plone / Products.CMFPlone

The core of the Plone content management system
https://plone.org
GNU General Public License v2.0

portal_actions / object / history wrong permission raises Forbidden in Volto Frontend #4059

Open avoinea opened 2 weeks ago

avoinea commented 2 weeks ago

It should be CMFEditions: Access previous versions

https://github.com/plone/Products.CMFPlone/blob/26c659aaad12ce59376d3d79ca12b2d1128fa38a/Products/CMFPlone/profiles/default/actions.xml#L157-L175

This is used by the Volto frontend, and while the history menu is visible, when it is clicked by a user that doesn't have Modify portal content on the object, a Forbidden is raised.

See:

https://github.com/plone/plone.restapi/blob/4f3bb4f1c656295f609a9aaea4540325d1b55b8e/src/plone/restapi/services/history/configure.zcml#L9-L15

And also:

https://github.com/plone/plone.app.layout/blob/1c7334194ec5eb9e57f5306bfd5e227b0b78a294/plone/app/layout/viewlets/content.py#L444-L445

And Volto:

https://github.com/plone/volto/blob/157df05e5da7cc4349f2fefaa6e3566da56a8213/packages/volto/src/components/manage/History/History.jsx#L152-L160
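To make the reported misconfiguration concrete, here is an illustrative GenericSetup actions.xml excerpt for the object/history action, written for this issue and not copied from the Products.CMFPlone repository. The title and url_expr values are assumptions; the only part that matters for this report is the permissions element, where the weak setting is shown in a comment beside the corrected one:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative excerpt of a profiles/default/actions.xml (added example,
     not the project's own file). Title/url_expr are assumed values. -->
<object name="portal_actions" meta_type="Plone Actions Tool"
        xmlns:i18n="http://xml.zope.org/namespaces/i18n">
 <object name="object" meta_type="CMF Action Category">
  <object name="history" meta_type="CMF Action" i18n:domain="plone">
   <property name="title" i18n:translate="">History</property>
   <property name="url_expr">string:${object_url}/@@historyview</property>
   <property name="permissions">
    <!-- Before: <element value="Modify portal content"/>
         With that guard, a user who can view the object but not edit it
         fails the action's permission check and gets Forbidden. -->
    <element value="CMFEditions: Access previous versions"/>
   </property>
   <property name="visible">True</property>
  </object>
 </object>
</object>
```

The corrected permission matches the one the history REST service and the history viewlet already check, so the menu entry is only offered to users who can actually open the history.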

davisagli commented 2 weeks ago

I agree. Also probably worth fixing in an upgrade step.