[fc] Repository: plone.app.users

Branch: refs/heads/master Date: 2024-11-25T11:22:46+01:00 Author: Yuri (yurj) <[email protected]> Commit: plone/plone.app.users@0a7d5f0 Protect `@@member-fields` additional traversal to the edit schema Protect `@@member-fields` additional traversal to the edit view of the schema context with the `plone.app.controlpanel.UsersAndGroups` permission, as the `@@member-fields` view itself. See https://community.plone.org/t/member-fields-browser-view-unprotected/20103 Files changed: M plone/app/users/browser/configure.zcml Repository: plone.app.users Branch: refs/heads/master Date: 2024-11-25T11:25:19+01:00 Author: Yuri (yurj) <[email protected]> Commit: plone/plone.app.users@6ef247c news Files changed: A news/125.bugfix Repository: plone.app.users Branch: refs/heads/master Date: 2024-11-25T08:51:52-05:00 Author: David Glick (davisagli) <[email protected]> Commit: plone/plone.app.users@ee4aadd Update news/125.bugfix Files changed: M news/125.bugfix Repository: plone.app.users Branch: refs/heads/master Date: 2024-11-25T08:52:14-05:00 Author: David Glick (davisagli) <[email protected]> Commit: plone/plone.app.users@d6abfdf Update 125.bugfix Files changed: M news/125.bugfix Repository: plone.app.users Branch: refs/heads/master Date: 2024-11-25T05:52:55-08:00 Author: David Glick (davisagli) <[email protected]> Commit: plone/plone.app.users@b7ba13c Merge pull request #130 from plone/yurj-member-fields-permission Fix view @@member-fields is public Files changed: A news/125.bugfix M plone/app/users/browser/configure.zcml
plone · Nov 25, 2024 · ed40439 · ed40439
1 parent 5cb92b8
commit ed40439
Showing 1 changed file with 73 additions and 14 deletions.
diff --git a/last_commit.txt b/last_commit.txt
@@ -1,22 +1,81 @@
-Repository: plone.restapi
+Repository: plone.app.users
 
 
-Branch: refs/heads/main
-Date: 2024-11-24T15:02:01-08:00
-Author: Steve Piercy (stevepiercy) <[email protected]>
-Commit: https://github.com/plone/plone.restapi/commit/9403ec481704d89b96d072e85134e132ff6d80a8
+Branch: refs/heads/master
+Date: 2024-11-25T11:22:46+01:00
+Author: Yuri (yurj) <[email protected]>
+Commit: https://github.com/plone/plone.app.users/commit/0a7d5f025c419a5a03f6aace88ded353091dfd99
 
-Fix linkcheck (#1846)
+Protect `@@member-fields` additional traversal to the edit schema
 
-* Fix linkcheck
-- html_use_opensearch value must not have a trailing slash
-- Clean up comments
-
-* news
+Protect `@@member-fields` additional traversal to the edit view of the schema context with the `plone.app.controlpanel.UsersAndGroups` permission, as the  `@@member-fields` view itself.
+See https://community.plone.org/t/member-fields-browser-view-unprotected/20103
 
 Files changed:
-A news/1846.documentation
-M docs/source/conf.py
+M plone/app/users/browser/configure.zcml
 
-b'diff --git a/docs/source/conf.py b/docs/source/conf.py\nindex 5bc2f084a2..4282d26b9f 100644\n--- a/docs/source/conf.py\n+++ b/docs/source/conf.py\n@@ -290,7 +290,7 @@ def patch_pygments_to_highlight_jsonschema():\n # base URL from which the finished HTML is served.\n # Announce that we have an opensearch plugin\n # https://www.sphinx-doc.org/en/master/usage/configuration.html#confval-html_use_opensearch\n-html_use_opensearch = "https://plonerestapi.readthedocs.org/"\n+html_use_opensearch = "https://plonerestapi.readthedocs.org"\n \n \n # This is the file name suffix for HTML files (e.g. ".xhtml").\ndiff --git a/news/1846.documentation b/news/1846.documentation\nnew file mode 100644\nindex 0000000000..d46a5b6816\n--- /dev/null\n+++ b/news/1846.documentation\n@@ -0,0 +1 @@\n+`html_use_opensearch` value must not have a trailing slash. Clean up comments. @stevepiercy\n'
+b'diff --git a/plone/app/users/browser/configure.zcml b/plone/app/users/browser/configure.zcml\nindex 3aa1203..63d6592 100644\n--- a/plone/app/users/browser/configure.zcml\n+++ b/plone/app/users/browser/configure.zcml\n@@ -80,7 +80,7 @@\n       name="edit"\n       for=".schemaeditor.IMemberSchemaContext"\n       class=".schemaeditor.SchemaListingPage"\n-      permission="zope2.View"\n+      permission="plone.app.controlpanel.UsersAndGroups"\n       />\n \n   <browser:page\n'
+
+Repository: plone.app.users
+
+
+Branch: refs/heads/master
+Date: 2024-11-25T11:25:19+01:00
+Author: Yuri (yurj) <[email protected]>
+Commit: https://github.com/plone/plone.app.users/commit/6ef247cc5582f8a296b93d1e37131fda201fa9b7
+
+news
+
+Files changed:
+A news/125.bugfix
+
+b'diff --git a/news/125.bugfix b/news/125.bugfix\nnew file mode 100644\nindex 00000000..fa905b1c\n--- /dev/null\n+++ b/news/125.bugfix\n@@ -0,0 +1 @@\n+[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)\n'
+
+Repository: plone.app.users
+
+
+Branch: refs/heads/master
+Date: 2024-11-25T08:51:52-05:00
+Author: David Glick (davisagli) <[email protected]>
+Commit: https://github.com/plone/plone.app.users/commit/ee4aadd5a1f9353330eea09e2f6aeccf7c6e6089
+
+Update news/125.bugfix
+
+Files changed:
+M news/125.bugfix
+
+b'diff --git a/news/125.bugfix b/news/125.bugfix\nindex fa905b1..c58e148 100644\n--- a/news/125.bugfix\n+++ b/news/125.bugfix\n@@ -1 +1 @@\n-[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)\n+Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. @yurj \n'
+
+Repository: plone.app.users
+
+
+Branch: refs/heads/master
+Date: 2024-11-25T08:52:14-05:00
+Author: David Glick (davisagli) <[email protected]>
+Commit: https://github.com/plone/plone.app.users/commit/d6abfdf26a341ce283a5eef17ac6370691d55146
+
+Update 125.bugfix
+
+Files changed:
+M news/125.bugfix
+
+b'diff --git a/news/125.bugfix b/news/125.bugfix\nindex c58e148..4525a82 100644\n--- a/news/125.bugfix\n+++ b/news/125.bugfix\n@@ -1 +1 @@\n-Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. @yurj \n+Check `plone.app.controlpanel.UsersAndGroups` permission for the `@@member-fields` edit view. @yurj \n'
+
+Repository: plone.app.users
+
+
+Branch: refs/heads/master
+Date: 2024-11-25T05:52:55-08:00
+Author: David Glick (davisagli) <[email protected]>
+Commit: https://github.com/plone/plone.app.users/commit/b7ba13ccd9a17b4289d46d37fbefeaeebe01e4c3
+
+Merge pull request #130 from plone/yurj-member-fields-permission
+
+Fix view @@member-fields is public
+
+Files changed:
+A news/125.bugfix
+M plone/app/users/browser/configure.zcml
+
+b'diff --git a/news/125.bugfix b/news/125.bugfix\nnew file mode 100644\nindex 00000000..4525a82c\n--- /dev/null\n+++ b/news/125.bugfix\n@@ -0,0 +1 @@\n+Check `plone.app.controlpanel.UsersAndGroups` permission for the `@@member-fields` edit view. @yurj \ndiff --git a/plone/app/users/browser/configure.zcml b/plone/app/users/browser/configure.zcml\nindex 3aa12036..63d65929 100644\n--- a/plone/app/users/browser/configure.zcml\n+++ b/plone/app/users/browser/configure.zcml\n@@ -80,7 +80,7 @@\n       name="edit"\n       for=".schemaeditor.IMemberSchemaContext"\n       class=".schemaeditor.SchemaListingPage"\n-      permission="zope2.View"\n+      permission="plone.app.controlpanel.UsersAndGroups"\n       />\n \n   <browser:page\n'