From 0a7d5f025c419a5a03f6aace88ded353091dfd99 Mon Sep 17 00:00:00 2001
From: Yuri
Date: Mon, 25 Nov 2024 11:22:46 +0100
Subject: [PATCH 1/4] Protect `@@member-fields` additional traversal to the edit schema
Protect `@@member-fields` additional traversal to the edit view of the schema context with the `plone.app.controlpanel.UsersAndGroups` permission, as the `@@member-fields` view itself. See https://community.plone.org/t/member-fields-browser-view-unprotected/20103
---
 plone/app/users/browser/configure.zcml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plone/app/users/browser/configure.zcml b/plone/app/users/browser/configure.zcml
index 3aa1203..63d6592 100644
--- a/plone/app/users/browser/configure.zcml
+++ b/plone/app/users/browser/configure.zcml
@@ -80,7 +80,7 @@
 name="edit"
 for=".schemaeditor.IMemberSchemaContext"
 class=".schemaeditor.SchemaListingPage"
- permission="zope2.View"
+ permission="plone.app.controlpanel.UsersAndGroups"
 />
Date: Mon, 25 Nov 2024 11:25:19 +0100
Subject: [PATCH 2/4] news
---
 news/125.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 news/125.bugfix
diff --git a/news/125.bugfix b/news/125.bugfix
new file mode 100644
index 0000000..fa905b1
--- /dev/null
+++ b/news/125.bugfix
@@ -0,0 +1 @@
+[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)
From ee4aadd5a1f9353330eea09e2f6aeccf7c6e6089 Mon Sep 17 00:00:00 2001
From: David Glick
Date: Mon, 25 Nov 2024 08:51:52 -0500
Subject: [PATCH 3/4] Update news/125.bugfix
---
 news/125.bugfix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/news/125.bugfix b/news/125.bugfix
index fa905b1..c58e148 100644
--- a/news/125.bugfix
+++ b/news/125.bugfix
@@ -1 +1 @@
-[yurj] fix for https://github.com/plone/plone.app.users/issues/125 (view @@member-fields is public)
+Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. @yurj 
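Review bot: Nothing in this series pins the new permission on the `edit` page registered for `.schemaeditor.IMemberSchemaContext` — the diffstat lists configure.zcml as the only changed file — so a later regression that reopens the view would go unnoticed; an integration test asserting that an anonymous request to the edit view is refused while a user granted `plone.app.controlpanel.UsersAndGroups` still reaches it would close that gap. The opening `<browser:page` line of the element is not visible in the hunk, so it is also worth confirming that no other registration on the same schema context in this file still carries `zope2.View`, since that would leave an equivalent route to the same edit view. A short ZCML comment on the registration would record why the stricter permission is required, e.g. `<!-- Must match the @@member-fields permission: this is the edit view of the member schema context (issue 125). -->`.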
From d6abfdf26a341ce283a5eef17ac6370691d55146 Mon Sep 17 00:00:00 2001
From: David Glick
Date: Mon, 25 Nov 2024 08:52:14 -0500
Subject: [PATCH 4/4] Update 125.bugfix
---
 news/125.bugfix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/news/125.bugfix b/news/125.bugfix
index c58e148..4525a82 100644
--- a/news/125.bugfix
+++ b/news/125.bugfix
@@ -1 +1 @@
-Check plone.app.controlpanel.UsersAndGroups permission for the @@member-fields edit view. @yurj
+Check `plone.app.controlpanel.UsersAndGroups` permission for the `@@member-fields` edit view. @yurj