From 68397cd423500c65f7cf5279ee0b94e85e479f67 Mon Sep 17 00:00:00 2001
From: ksuess
Date: Wed, 24 Nov 2021 10:31:06 +0100
Subject: [PATCH] Check DEFAULT_PERMISSION for all vocabularies (built-in and custom)

---
 .../restapi/services/vocabularies/get.py | 23 +++++++++----------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/plone/restapi/services/vocabularies/get.py b/src/plone/restapi/services/vocabularies/get.py
index 3987880681..8e09386b26 100644
--- a/src/plone/restapi/services/vocabularies/get.py
+++ b/src/plone/restapi/services/vocabularies/get.py
@@ -35,20 +35,19 @@ def _error(self, status, type, message):
 return {"error": {"type": type, "message": message}}
 def _has_permission_to_access_vocabulary(self, vocabulary_name):
- """Check if user is authorized to access built-in vocabulary
+ """Check if user is authorized to access the vocabulary.
- default permission for all vocabularies, built-in and others, was
-
+ The endpoint using this method is supposed to have no further protection (`zope.2Public` permission).
+ A vocabulary with no further protection follows the `plone.app.vocabularies.DEFAULT_PERMISSION` (usually `zope2.View`).
+ For further protection the dictionary `plone.app.vocabularies.PERMISSION` is used.
+ It is a mapping from vocabulary name to permission.
+ If a vocabulary is mapped there, the permission from the map is taken.
+ Thus vocabularies can be protected stronger or weaker than the default.
 """
- if vocabulary_name in PERMISSIONS:
- sm = getSecurityManager()
- return sm.checkPermission(
- PERMISSIONS.get(vocabulary_name, DEFAULT_PERMISSION), self.context
- )
- return True
+ sm = getSecurityManager()
+ return sm.checkPermission(
+ PERMISSIONS.get(vocabulary_name, DEFAULT_PERMISSION), self.context
+ )
 def reply(self):
 # return list of all vocabularies
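Review bot: The new docstring names identifiers that do not match the code it documents: it writes `zope.2Public` where the permission id is `zope2.Public`, and it refers to `plone.app.vocabularies.PERMISSION` while the lookup two lines below reads `PERMISSIONS`, so anyone auditing which vocabularies are exempt from the default check would search for the wrong name. Since this method is now the only thing standing between an unauthenticated caller of the public endpoint and a vocabulary listing, the documented override mechanism should be spelled exactly as the code has it: `PERMISSIONS` (not `PERMISSION`) and `zope2.Public` (not `zope.2Public`). The docstring lines also run well past the line length used elsewhere in the file and should be wrapped. The body of `reply` continues outside the hunk.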