Ticket #3739 (closed Feature Request: fixed)

Opened 10 years ago

Last modified 5 years ago

Add portal member permission disabled should result in nice error

Reported by: djay Owned by: esteele
Priority: trivial Milestone: 4.0
Component: General Version:
Keywords: CathedralSprint Cc:

Description (last modified by hannosch) (diff)

If add portal member is disabled for anonymous then the registration form will still be available (even if not linked). In situations where this link known to potential users via an email rather than off a link of the website, this can create confusion. The join_form should redirect to another error page asking them to contact their administrator or tell them registration is not possible.

Change History

comment:1 Changed 10 years ago by optilude

Very marginal use case, but probably easy to fix.

comment:2 Changed 9 years ago by hannosch

  • Component changed from Usability/Accessibility to Users/Groups
  • Description modified (diff)

comment:3 Changed 9 years ago by hannosch

  • Milestone changed from 2.1.x to 2.1.3

comment:4 Changed 8 years ago by limi

  • Milestone changed from 2.5.x to 3.0

comment:5 Changed 7 years ago by hannosch

  • Type changed from defect to Enhancement
  • Milestone changed from 3.x to Future

Probably easy to do, needs someone to do it, though.

comment:6 Changed 6 years ago by hannosch

  • Component changed from Users/Groups to Infrastructure

comment:7 Changed 6 years ago by catherine_w

Since I end up manually altering the join_form for my various sites to hide the content from anonymous viewers, I second this enhancement request.

What I typically end up doing is sticking a couple of extra tags in the form. Something like this around the existing form content (just inside the first div):

<tal:checkPermission 
     tal:condition="python:context.portal_membership.checkPermission('Add portal member', context)">
...
</tal:checkPermission>

Then something to render if the user doesn't have the requisite permission, e.g.:

<tal:incorrectPermission 
   tal:condition="python:not context.portal_membership.checkPermission('Add portal member', context)">
   Please 
   <a href="" 
      tal:attributes="href string:${portal_url}/contact-info">
         contact the site administrator
   </a>
   if you need login access.
</tal:incorrectPermission>

comment:8 Changed 5 years ago by esteele

  • Owner set to esteele
  • Milestone changed from Future to 4.0

Should be easily solved by changing the @@register permission to cmf.AddPortalMember. I've got failing plone.app.users tests to fix before I can confidently make this change though.

comment:9 Changed 5 years ago by dukebody

  • Keywords forcommit added

In plone.app.users::

Index: CHANGES.txt
===================================================================
--- CHANGES.txt	(revision 35102)
+++ CHANGES.txt	(working copy)
@@ -4,6 +4,12 @@
 1.0b6 - unreleased
 ------------------
 
+- Update permission for the @@register view so only users with the Add
+  Portal Member permission can use it to add new members.
+  Update tests accordingly.
+  Fixes http://dev.plone.org/plone/ticket/3739
+  [dukebody]
+
 - Fixed help_biography message.
   [vincentfretin]
 
Index: plone/app/users/browser/configure.zcml
===================================================================
--- plone/app/users/browser/configure.zcml	(revision 35102)
+++ plone/app/users/browser/configure.zcml	(working copy)
@@ -9,7 +9,7 @@
       name="register"
       for="plone.app.layout.navigation.interfaces.INavigationRoot"
       class=".register.RegistrationForm"
-      permission="zope.Public"
+      permission="cmf.AddPortalMember"
       />
 
     <browser:page
Index: plone/app/users/tests/flexible_user_registration.txt
===================================================================
--- plone/app/users/tests/flexible_user_registration.txt	(revision 35102)
+++ plone/app/users/tests/flexible_user_registration.txt	(working copy)
@@ -3,12 +3,15 @@
 
     >>> browser = self.browser
 
-First things first... turn on self-registration so that we can see the @@register form.
+First things first... turn on self-registration so that we can see the
+@@register form. Also, let users select their own password so we don't
+depend on a mail server properly set-up:
     >>> browser.open('http://nohost/plone/login_form')
     >>> browser.getControl('Login Name').value = 'admin'
     >>> browser.getControl('Password').value = 'secret'
     >>> browser.getControl('Log in').click()
     >>> browser.open('http://nohost/plone/@@security-controlpanel')
+    >>> browser.getControl('Enable self-registration').selected = True
     >>> browser.getControl('Let users select their own passwords').selected = True
     >>> browser.getControl('Save').click()
     >>> 'Changes saved' in browser.contents

comment:10 Changed 5 years ago by dukebody

  • Status changed from new to closed
  • Resolution set to fixed

(In [35112]) Update permission for the @@register view so only users with the Add Portal Member permission can use it to add new members. Update tests accordingly. Fixes #3739.

comment:11 Changed 5 years ago by dukebody

  • Keywords CathedralSprint added; forcommit removed

comment:12 Changed 3 years ago by davisagli

  • Component changed from Infrastructure to General
Note: See TracTickets for help on using tickets.