plone / plone.app.content

Various views for Plone, such as folder_contents, as well as general content infrastructure, such as base classes and name choosers.
https://pypi.org/project/plone.app.content/

Require 'List folder contents' permission to use the catalog vocabulary. #261

Open mauritsvanrees opened 1 year ago

mauritsvanrees commented 1 year ago

This is more correct than the View permission.

mister-roboto commented 1 year ago

@mauritsvanrees thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

mauritsvanrees commented 1 year ago

Let's see if Jenkins thinks this is a good idea too.

@jenkins-plone-org please run jobs

jensens commented 1 year ago

Sounds better suited, but it may break something in heavily customized sites. The usual restrictions of the restrictedSearch do apply anyway, so even with View no harm is done IMO.

ale-rt commented 1 year ago

I agree that List folder contents looks like a better fit, but:

  1. I am not really sure if we want to change this in a minor release
  2. I am not sure if we want to change it at all

I am +0 on merging this one now. I would feel more confident to merge this for Plone 6.1 only, but I might be too conservative and overcautious.

tisto commented 1 month ago

@mauritsvanrees what is the status of this? This PR is somehow assigned to the Plone 6.1 project. Is this correct? Do we aim to include this in Plone 6.1?

mauritsvanrees commented 1 month ago

Theoretically this is better, and it gives some security hardening, but at the cost of potentially breaking stuff. I am not pursuing this currently. I have reverted the PR to draft.