WEB-3733 : Restrict permissions for "site admin" in control panel. So…

…me options are only available for manager

CHANGES.rst

@@ -5,6 +5,9 @@ Changelog
 1.0.9 (unreleased)
 ------------------
 
+- WEB-3733 : Restrict permissions for "site admin" in control panel. Some options are only available for manager
+  [boulch]
+
 - Change s-maxage for new Varnish strategy based on grace
   [sverbois]
 

src/imio/smartweb/policy/browser/configure.zcml

@@ -19,4 +19,24 @@
       directory="static"
       />
 
+  <configure package="plone.app.users.browser">
+  <browser:page
+      name="member-fields"
+      for="*"
+      class=".schemaeditor.MemberSchemaContext"
+      permission="smartweb.manageronlyconfiglets"
+      layer="imio.smartweb.core.interfaces.IImioSmartwebCoreLayer"
+      allowed_interface="OFS.interfaces.IItem" />
+  </configure>
+
+  <configure package="Products.CMFPlone.controlpanel.browser">
+  <browser:page
+      name="usergroup-controlpanel"
+      for="Products.CMFPlone.interfaces.IPloneSiteRoot"
+      class=".usergroups.UserGroupsSettingsPanelView"
+      permission="smartweb.manageronlyconfiglets"
+      layer="imio.smartweb.core.interfaces.IImioSmartwebCoreLayer"
+      />
+  </configure>
+
 </configure>

src/imio/smartweb/policy/permissions.zcml

@@ -1,12 +1,13 @@
 <configure
   xmlns="http://namespaces.zope.org/zope"
   xmlns:zcml="http://namespaces.zope.org/zcml"
-  i18n_domain="plone">
+  i18n_domain="smartweb">
 
   <configure zcml:condition="installed AccessControl.security">
-  <!-- -*- extra stuff goes here -*- -->
-
-
+    <permission
+      id="smartweb.manageronlyconfiglets"
+      title="Smartweb: Manager-only configlets"
+      description="" />
   </configure>
 
 </configure>

src/imio/smartweb/policy/profiles/default/controlpanel.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<object name="portal_controlpanel">
+  <configlet
+      title="Member Fields"
+      action_id="MemberFields"
+      appId="MemberFields"
+      category="plone-users"
+      condition_expr=""
+      icon_expr="string:card-list"
+      url_expr="string:${portal_url}/@@member-fields"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+  <configlet
+      title="User and Group Settings"
+      action_id="UsersGroupsSettings"
+      appId="UsersGroupsSettings"
+      category="plone-users"
+      condition_expr=""
+      icon_expr="string:toggles"
+      url_expr="string:${portal_url}/@@usergroup-controlpanel"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+  <configlet
+      title="Anysurfer"
+      action_id="anysurfer"
+      appId="collective.anysurfer"
+      category="Products"
+      condition_expr=""
+      url_expr="string:${portal_url}/@@anysurfer-settings"
+      icon_expr="string:$portal_url/++resource++collective.anysurfer/anysurfer.png"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+</object>

src/imio/smartweb/policy/profiles/default/metadata.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <metadata>
-  <version>1020</version>
+  <version>1021</version>
   <dependencies>
     <dependency>profile-plone.app.contenttypes:plone-content</dependency>
     <dependency>profile-plone.app.caching:default</dependency>

src/imio/smartweb/policy/profiles/default/rolemap.xml

@@ -1,7 +1,69 @@
 <?xml version="1.0"?>
 <rolemap>
   <permissions>
+
     <permission name="Portlets: Manage portlets" acquire="False">
     </permission>
+
+    <permission name="Plone Site Setup: Site" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Mail" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Language" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Navigation" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Search" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Security" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Themes" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Types" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Inspect Relations" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: TinyMCE" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Markup" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Content rules: Manage rules" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Editing" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Filtering" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Smartweb: Manager-only configlets" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
   </permissions>
 </rolemap>

src/imio/smartweb/policy/upgrades/configure.zcml

@@ -75,6 +75,14 @@
       provides="Products.GenericSetup.interfaces.EXTENSION"
       />
 
+  <genericsetup:registerProfile
+      name="upgrade_1020_to_1021"
+      title="Upgrade policy 1020 to 1021"
+      directory="profiles/1020_to_1021"
+      description="Set some restrictions in control panel"
+      provides="Products.GenericSetup.interfaces.EXTENSION"
+      />
+
   <genericsetup:upgradeStep
       title="Configure first official release"
       description="Install pas.plugins.imio and run needed profiles steps"
@@ -294,4 +302,14 @@
         />
   </genericsetup:upgradeSteps>
 
+  <genericsetup:upgradeSteps
+      source="1020"
+      destination="1021"
+      profile="imio.smartweb.policy:default">
+    <genericsetup:upgradeDepends
+        title="Set some restrictions in control panel"
+        import_profile="imio.smartweb.policy.upgrades:upgrade_1020_to_1021"
+        />
+  </genericsetup:upgradeSteps>
+
 </configure>

src/imio/smartweb/policy/upgrades/profiles/1020_to_1021/controlpanel.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<object name="portal_controlpanel">
+  <configlet
+      title="Member Fields"
+      action_id="MemberFields"
+      appId="MemberFields"
+      category="plone-users"
+      condition_expr=""
+      icon_expr="string:card-list"
+      url_expr="string:${portal_url}/@@member-fields"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+  <configlet
+      title="User and Group Settings"
+      action_id="UsersGroupsSettings"
+      appId="UsersGroupsSettings"
+      category="plone-users"
+      condition_expr=""
+      icon_expr="string:toggles"
+      url_expr="string:${portal_url}/@@usergroup-controlpanel"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+  <configlet
+      title="Anysurfer"
+      action_id="anysurfer"
+      appId="collective.anysurfer"
+      category="Products"
+      condition_expr=""
+      url_expr="string:${portal_url}/@@anysurfer-settings"
+      icon_expr="string:$portal_url/++resource++collective.anysurfer/anysurfer.png"
+      visible="True">
+    <permission>Smartweb: Manager-only configlets</permission>
+  </configlet>
+
+</object>

src/imio/smartweb/policy/upgrades/profiles/1020_to_1021/rolemap.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0"?>
+<rolemap>
+
+  <permissions>
+
+    <permission name="Plone Site Setup: Site" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Mail" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Language" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Navigation" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Search" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Security" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Themes" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Types" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Inspect Relations" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: TinyMCE" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Markup" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Content rules: Manage rules" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Editing" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Plone Site Setup: Filtering" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+    <permission name="Smartweb: Manager-only configlets" acquire="False">
+      <role name="Manager"/>
+    </permission>
+
+  </permissions>
+
+</rolemap>