Does not allow a Site Administrator delete Manager

plone · Sep 21, 2023 · b453aa4 · b453aa4
1 parent e05e1ec
commit b453aa4
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/src/plone/restapi/services/users/add.py b/src/plone/restapi/services/users/add.py
@@ -14,7 +14,6 @@
 from zope.component import getAdapter
 from zope.component import getMultiAdapter
 from zope.component import queryMultiAdapter
-from zope.component.hooks import getSite
 from zope.i18n import translate
 from zope.interface import alsoProvides
 from zope.interface import implementer

diff --git a/src/plone/restapi/services/users/delete.py b/src/plone/restapi/services/users/delete.py
@@ -1,4 +1,6 @@
+from AccessControl import getSecurityManager
 from plone.restapi.services import Service
+from Products.CMFCore.permissions import ManagePortal
 from Products.CMFCore.utils import getToolByName
 from zope.component.hooks import getSite
 from zope.interface import implementer
@@ -15,6 +17,11 @@ class UsersDelete(Service):
     def __init__(self, context, request):
         super().__init__(context, request)
         self.params = []
+        self.portal_membership = getToolByName(context, "portal_membership")
+
+    @property
+    def is_zope_manager(self):
+        return getSecurityManager().checkPermission(ManagePortal, self.context)
 
     def publishTraverse(self, request, name):
         # Consume any path segments after /@users as parameters
@@ -27,9 +34,15 @@ def _get_user_id(self):
             raise Exception("Must supply exactly one parameter (user id)")
         return self.params[0]
 
+    def _get_user(self, user_id):
+        return self.portal_membership.getMemberById(user_id)
+
     def reply(self):
-        portal = getSite()
-        portal_membership = getToolByName(portal, "portal_membership")
+        if not self.is_zope_manager:
+            user = self._get_user(self._get_user_id)
+            current_roles = user.getRoles()
+            if "Manager" in current_roles:
+                return self.reply_no_content(status=403)
 
         delete_memberareas = (
             self.request.get("delete_memberareas", True) not in FALSE_VALUES
@@ -39,7 +52,7 @@ def reply(self):
             self.request.get("delete_localroles", True) not in FALSE_VALUES
         )
 
-        delete_successful = portal_membership.deleteMembers(
+        delete_successful = self.portal_membership.deleteMembers(
             (self._get_user_id,),
             delete_memberareas=delete_memberareas,
             delete_localroles=delete_localroles,

diff --git a/src/plone/restapi/tests/test_services_users.py b/src/plone/restapi/tests/test_services_users.py
@@ -1354,3 +1354,12 @@ def test_manager_update_manager(self):
 
         noam = api.user.get(userid="noam")
         self.assertIn("Manager", noam.getRoles())
+
+    def test_siteadm_not_delete_manager(self):
+        self.set_siteadm()
+        api.user.grant_roles(username="noam", roles=["Manager"])
+        transaction.commit()
+        self.api_session.delete("/@users/noam")
+        transaction.commit()
+
+        self.assertIsNotNone(api.user.get(userid="noam"))