Merge branch 'master' into object_field_serializer

plone · Apr 8, 2017 · 3906915 · 3906915
2 parents 1f8e638 + 7f1f8b5
commit 3906915
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,12 +1,22 @@
 Changelog
 =========
 
-1.0a12 (unreleased)
+1.0a13 (unreleased)
 -------------------
 
 - Nothing changed yet.
 
 
+1.0a12 (2017-04-03)
+-------------------
+
+Bugfixes:
+
+- Handle special case when user @move content that cannot delete returning
+  proper 403
+  [sneridagh]
+
+
 1.0a11 (2017-03-24)
 -------------------
 

diff --git a/setup.py b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
 
-version = '1.0a12.dev0'
+version = '1.0a13.dev0'
 
 long_description = (
     open('README.rst').read() + '\n' +

diff --git a/src/plone/restapi/services/copymove/copymove.py b/src/plone/restapi/services/copymove/copymove.py
@@ -67,6 +67,10 @@ def reply(self):
         parents_ids = {}
         for item in source:
             obj = self.get_object(item)
+            if self.is_moving:
+                if not checkPermission('zope2.DeleteObjects', obj):
+                    self.request.response.setStatus(403)
+                    return
             if obj is not None:
                 parent = aq_parent(obj)
                 if parent in parents_ids:
@@ -95,6 +99,7 @@ def clipboard(self, parent, ids):
 class Copy(BaseCopyMove):
     """Copies existing content objects.
     """
+    is_moving = False
 
     def clipboard(self, parent, ids):
         return parent.manage_copyObjects(ids=ids)
@@ -103,6 +108,7 @@ def clipboard(self, parent, ids):
 class Move(BaseCopyMove):
     """Moves existing content objects.
     """
+    is_moving = True
 
     def clipboard(self, parent, ids):
         return parent.manage_cutObjects(ids=ids)
diff --git a/src/plone/restapi/tests/test_copymove.py b/src/plone/restapi/tests/test_copymove.py
@@ -175,3 +175,40 @@ def test_copy_single_object_no_auth_raises_401(self):
         )
 
         self.assertEquals(response.status_code, 401)
+
+    def test_move_single_object_no_permissions_raises_403(self):
+        self.api_session.auth = ('memberuser', 'secret')
+        response = self.api_session.post(
+            '/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 403)
+
+    def test_move_single_object_no_auth_raises_401(self):
+        self.api_session.auth = ('nonexistent', 'secret')
+        response = self.api_session.post(
+            '/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 401)
+
+    def test_move_single_object_no_permission_delete_source_raises_403(self):
+        api.user.grant_roles(
+            username='memberuser', obj=self.folder1, roles=['Manager', ])
+        transaction.commit()
+
+        self.api_session.auth = ('memberuser', 'secret')
+        response = self.api_session.post(
+            '/folder1/@move',
+            json={
+                "source": self.doc1.absolute_url()
+            }
+        )
+
+        self.assertEquals(response.status_code, 403)