Merge pull request #326 from plone/issue-325-move-endpoint-403-on-parent
Fix the @Move endpoint fails to return 403 when the user doesn't have p…
tisto committed Apr 25, 2017
2 parents a94169f + 0a63a4d commit 81faa51
Showing 3 changed files with 13 additions and 4 deletions.
4 changes: 4 additions & 0 deletions CHANGES.rst
Expand Up @@ -27,6 +27,10 @@ Bugfixes:
- Don't fetch unnecessary PasswordResetTool in Plone 5.1
[tomgross]

- Fix the @move endpoint fails to return 403 when the user don't have proper
delete permissions over the parent folder
[sneridagh]


1.0a12 (2017-04-03)
-------------------
12 changes: 8 additions & 4 deletions src/plone/restapi/services/copymove/copymove.py
Expand Up @@ -67,11 +67,15 @@ def reply(self):
parents_ids = {}
for item in source:
obj = self.get_object(item)
if self.is_moving:
if not checkPermission('zope2.DeleteObjects', obj):
self.request.response.setStatus(403)
return
if obj is not None:
if self.is_moving:
# To be able to safely move the object, the user requires
# permissions on the parent
if not checkPermission('zope2.DeleteObjects', obj) and \
not checkPermission(
'zope2.DeleteObjects', aq_parent(obj)):
self.request.response.setStatus(403)
return
parent = aq_parent(obj)
if parent in parents_ids:
parents_ids[parent].append(obj.getId())
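Review bot: The new condition `if not checkPermission('zope2.DeleteObjects', obj) and not checkPermission('zope2.DeleteObjects', aq_parent(obj))` returns 403 only when Delete objects is missing on both the object and its parent, which does not match the comment directly above it stating that the user requires the permission on the parent. A user who holds the permission on the object but not on the parent passes this pre-check and continues to the actual move further down, where whatever check applies there (outside this hunk) decides the outcome, presumably with a status other than the 403 this commit set out to return. If the parent permission is meant to be mandatory the operator should be `or`, i.e. `if not checkPermission('zope2.DeleteObjects', obj) or \` followed by `not checkPermission('zope2.DeleteObjects', aq_parent(obj)):`; if either location is meant to suffice, the comment should say so instead. reply() starts and ends outside this hunk.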
1 change: 1 addition & 0 deletions src/plone/restapi/tests/test_copymove.py
Expand Up @@ -201,6 +201,7 @@ def test_move_single_object_no_auth_raises_401(self):
def test_move_single_object_no_permission_delete_source_raises_403(self):
api.user.grant_roles(
username='memberuser', obj=self.folder1, roles=['Manager', ])
api.content.transition(obj=self.doc1, transition='publish')
transaction.commit()

self.api_session.auth = ('memberuser', 'secret')
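Review bot: The added `api.content.transition(obj=self.doc1, transition='publish')` is undocumented: nothing in the test says why publishing doc1 matters for a 403 on the source of a move. Presumably the workflow state change alters which of the endpoint's two Delete objects checks (object vs. parent) fails for memberuser, so that the test exercises the parent-permission branch introduced in this commit; a comment such as `# publish doc1 so that its own Delete objects permission differs from its parent's` would record that intent, and the exact effect should be confirmed against the workflow in use. The test method continues outside this hunk.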
