From 1b6c014cafb6a2c232d2d1de46ab85e7a4e18b03 Mon Sep 17 00:00:00 2001 
From: davisagli
Date: Mon, 25 Nov 2024 05:52:55 -0800
Subject: [PATCH] [fc] Repository: plone.app.users

Branch: refs/heads/master
Date: 2024-11-25T11:22:46+01:00
Author: Yuri (yurj)
Commit: https://github.com/plone/plone.app.users/commit/0a7d5f025c419a5a03f6aace88ded353091dfd99

Protect `@@member-fields` additional traversal to the edit schema

Protect `@@member-fields` additional traversal to the edit view of the schema context with the `plone.app.controlpanel.UsersAndGroups` permission, as the `@@member-fields` view itself.
See https://community.plone.org/t/member-fields-browser-view-unprotected/20103

Files changed:
M plone/app/users/browser/configure.zcml

Repository: plone.app.users


Branch: refs/heads/master
Date: 2024-11-25T11:25:19+01:00
Author: Yuri (yurj)
Commit: https://github.com/plone/plone.app.users/commit/6ef247cc5582f8a296b93d1e37131fda201fa9b7

news

Files changed:
A news/125.bugfix

Repository: plone.app.users


Branch: refs/heads/master
Date: 2024-11-25T08:51:52-05:00
Author: David Glick (davisagli)
Commit: https://github.com/plone/plone.app.users/commit/ee4aadd5a1f9353330eea09e2f6aeccf7c6e6089

Update news/125.bugfix

Files changed:
M news/125.bugfix

Repository: plone.app.users


Branch: refs/heads/master
Date: 2024-11-25T08:52:14-05:00
Author: David Glick (davisagli)
Commit: https://github.com/plone/plone.app.users/commit/d6abfdf26a341ce283a5eef17ac6370691d55146

Update 125.bugfix

Files changed:
M news/125.bugfix

Repository: plone.app.users


Branch: refs/heads/master
Date: 2024-11-25T05:52:55-08:00
Author: David Glick (davisagli)
Commit: https://github.com/plone/plone.app.users/commit/b7ba13ccd9a17b4289d46d37fbefeaeebe01e4c3

Merge pull request #130 from plone/yurj-member-fields-permission

Fix view @@member-fields is public

Files changed:
A news/125.bugfix
M plone/app/users/browser/configure.zcml
---
 last_commit.txt | 87 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 73 insertions(+), 14 deletions(-)

diff --git a/last_commit.txt b/last_commit.txt index bdac74ae44..f92b61e290 100644 --- a/last_commit.txt +++ b/last_commit.txt 
@@ -1,22 +1,81 @@ -Repository: plone.restapi +Repository: plone.app.users -Branch: refs/heads/main -Date: 2024-11-24T15:02:01-08:00 -Author: Steve Piercy (stevepiercy) -Commit: https://github.com/plone/plone.restapi/commit/9403ec481704d89b96d072e85134e132ff6d80a8 +Branch: refs/heads/master +Date: 2024-11-25T11:22:46+01:00 +Author: Yuri (yurj) +Commit: https://github.com/plone/plone.app.users/commit/0a7d5f025c419a5a03f6aace88ded353091dfd99 -Fix linkcheck (#1846) +Protect `@@member-fields` additional traversal to the edit schema -* Fix linkcheck -- html_use_opensearch value must not have a trailing slash -- Clean up comments - -* news +Protect `@@member-fields` additional traversal to the edit view of the schema context with the `plone.app.controlpanel.UsersAndGroups` permission, as the `@@member-fields` view itself. +See https://community.plone.org/t/member-fields-browser-view-unprotected/20103 Files changed: -A news/1846.documentation -M docs/source/conf.py +M plone/app/users/browser/configure.zcml -b'diff --git a/docs/source/conf.py b/docs/source/conf.py\nindex 5bc2f084a2..4282d26b9f 100644\n--- a/docs/source/conf.py\n+++ b/docs/source/conf.py\n@@ -290,7 +290,7 @@ def patch_pygments_to_highlight_jsonschema():\n # base URL from which the finished HTML is served.\n # Announce that we have an opensearch plugin\n # https://www.sphinx-doc.org/en/master/usage/configuration.html#confval-html_use_opensearch\n-html_use_opensearch = "https://plonerestapi.readthedocs.org/"\n+html_use_opensearch = "https://plonerestapi.readthedocs.org"\n \n \n # This is the file name suffix for HTML files (e.g. ".xhtml").\ndiff --git a/news/1846.documentation b/news/1846.documentation\nnew file mode 100644\nindex 0000000000..d46a5b6816\n--- /dev/null\n+++ b/news/1846.documentation\n@@ -0,0 +1 @@\n+`html_use_opensearch` value must not have a trailing slash. Clean up comments. 
@stevepiercy\n' +b'diff --git a/plone/app/users/browser/configure.zcml b/plone/app/users/browser/configure.zcml\nindex 3aa1203..63d6592 100644\n--- a/plone/app/users/browser/configure.zcml\n+++ b/plone/app/users/browser/configure.zcml\n@@ -80,7 +80,7 @@\n name="edit"\n for=".schemaeditor.IMemberSchemaContext"\n class=".schemaeditor.SchemaListingPage"\n- permission="zope2.View"\n+ permission="plone.app.controlpanel.UsersAndGroups"\n />\n \n +Commit: https://github.com/plone/plone.app.users/commit/6ef247cc5582f8a296b93d1e37131fda201fa9b7 + +news + +Files changed: +A news/125.bugfix + +b'diff --git a/news/125.bugfix b/news/125.bugfix\nnew file mode 100644\nindex 00000000..fa905b1c\n--- /dev/null\n+++ b/news/125.bugfix\n@@ -0,0 +1 @@\n+[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)\n' + +Repository: plone.app.users + + +Branch: refs/heads/master +Date: 2024-11-25T08:51:52-05:00 +Author: David Glick (davisagli) +Commit: https://github.com/plone/plone.app.users/commit/ee4aadd5a1f9353330eea09e2f6aeccf7c6e6089 + +Update news/125.bugfix + +Files changed: +M news/125.bugfix + +b'diff --git a/news/125.bugfix b/news/125.bugfix\nindex fa905b1..c58e148 100644\n--- a/news/125.bugfix\n+++ b/news/125.bugfix\n@@ -1 +1 @@\n-[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)\n+Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. @yurj \n' + +Repository: plone.app.users + + +Branch: refs/heads/master +Date: 2024-11-25T08:52:14-05:00 +Author: David Glick (davisagli) +Commit: https://github.com/plone/plone.app.users/commit/d6abfdf26a341ce283a5eef17ac6370691d55146 + +Update 125.bugfix + +Files changed: +M news/125.bugfix + +b'diff --git a/news/125.bugfix b/news/125.bugfix\nindex c58e148..4525a82 100644\n--- a/news/125.bugfix\n+++ b/news/125.bugfix\n@@ -1 +1 @@\n-Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. 
@yurj \n+Check `plone.app.controlpanel.UsersAndGroups` permission for the `@@member-fields` edit view. @yurj \n' + +Repository: plone.app.users + + +Branch: refs/heads/master +Date: 2024-11-25T05:52:55-08:00 +Author: David Glick (davisagli) +Commit: https://github.com/plone/plone.app.users/commit/b7ba13ccd9a17b4289d46d37fbefeaeebe01e4c3 + +Merge pull request #130 from plone/yurj-member-fields-permission + +Fix view @@member-fields is public + +Files changed: +A news/125.bugfix +M plone/app/users/browser/configure.zcml + +b'diff --git a/news/125.bugfix b/news/125.bugfix\nnew file mode 100644\nindex 00000000..4525a82c\n--- /dev/null\n+++ b/news/125.bugfix\n@@ -0,0 +1 @@\n+Check `plone.app.controlpanel.UsersAndGroups` permission for the `@@member-fields` edit view. @yurj \ndiff --git a/plone/app/users/browser/configure.zcml b/plone/app/users/browser/configure.zcml\nindex 3aa12036..63d65929 100644\n--- a/plone/app/users/browser/configure.zcml\n+++ b/plone/app/users/browser/configure.zcml\n@@ -80,7 +80,7 @@\n name="edit"\n for=".schemaeditor.IMemberSchemaContext"\n class=".schemaeditor.SchemaListingPage"\n- permission="zope2.View"\n+ permission="plone.app.controlpanel.UsersAndGroups"\n />\n \n
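
Review bot: The embedded `configure.zcml` change at the end of this hunk tightens only the `name="edit"` page registered for `.schemaeditor.IMemberSchemaContext`, and the "Files changed" lists name only `news/125.bugfix` and `configure.zcml`, so nothing in the change set asserts the new behaviour. I would add a functional test that requests the edit view reached by traversing past `@@member-fields` as an anonymous user and as a logged-in user without `plone.app.controlpanel.UsersAndGroups`, and expects the request to be refused. It is also worth confirming in the same file that no other page registered for `IMemberSchemaContext` still declares `permission="zope2.View"`, since only this one registration is visible in the context lines.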