From 0410099516d06a901308ff47747f4cd165e56ce8 Mon Sep 17 00:00:00 2001
From: wesleybl
Date: Fri, 22 Sep 2023 12:39:49 -0300
Subject: [PATCH] Do not allow the Site Administrator to create groups with the Manager role
---
 src/plone/restapi/services/groups/add.py        | 12 +++++++++++-
 src/plone/restapi/tests/test_services_groups.py | 14 ++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/plone/restapi/services/groups/add.py b/src/plone/restapi/services/groups/add.py
index ae4561cc19..5ef669bc0b 100644
--- a/src/plone/restapi/services/groups/add.py
+++ b/src/plone/restapi/services/groups/add.py
@@ -1,6 +1,8 @@
+from AccessControl import getSecurityManager
 from plone.restapi.deserializer import json_body
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.services import Service
+from Products.CMFCore.permissions import ManagePortal
 from Products.CMFCore.utils import getToolByName
 from zExceptions import BadRequest
 from zope.component import queryMultiAdapter
@@ -13,6 +15,10 @@ class GroupsPost(Service):
     """Creates a new group."""
+    @property
+    def is_zope_manager(self):
+        return getSecurityManager().checkPermission(ManagePortal, self.context)
+
     def reply(self):
         portal = getSite()
         data = json_body(self.request)
@@ -22,10 +28,14 @@ def reply(self):
         if not groupname:
             raise BadRequest("Property 'groupname' is required")
+        roles = data.get("roles", None)
+
+        if not self.is_zope_manager and "Manager" in roles:
+            return self.reply_no_content(status=403)
+
         email = data.get("email", None)
         title = data.get("title", None)
         description = data.get("description", None)
-        roles = data.get("roles", None)
         groups = data.get("groups", None)
         users = data.get("users", [])
diff --git a/src/plone/restapi/tests/test_services_groups.py b/src/plone/restapi/tests/test_services_groups.py
index 0ab6809e2b..d83c5f5fe5 100644
--- a/src/plone/restapi/tests/test_services_groups.py
+++ b/src/plone/restapi/tests/test_services_groups.py
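Review bot: `is_zope_manager` has no docstring, and its name promises a role check while the body tests the `ManagePortal` permission on `self.context`, so any principal granted that permission locally passes it, not only holders of the Manager role. A one-line docstring would make that contract explicit for the next reader, e.g. `"""True when the current user holds Manage portal on the context (used as a proxy for the Manager role)."""`. If the intent is strictly the Manager role, the docstring should say so, or the property should be renamed to reflect the permission it actually checks.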
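Review bot: The new guard `if not self.is_zope_manager and "Manager" in roles:` raises TypeError when the request body has no `roles` key, because `roles = data.get("roles", None)` leaves it None and membership in None is undefined, which Zope would presumably surface as a server error for an ordinary non-Manager group creation. Guard the membership test instead, e.g. `if not self.is_zope_manager and "Manager" in (roles or []):`, so the later call still receives the original None. Since `roles` comes straight from the untrusted JSON body, a numeric value would still raise at this line; rejecting it up front with `raise BadRequest("Property 'roles' must be a list")` keeps the failure a 400 rather than a traceback. The `reply_no_content(status=403)` response also carries no body, so the caller cannot tell which property was refused. The enclosing `reply` starts in the previous hunk and continues past this one.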
@@ -209,3 +209,17 @@ def test_siteadm_not_set_manager_to_group(self):
         ploneteam = self.gtool.getGroupById("ploneteam")
         self.assertNotIn("Manager", ploneteam.getRoles())
+
+    def test_siteadm_not_add_group_with_manager_role(self):
+        self.set_siteadm()
+        self.api_session.post(
+            "/@groups",
+            json={
+                "groupname": "fwt",
+                "roles": ["Manager"],
+            },
+        )
+        transaction.commit()
+
+        fwt = self.gtool.getGroupById("fwt")
+        self.assertIsNone(fwt)
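Review bot: `test_siteadm_not_add_group_with_manager_role` never inspects the response, so any failure of the endpoint that leaves no group behind would pass just as well as the intended 403; capture it with `response = self.api_session.post(` and add `self.assertEqual(response.status_code, 403)` after the call. There is also no test that a Site Administrator can still create a group when the body omits `roles`, which is exactly the path the new guard in add.py changes. Adding that case, posting only a `groupname` and asserting the group exists afterwards, would pin the behaviour the refactor is most likely to regress.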