collective / Products.PloneGazette


Unauthorized: Subscriber can not unsubscribe within a NewsletterBTree Folder #3

Open ramonski opened 8 years ago

ramonski commented 8 years ago

Problem

A newsletter subscriber is not allowed to unsubscribe within a NewsletterBTree folder.

Steps to reproduce

  1. Create a new Plone 4.3.7 site with PloneGazette 3.2.5 installed
  2. Add a newsletter within the portal
  3. Add a Newsletter Large Folder and name it subscribers
  4. Configure the Newsletter to use this subscribers folder to store newsletter subscribers
  5. Add a subscriber
  6. Open another browser as anonymous and browse to the Subscriber_editForm, e.g. http://localhost:8080/Plone/nl/subscribers/00002LIEsh/Subscriber_editForm
  7. Click the Unsubscribe Button

Traceback

    2016-01-26 13:51:21 ERROR Zope.SiteErrorLog 1453812681.050.275721078494 http://localhost:8080/Plone/nl/unSubscribe
    Traceback (innermost last):
      Module ZPublisher.Publish, line 138, in publish
      Module ZPublisher.mapply, line 77, in mapply
      Module ZPublisher.Publish, line 48, in call_object
      Module Products.PloneGazette.NewsletterTheme, line 458, in unSubscribe
      Module Products.Archetypes.BaseFolder, line 119, in manage_delObjects
    Unauthorized: Do not have permissions to remove this object

Analysis

The unsubscribe method of the module NewsletterTheme.py is called:

    security.declarePublic('unSubscribe')
    def unSubscribe(self, subscriber_id, REQUEST=None):
        """The subscriber clicked the Unsubscribe button
        """
        subscriber = self.getSubscriberById(subscriber_id)
        if subscriber is not None:
            parent = subscriber.aq_parent
            # Dispatches to whichever manage_delObjects the parent folder provides
            # (OFS ObjectManager for NewsletterTheme, Archetypes BaseFolder for NewsletterBTree)
            parent.manage_delObjects([subscriber_id, ])

        newSecurityManager(REQUEST, ownerOfObject(self))
        if REQUEST is not None:
            REQUEST.RESPONSE.redirect(self.absolute_url() + '/NewsletterTheme_unsubscribed')
        return

Depending on whether the subscriber object is within the NewsletterTheme folder or within a NewsletterBTree, different manage_delObjects methods are called.

Within NewsletterTheme:

Zope2-2.13.23-py2.7.egg/OFS/ObjectManager.py(513)manage_delObjects()

Within NewsletterBTree:

Products.Archetypes-1.9.10-py2.7.egg/Products/Archetypes/BaseFolder.py(109)manage_delObjects()

The last call checks security, which causes the Unauthorized error.

ramonski commented 8 years ago

Possible solution

Bypassing the security check:

    security.declarePublic('unSubscribe')
    def unSubscribe(self, subscriber_id, REQUEST=None):
        """The subscriber clicked the Unsubscribe button
        """
        subscriber = self.getSubscriberById(subscriber_id)
        if subscriber is not None:
            parent = subscriber.aq_parent
            # Bypassing security check
            #parent.manage_delObjects([subscriber_id, ])
            from Products.CMFCore.PortalFolder import PortalFolderBase as PortalFolder
            PortalFolder.manage_delObjects(parent, [subscriber_id, ])

        newSecurityManager(REQUEST, ownerOfObject(self))
        if REQUEST is not None:
            REQUEST.RESPONSE.redirect(self.absolute_url() + '/NewsletterTheme_unsubscribed')
        return
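The dispatch difference from the analysis above, as an added Python model that is not PloneGazette code: ThemeFolder and BTreeFolder are constructed stand-ins for the OFS and Archetypes manage_delObjects paths, and unsubscribe grants the "Delete objects" permission for the one deletion and restores the caller's permissions afterwards (the save-and-restore that getSecurityManager/setSecurityManager from AccessControl.SecurityManagement provide in real Zope code), instead of skipping the check by calling a base-class method. All class names and the permission model are assumptions.

```python
from contextlib import contextmanager

class Unauthorized(Exception):
    pass

# Constructed stand-in for the Zope security manager: the permissions the
# current caller holds (an empty set models the anonymous visitor).
CURRENT_CALLER = {"perms": set()}

def check_permission(permission):
    return permission in CURRENT_CALLER["perms"]

@contextmanager
def elevated(perms):
    """Grant extra permissions for one block, then restore the caller's own set
    even if the block raises (save-and-restore, not a one-way switch)."""
    saved = CURRENT_CALLER["perms"]
    CURRENT_CALLER["perms"] = saved | set(perms)
    try:
        yield
    finally:
        CURRENT_CALLER["perms"] = saved

class ThemeFolder:
    """Models OFS ObjectManager.manage_delObjects: no per-item permission check."""
    def __init__(self, **objs):
        self.objs = dict(objs)

    def manage_delObjects(self, ids):
        for oid in ids:
            del self.objs[oid]

class BTreeFolder(ThemeFolder):
    """Models Archetypes BaseFolder.manage_delObjects: every item is checked."""
    def manage_delObjects(self, ids):
        for oid in ids:
            if not check_permission("Delete objects"):
                raise Unauthorized("Do not have permissions to remove this object")
        ThemeFolder.manage_delObjects(self, ids)

def unsubscribe(folder, subscriber_id):
    """Remove one subscriber with the permission granted for that call only."""
    if subscriber_id not in folder.objs:
        return False
    with elevated({"Delete objects"}):
        folder.manage_delObjects([subscriber_id])
    return True
```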