Do not allow the Site Administrator to set the Manager role for a group

plone · Sep 22, 2023 · 0e4223c · 0e4223c
1 parent 1abef4e
commit 0e4223c
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/src/plone/restapi/services/groups/update.py b/src/plone/restapi/services/groups/update.py
@@ -63,10 +63,13 @@ def reply(self):
         if not group:
             raise BadRequest("Trying to update a non-existing group.")
 
-        if not self.is_zope_manager and "Manager" in group.getRoles():
+        roles = data.get("roles", None)
+
+        if not self.is_zope_manager and (
+            "Manager" in group.getRoles() or "Manager" in roles
+        ):
             return self.reply_no_content(status=403)
 
-        roles = data.get("roles", None)
         groups = data.get("groups", None)
         users = data.get("users", {})
 

diff --git a/src/plone/restapi/tests/test_services_groups.py b/src/plone/restapi/tests/test_services_groups.py
@@ -198,3 +198,14 @@ def test_siteadm_not_add_user_to_group_with_manager_role(self):
 
         administrators = self.gtool.getGroupById("Administrators")
         self.assertNotIn(TEST_USER_ID, administrators.getGroupMemberIds())
+
+    def test_siteadm_not_set_manager_to_group(self):
+        self.set_siteadm()
+        payload = {
+            "roles": ["Manager"],
+        }
+        self.api_session.patch("/@groups/ploneteam", json=payload)
+        transaction.commit()
+
+        ploneteam = self.gtool.getGroupById("ploneteam")
+        self.assertNotIn("Manager", ploneteam.getRoles())