user information", self.context
)

def can_delete(self, is_zope_manager, roles):
if is_zope_manager:
return True
return "Manager" not in roles

def reply(self):
is_zope_manager = self.is_zope_manager
if len(self.query) > 0 and len(self.params) == 0:
query = self.query.get("query", "")
groups_filter = self.query.get("groups-filter:list", [])
Expand All @@ -180,7 +191,11 @@ def reply(self):
serializer = queryMultiAdapter(
(user, self.request), ISerializeToJson
)
result.append(serializer())
user_serializer = serializer()
user_serializer["can_delete"] = self.can_delete(
is_zope_manager, user_serializer["roles"]
)
result.append(user_serializer)
return result
else:
self.request.response.setStatus(401)
Expand All @@ -196,7 +211,11 @@ def reply(self):
serializer = queryMultiAdapter(
(user, self.request), ISerializeToJson
)
result.append(serializer())
user_serializer = serializer()
user_serializer["can_delete"] = self.can_delete(
is_zope_manager, user_serializer["roles"]
)
result.append(user_serializer)
return result
else:
self.request.response.setStatus(401)
Expand All @@ -216,7 +235,11 @@ def reply(self):
self.request.response.setStatus(404)
return
serializer = queryMultiAdapter((user, self.request), ISerializeToJson)
return serializer()
user_serializer = serializer()
user_serializer["can_delete"] = self.can_delete(
is_zope_manager, user_serializer["roles"]
)
return user_serializer
else:
self.request.response.setStatus(401)
return
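Review bot: `can_delete` in the hunk at @@ -165 is a presentation hint derived from the serialized `roles` list and the caller's ManagePortal permission, so the DELETE handler for `@users` must keep enforcing that rule itself rather than trusting this flag; a docstring on `can_delete` such as `"""UI hint only; the delete service enforces the actual authorization, keep both in sync."""` would make that explicit and keep the two checks from drifting. `user_serializer["roles"]` assumes the serializer always emits a `roles` key, and whether that list includes roles granted through groups is not visible here — if it does not, a group-granted Manager could be reported as deletable. The serialize-then-annotate sequence is repeated verbatim in the three `reply` hunks (@@ -180, @@ -196, @@ -216); a small helper keeps it in one place. `is_zope_manager` calls `getSecurityManager`, whose import is outside the shown hunks, and `reply` begins before the @@ -180 hunk and ends outside the @@ -216 hunk.
```python
    def _serialize_user(self, user, is_zope_manager):
        """Serialize *user* and attach the ``can_delete`` hint for the current caller."""
        serializer = queryMultiAdapter((user, self.request), ISerializeToJson)
        user_serializer = serializer()
        user_serializer["can_delete"] = self.can_delete(
            is_zope_manager, user_serializer["roles"]
        )
        return user_serializer

    def reply(self):
        is_zope_manager = self.is_zope_manager
        # … unchanged: query parsing and the authorization branches …
        result.append(self._serialize_user(user, is_zope_manager))
        # … unchanged: the single-user branch returns self._serialize_user(user, is_zope_manager) …
```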
16 changes: 16 additions & 0 deletions src/plone/restapi/tests/test_services_users.py
Expand Up @@ -122,6 +122,22 @@ def test_list_users(self):
self.assertEqual("web.mit.edu/chomsky", noam.get("home_page")) # noqa
self.assertEqual("Professor of Linguistics", noam.get("description")) # noqa
self.assertEqual("Cambridge, MA", noam.get("location"))
self.assertTrue(noam.get("can_delete"))

def test_siteadm_can_delete(self):
self.set_siteadm()
api.user.create(
email="[email protected]",
roles=["Manager"],
username="manager",
password="managerpassword",
)
transaction.commit()

response = self.api_session.get("/@users")

manager = [x for x in response.json() if x.get("username") == "manager"][0]
self.assertFalse(manager.get("can_delete"))

def test_list_users_without_being_manager(self):
noam_api_session = RelativeSession(self.portal_url, test=self)
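Review bot: `test_siteadm_can_delete` pins only the negative case, so an implementation that reports `can_delete` as False for every user would still pass; the same site-administrator listing should also assert a non-Manager user is deletable, e.g. `noam = [x for x in response.json() if x.get("username") == "noam"][0]` followed by `self.assertTrue(noam.get("can_delete"))`, assuming the `noam` fixture user referenced in `test_list_users` exists in this class's setup. The new `self.assertTrue(noam.get("can_delete"))` in `test_list_users` depends on the session established outside the hunk being a Manager session, which is not visible here and could be stated in a short comment. `test_list_users` starts before the hunk.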
