Require 'List folder contents' permission to use the catalog vocabulary.

This is more correct than the View permission.
plone · Feb 20, 2023 · 3aa8f39 · 3aa8f39
1 parent 3ab4efd
commit 3aa8f39
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 3 deletions.
diff --git a/news/261.bugfix b/news/261.bugfix
@@ -0,0 +1,3 @@
+Require ``List folder contents`` permission to use the catalog vocabulary.
+Until now ``View`` was enough, but that is not strictly correct.
+[maurits]
diff --git a/plone/app/content/browser/vocabulary.py b/plone/app/content/browser/vocabulary.py
@@ -40,7 +40,7 @@
 DEFAULT_PERMISSION = "View"
 DEFAULT_PERMISSION_SECURE = "Modify portal content"
 PERMISSIONS = {
-    "plone.app.vocabularies.Catalog": "View",
+    "plone.app.vocabularies.Catalog": "List folder contents",
     "plone.app.vocabularies.Keywords": "Modify portal content",
     "plone.app.vocabularies.SyndicatableFeedItems": "Modify portal content",
     "plone.app.vocabularies.Users": "Modify portal content",

diff --git a/plone/app/content/tests/test_widgets.py b/plone/app/content/tests/test_widgets.py
@@ -147,6 +147,38 @@ def testVocabularyCatalogResults(self):
         data = json.loads(view())
         self.assertEqual(len(data["results"]), 1)
 
+    def testVocabularyCatalogDisallowed(self):
+        # You need 'List folder contents' permission.
+        self.portal.invokeFactory("Document", id="page", title="page")
+        self.portal.page.reindexObject()
+        # Downgrade permissions
+        setRoles(self.portal, TEST_USER_ID, [])
+        view = VocabularyView(self.portal, self.request)
+        query = {
+            "criteria": [
+                {
+                    "i": "path",
+                    "o": "plone.app.querystring.operation.string.path",
+                    "v": "/plone",
+                },
+                {
+                    "i": "portal_type",
+                    "o": "plone.app.querystring.operation.selection.any",
+                    "v": "Document",
+                },
+            ]
+        }
+        self.request.form.update(
+            {
+                "name": "plone.app.vocabularies.Catalog",
+                "query": json.dumps(query),
+                "attributes": ["UID", "id", "title", "path"],
+            }
+        )
+        data = json.loads(view())
+        self.assertEqual(data["error"], "Vocabulary lookup not allowed")
+        self.assertNotIn("results", data.keys())
+
     def testVocabularyCatalogUnsafeMetadataAllowed(self):
         """Users with permission "Modify portal content" are allowed to see
         ``_unsafe_metadata``.
@@ -184,8 +216,10 @@ def testVocabularyCatalogUnsafeMetadataDisallowed(self):
         """
         self.portal.invokeFactory("Document", id="page", title="page")
         self.portal.page.reindexObject()
-        # Downgrade permissions
-        setRoles(self.portal, TEST_USER_ID, [])
+        # Downgrade permissions.  Since Plone 6.0.2, without "List folder contents"
+        # users are no longer allowed to use the catalog vocabulary at all.
+        # So give the Contributor role.
+        setRoles(self.portal, TEST_USER_ID, ["Contributor"])
         view = VocabularyView(self.portal, self.request)
         query = {
             "criteria": [