fix: @querystring shouldn't list userids

docs/source/endpoints/querystring.md

@@ -21,6 +21,8 @@ The `operators` property contains additional metadata about each operation.
 If an index uses a vocabulary, the vocabulary values are included in the `values` property.
 The vocabulary is resolved in the same context where the `/@querystring` endpoint is called (requires `plone.app.querystring >= 2.1.0`).
 
+**Note:** This endpoint returns the querystring configuration, filtering out vocabularies that the current user does not have permission to access. The filtering is done based on the same permission checks as the `@vocabularies` endpoint, ensuring that sensitive information, such as user or group data, is not exposed to unauthorized users.
+
 ## Get `querystring` configuration
 
 To get the metadata about all query operations available in the portal, call the `/@querystring` endpoint with a `GET` request:

src/plone/restapi/services/querystring/configure.zcml

@@ -4,27 +4,48 @@
     xmlns:plone="http://namespaces.plone.org/plone"
     xmlns:zcml="http://namespaces.zope.org/zcml"
     >
-
+
+  <!-- Editor endpoint -->
   <plone:service
       method="GET"
-      factory=".get.QuerystringGet"
+      factory=".get.QuerystringEditorGet"
       for="Products.CMFPlone.interfaces.IPloneSiteRoot"
-      permission="zope2.View"
+      permission="cmf.ModifyPortalContent"
       name="@querystring"
       />
-
   <plone:service
       method="GET"
-      factory=".get.QuerystringGet"
+      factory=".get.QuerystringEditorGet"
       for="Products.CMFCore.interfaces.IContentish"
-      permission="zope2.View"
+      permission="cmf.ModifyPortalContent"
       name="@querystring"
       />
+
+  <!-- Public endpoint -->
+  <plone:service
+      method="GET"
+      factory=".get.QuerystringPublicGet"
+      for="Products.CMFPlone.interfaces.IPloneSiteRoot"
+      permission="zope2.View"
+      name="@querystring-public"
+      />
+  <plone:service
+      method="GET"
+      factory=".get.QuerystringPublicGet"
+      for="Products.CMFCore.interfaces.IContentish"
+      permission="zope2.View"
+      name="@querystring-public"
+      />
 
+  <!-- Maintain caching for both endpoints -->
   <cache:ruleset
-      for=".get.QuerystringGet"
+      for=".get.QuerystringEditorGet"
+      ruleset="plone.content.dynamic"
+      zcml:condition="have plone-app-caching-3"
+      />
+  <cache:ruleset
+      for=".get.QuerystringPublicGet"
       ruleset="plone.content.dynamic"
       zcml:condition="have plone-app-caching-3"
       />
-
 </configure>

src/plone/restapi/services/querystring/get.py

@@ -3,19 +3,29 @@
 from plone.restapi.services import Service
 from zope.component import getMultiAdapter
 from zope.component import getUtility
-
+from plone.restapi.services.vocabularies.get import VocabulariesGet
 
 class QuerystringGet(Service):
-    """Returns the querystring configuration.
-
-    This basically does the same thing as the '@@querybuilderjsonconfig'
-    view from p.a.querystring, but exposes the config via the REST API.
-    """
-
+    """Returns the querystring configuration, filtering based on user permissions."""
+
     def reply(self):
         registry = getUtility(IRegistry)
         reader = getMultiAdapter((registry, self.request), IQuerystringRegistryReader)
         reader.vocab_context = self.context
         result = reader()
-        result["@id"] = "%s/@querystring" % self.context.absolute_url()
+
+        # Filter vocabularies based on user permissions
+        vocabularies_get_service = VocabulariesGet(self.context, self.request)
+        indexes_to_remove = []
+
+        for index_name, index_data in result['indexes'].items():
+            if 'vocabulary' in index_data:
+                vocabulary_name = index_data['vocabulary']
+                if not vocabularies_get_service._has_permission_to_access_vocabulary(vocabulary_name):
+                    indexes_to_remove.append(index_name)
+
+        for index_name in indexes_to_remove:
+            del result['indexes'][index_name]
+
+        result["@id"] = f"{self.context.absolute_url()}/@querystring"
         return result

src/plone/restapi/tests/test_querystring_get.py

@@ -0,0 +1,27 @@
+from plone.app.testing import PLONE_RESTAPI_FUNCTIONAL_TESTING
+from plone.restapi.testing import RelativeSession
+import unittest
+
+class TestQuerystringGet(unittest.TestCase):
+
+    layer = PLONE_RESTAPI_FUNCTIONAL_TESTING
+
+    def setUp(self):
+        self.portal = self.layer["portal"]
+        self.api_session = RelativeSession(self.portal.absolute_url())
+        self.api_session.headers.update({"Accept": "application/json"})
+
+    def test_vocabularies_permission_filtering(self):
+        response = self.api_session.get("/@querystring")
+        self.assertEqual(response.status_code, 200)
+        result = response.json()
+
+        # Assert that a sensitive vocabulary is filtered out
+        self.assertNotIn('plone.app.vocabularies.Users', result['indexes'])
+        self.assertNotIn('plone.app.vocabularies.Groups', result['indexes'])
+
+        # Assert that public vocabularies are still present
+        self.assertIn('plone.app.vocabularies.Keywords', result['indexes'])
+
+    def tearDown(self):
+        self.api_session.close()