Merge remote-tracking branch 'origin/master' into dx-siteroot

plone · Apr 23, 2021 · 7aea789 · 7aea789
2 parents 699e6f9 + ebcc3d8
commit 7aea789
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 10 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -8,6 +8,39 @@ Changelog
 
 .. towncrier release notes start
 
+2.0.38 (2021-03-02)
+-------------------
+
+Bug fixes:
+
+
+- Make portal_setup objects accessible only to Manager/Owner.
+  See `GenericSetup issue 101 <https://github.com/zopefoundation/Products.GenericSetup/issues/101>`_.
+  [maurits] (#101)
+
+
+2.0.37 (2021-02-19)
+-------------------
+
+Breaking changes:
+
+
+- Remove temp_folder from Zope root if broken.
+  See `issue 2957 <https://github.com/plone/Products.CMFPlone/issues/2957>`_.
+  [maurits] (#2957)
+
+
+Bug fixes:
+
+
+- Plone 6.0: remove portal_form_controller tool.
+  [maurits] (#3057)
+- Improved upgrade step for site_logo from ASCII to Bytes.
+  The previous upgrade was incomplete and could remove the logo when called twice.
+  See `comment on issue 3172 <https://github.com/plone/Products.CMFPlone/issues/3172#issuecomment-733085519>`_.
+  [maurits] (#3172)
+
+
 2.0.36 (2020-10-30)
 -------------------
 

diff --git a/news/2957.breaking b/news/2957.breaking
diff --git a/news/3057.bugfix b/news/3057.bugfix
diff --git a/news/3172.bugfix b/news/3172.bugfix
diff --git a/plone/app/upgrade/v52/configure.zcml b/plone/app/upgrade/v52/configure.zcml
@@ -181,4 +181,16 @@
 
     </gs:upgradeSteps>
 
+    <gs:upgradeSteps
+        source="5211"
+        destination="5212"
+        profile="Products.CMFPlone:plone">
+
+        <gs:upgradeStep
+            title="Make portal_setup logs accessible only to Manager/Owner."
+            handler=".final.secure_portal_setup_objects"
+            />
+
+    </gs:upgradeSteps>
+
 </configure>
diff --git a/plone/app/upgrade/v52/final.py b/plone/app/upgrade/v52/final.py
@@ -1,10 +1,12 @@
 # -*- coding: utf-8 -*-
+from AccessControl.Permissions import view
 from plone.app.upgrade.utils import loadMigrationProfile
 from plone.registry import field
 from plone.registry.interfaces import IRegistry
 from Products.CMFCore.utils import getToolByName
 from Products.CMFPlone.interfaces import IMarkupSchema
 from Products.CMFPlone.interfaces import ISiteSchema
+from Products.CMFPlone.utils import base_hasattr
 from Products.CMFPlone.utils import safe_unicode
 from zope.component import getUtility
 
@@ -238,3 +240,30 @@ def migrate_site_logo_from_ascii_to_bytes(context):
     you get a WrongType error when saving the site-controlpanel.
     """
     migrate_record_from_ascii_to_bytes("plone.site_logo", ISiteSchema, prefix="plone")
+
+
+def _recursive_strict_permission(obj):
+    obj.manage_permission(view, ('Manager', 'Owner'), 0)
+    if base_hasattr(obj, 'objectValues'):
+        for child in obj.objectValues():
+            _recursive_strict_permission(child)
+
+
+def secure_portal_setup_objects(context):
+    """Make portal_setup objects accessible only to Manager/Owner.
+
+    This matches the GenericSetup code for new logs and snapshots.
+    See https://github.com/zopefoundation/Products.GenericSetup/pull/102
+    """
+    # context conveniently is the portal_setup too.
+    # Set permission on the sub objects of the setup tool, which are the logs.
+    for child in context.objectValues():
+        # Recursive is not strictly needed, but it does not hurt.
+        _recursive_strict_permission(child)
+    logger.info("Made portal_setup logs only available for Manager and Owner.")
+
+    # And now the snapshot folder and sub items, if they exist.
+    if not base_hasattr(context, "snapshots"):
+        return
+    _recursive_strict_permission(context.snapshots)
+    logger.info("Made portal_setup snapshots only available for Manager and Owner.")
diff --git a/plone/app/upgrade/v60/profiles/to_alpha1/controlpanel.xml b/plone/app/upgrade/v60/profiles/to_alpha1/controlpanel.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0"?>
+<object name="portal_controlpanel" meta_type="Plone Control Panel Tool"
+  i18n:domain="plone" xmlns:i18n="http://xml.zope.org/namespaces/i18n">
+
+  <!-- remove -->
+  <configlet remove="true"
+    action_id="UsersGroups2" appId="UsersGroups" category="plone-users">
+    <permission>Plone Site Setup: Users and Groups</permission>
+  </configlet>
+
+  <!-- add -->
+  <configlet title="Users" action_id="UsersGroups"
+    appId="UsersGroups" category="plone-users" condition_expr=""
+    icon_expr="string:person"
+    url_expr="string:${portal_url}/@@usergroup-userprefs" visible="True"
+    i18n:attributes="title">
+    <permission>Plone Site Setup: Users and Groups</permission>
+  </configlet>
+  <configlet title="Groups" action_id="UsersGroups2"
+    appId="UsersGroups2" category="plone-users" condition_expr=""
+    icon_expr="string:people"
+    url_expr="string:${portal_url}/@@usergroup-groupprefs" visible="True"
+    i18n:attributes="title">
+    <permission>Plone Site Setup: Users and Groups</permission>
+  </configlet>
+  <configlet title="User and Group Settings" action_id="UsersGroupsSettings"
+    appId="UsersGroupsSettings" category="plone-users" condition_expr=""
+    icon_expr="string:toggles"
+    url_expr="string:${portal_url}/@@usergroup-controlpanel" visible="True"
+    i18n:attributes="title">
+    <permission>Plone Site Setup: Users and Groups</permission>
+  </configlet>
+  <configlet title="Member Fields" action_id="MemberFields"
+    appId="MemberFields" category="plone-users" condition_expr=""
+    icon_expr="string:card-list"
+    url_expr="string:${portal_url}/@@member-fields" visible="True"
+    i18n:attributes="title">
+    <permission>Plone Site Setup: Users and Groups</permission>
+   </configlet>
+
+</object>
diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 from setuptools import setup
 
 
-version = '2.0.37.dev0'
+version = '2.0.39.dev0'
 
 setup(
     name='plone.app.upgrade',