Uses acl_users.userFolderDelUsers to delete users

Therefore, it is not necessary to give Manage users permission to the Site Administrator.
plone · Nov 1, 2023 · 51eab0c · 51eab0c
1 parent 732c709
commit 51eab0c
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 13 deletions.
diff --git a/src/plone/restapi/profiles/default/rolemap.xml b/src/plone/restapi/profiles/default/rolemap.xml
@@ -11,9 +11,5 @@
       <role name="Manager"/>
       <role name="Site Administrator"/>
     </permission>
-    <permission name="Manage users" acquire="True">
-      <role name="Manager"/>
-      <role name="Site Administrator"/>
-    </permission>
   </permissions>
 </rolemap>
diff --git a/src/plone/restapi/services/users/delete.py b/src/plone/restapi/services/users/delete.py
@@ -1,9 +1,11 @@
 from AccessControl import getSecurityManager
 from plone.restapi.services import Service
+from Products.CMFCore.interfaces import ISiteRoot
 from Products.CMFCore.permissions import ManagePortal
 from Products.CMFCore.utils import getToolByName
 from zope.interface import implementer
 from zope.publisher.interfaces import IPublishTraverse
+from zope.component import getUtility
 
 
 FALSE_VALUES = (0, "0", False, "false", "no")
@@ -17,6 +19,7 @@ def __init__(self, context, request):
         super().__init__(context, request)
         self.params = []
         self.portal_membership = getToolByName(context, "portal_membership")
+        self.acl_users = getToolByName(context, "acl_users")
 
     @property
     def is_zope_manager(self):
@@ -37,8 +40,10 @@ def _get_user(self, user_id):
         return self.portal_membership.getMemberById(user_id)
 
     def reply(self):
+        user = self._get_user(self._get_user_id)
+        if not user:
+            return self.reply_no_content(status=404)
         if not self.is_zope_manager:
-            user = self._get_user(self._get_user_id)
             current_roles = user.getRoles()
             if "Manager" in current_roles:
                 return self.reply_no_content(status=403)
@@ -51,12 +56,21 @@ def reply(self):
             self.request.get("delete_localroles", True) not in FALSE_VALUES
         )
 
-        delete_successful = self.portal_membership.deleteMembers(
-            (self._get_user_id,),
-            delete_memberareas=delete_memberareas,
-            delete_localroles=delete_localroles,
-        )
-        if delete_successful:
-            return self.reply_no_content()
-        else:
+        try:
+            self.acl_users.userFolderDelUsers((self._get_user_id,))
+        except (AttributeError, NotImplementedError):
             return self.reply_no_content(status=404)
+
+        if delete_memberareas:
+            # Delete member data in portal_memberdata.
+            mdtool = getToolByName(self.context, "portal_memberdata", None)
+            if mdtool is not None:
+                mdtool.deleteMemberData(self._get_user_id)
+
+        if delete_localroles:
+            # Delete members' local roles.
+            self.portal_membership.deleteLocalRoles(
+                getUtility(ISiteRoot), (self._get_user_id,), reindex=1, recursive=1
+            )
+
+        return self.reply_no_content()