Merge commit from fork

* prevent untrusted access to `AccessControl.userfolder.UserFolder.data`

* fix: capitalization

---------

Co-authored-by: Tres Seaver <tseaver@palladion.com>

Author: d-maurer

CHANGES.rst

@@ -6,6 +6,9 @@ For changes before version 3.0, see ``HISTORY.rst``.
 7.2 (unreleased)
 ----------------
 
+- Prevent untrusted access to ``AccessControl.userfolder.UserFolder.data``
+  (fixes `GHSA-g5vw-3h65-2q3v <https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v>`_).
+
 
 7.1 (2024-10-10)
 ----------------

src/AccessControl/userfolder.py

@@ -376,6 +376,7 @@ class UserFolder(BasicUserFolder):
     zmi_show_add_dialog = False
     id = 'acl_users'
     title = 'User Folder'
+    data__roles__ = ()  # prevent untrusted access to ``data``.
 
     def __init__(self):
         self.data = PersistentMapping()