plone / plone.restapi

RESTful API for Plone.
http://plonerestapi.readthedocs.org/

Site Administrator cannot add user to group #1750

Closed wesleybl closed 4 months ago

wesleybl commented 4 months ago

In #1712, the ability for the Site Administrator to manage users was added. But I noticed that he is unable to add a user to a group. He receives an Unauthorized error.

The groups service uses the addMember method:

https://github.com/plone/plone.restapi/blob/16325f20b927f28ff03762687862dcaea9944da5/src/plone/restapi/services/groups/update.py#L125

This method checks if the user has the Manage Users permission:

https://github.com/plone/Products.PlonePAS/blob/d148e7eb50e52cddf954406c06026fb5e60f3da7/src/Products/PlonePAS/tools/groupdata.py#L223

But he doesn't.

@davisagli informed me that it is not a good idea to give Manage Users to the Site Administrator. See:

https://github.com/plone/plone.restapi/pull/1712#discussion_r1377057545

So the ideal is to do the same thing that was done in the other PR and do it with Plone Classic, correct?

Plone Classic uses addPrincipalToGroup:

https://github.com/plone/Products.CMFPlone/blob/f3096371d80c3ca8a5829c12976bd0ab2d2c08a4/Products/CMFPlone/controlpanel/browser/usergroups_groupmembership.py#L44

So we should use it here too.