Merge pull request #305 from plone/issue-304-move-returns-401-cannot-…

…delete-content Handle special case when user @Move content that cannot delete.
plone · Apr 3, 2017 · 30044ae · 30044ae
2 parents f362df0 + 4cafea3
commit 30044ae
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,7 +4,11 @@ Changelog
 1.0a12 (unreleased)
 -------------------
 
-- Nothing changed yet.
+Bugfixes:
+
+- Handle special case when user @move content that cannot delete returning
+  proper 403
+  [sneridagh]
 
 
 1.0a11 (2017-03-24)

diff --git a/src/plone/restapi/services/copymove/copymove.py b/src/plone/restapi/services/copymove/copymove.py
@@ -67,6 +67,10 @@ def reply(self):
         parents_ids = {}
         for item in source:
             obj = self.get_object(item)
+            if self.is_moving:
+                if not checkPermission('zope2.DeleteObjects', obj):
+                    self.request.response.setStatus(403)
+                    return
             if obj is not None:
                 parent = aq_parent(obj)
                 if parent in parents_ids:
@@ -95,6 +99,7 @@ def clipboard(self, parent, ids):
 class Copy(BaseCopyMove):
     """Copies existing content objects.
     """
+    is_moving = False
 
     def clipboard(self, parent, ids):
         return parent.manage_copyObjects(ids=ids)
@@ -103,6 +108,7 @@ def clipboard(self, parent, ids):
 class Move(BaseCopyMove):
     """Moves existing content objects.
     """
+    is_moving = True
 
     def clipboard(self, parent, ids):
         return parent.manage_cutObjects(ids=ids)
diff --git a/src/plone/restapi/tests/test_copymove.py b/src/plone/restapi/tests/test_copymove.py
@@ -175,3 +175,40 @@ def test_copy_single_object_no_auth_raises_401(self):
         )
 
         self.assertEquals(response.status_code, 401)
+
+    def test_move_single_object_no_permissions_raises_403(self):
+        self.api_session.auth = ('memberuser', 'secret')
+        response = self.api_session.post(
+            '/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 403)
+
+    def test_move_single_object_no_auth_raises_401(self):
+        self.api_session.auth = ('nonexistent', 'secret')
+        response = self.api_session.post(
+            '/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 401)
+
+    def test_move_single_object_no_permission_delete_source_raises_403(self):
+        api.user.grant_roles(
+            username='memberuser', obj=self.folder1, roles=['Manager', ])
+        transaction.commit()
+
+        self.api_session.auth = ('memberuser', 'secret')
+        response = self.api_session.post(
+            '/folder1/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 403)