
Error fetching data from a control panel that the user does not have permission in form

Open wesleybl opened this issue 2 months ago • 5 comments

Describe the bug

I want a user with the Site Administrator role to manage users, but not have access to the security control panel (http://localhost:3000/controlpanel/security). This control panel requires Plone Site Setup: Security permission. So I granted this permission only to Manager. But in Volto, the user management screen needs access to data from this control panel. So when accessing the user management screen with a Site Administrator user, the url http://localhost:3000/@controlpanels/security returns the error:

{ 
"message": "'SecurityControlpanel' object has no attribute 'title'", 
"type": "AttributeError"
}

In the Plone log we have the error:

2025-10-01 15:30:30 ERROR [Zope.SiteErrorLog:35][waitress-0] AttributeError: http://localhost:3000/@controlpanels/security
Traceback (innermost last): 
Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents 
Module ZPublisher.WSGIPublisher, line 390, in publish_module 
Module ZPublisher.WSGIPublisher, line 284, in publish 
Module ZPublisher.mapply, line 98, in mapply 
Module ZPublisher.WSGIPublisher, line 68, in call_object 
Module plone.rest.service, line 21, in __call__ 
Module plone.restapi.services, line 19, in render 
Module plone.restapi.services.controlpanels.get, line 50, in reply 
Module plone.restapi.services.controlpanels.get, line 73, in reply_panel 
Module plone.restapi.serializer.controlpanels, line 87, in __call__
AttributeError: 'SecurityControlpanel' object has no attribute 'title'

To Reproduce

Steps to reproduce the behavior:

  1. In the Plone Site permissions management screen (http://localhost:8080/Plone/manage_access) set the Plone Site Setup: Security permission only for Manager.
  2. Access the user management screen (http://localhost:3000/controlpanel/users) with a Site Administrator user.

Expected behavior

The url http://localhost:3000/@controlpanels/security should not return an error.

Software (please complete the following information):

  • OS: [e.g. iOS]
  • Browser chrome
  • Plone Version 6.1.2
  • Volto Version 18.27.2
  • Plone REST API Version 9.15.1

Additional context

This error does not occur in Plone Classic.

The error occurs here:

https://github.com/plone/plone.restapi/blob/22574d574fe5e44f9f76059f861a26a62af855b7/src/plone/restapi/serializer/controlpanels/__init__.py#L87

self.controlpanel becomes None, because of the lack of permission. Maybe in this situation, we should set title and group to an empty string?

wesleybl avatar Oct 01 '25 15:10 wesleybl
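
The failure mode reported above, reduced to a stand-alone Python model (an added example, not plone.restapi code and not from the issue author). It assumes, following the error message, that the panel object is built without `title` when the user lacks the permission; the serializer then either crashes, fills in empty strings as the report proposes, or fails closed with a 403. All class and function names and the sample data are hypothetical.

```python
# Simplified model of the reported failure; NOT plone.restapi code.
# Every name below is hypothetical and the configlet data is constructed.

SECURITY_PERMISSION = "Plone Site Setup: Security"  # permission named in the issue

CONFIGLETS = {  # constructed sample data
    "security": {"title": "Security", "category": "Security",
                 "permission": SECURITY_PERMISSION},
}


class Forbidden(Exception):
    """Stands in for an HTTP 403 response in this model."""
    status = 403


class Panel:
    """title/group are only set when the configlet is visible to the user
    (assumption taken from the error message in the report)."""

    def __init__(self, name, configlet):
        self.name = name
        if configlet is not None:
            self.title = configlet["title"]
            self.group = configlet["category"]


def get_panel(name, user_permissions):
    """Build the panel; the configlet is hidden without its permission."""
    configlet = CONFIGLETS[name]
    if configlet["permission"] not in user_permissions:
        configlet = None
    return Panel(name, configlet)


def serialize_unguarded(panel):
    # Reproduces the crash: attributes are read without any check.
    return {"@id": f"/@controlpanels/{panel.name}",
            "title": panel.title, "group": panel.group}


def serialize_lenient(panel):
    # Option proposed in the report: empty strings, no panel data added.
    return {"@id": f"/@controlpanels/{panel.name}",
            "title": getattr(panel, "title", ""),
            "group": getattr(panel, "group", "")}


def serialize_guarded(panel):
    # Fail closed: a hidden panel is an authorization error, not a 500.
    if not hasattr(panel, "title"):
        raise Forbidden(f"no access to control panel {panel.name!r}")
    return serialize_unguarded(panel)
```

Whichever option is chosen, a response for a caller without the permission should carry none of the panel's settings data.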