fix: @querystring shouldn't list userids

src/plone/restapi/services/querystring/configure.zcml

@@ -4,27 +4,48 @@
     xmlns:plone="http://namespaces.plone.org/plone"
     xmlns:zcml="http://namespaces.zope.org/zcml"
     >
-
+
+  <!-- Editor endpoint -->
   <plone:service
       method="GET"
-      factory=".get.QuerystringGet"
+      factory=".get.QuerystringEditorGet"
       for="Products.CMFPlone.interfaces.IPloneSiteRoot"
-      permission="zope2.View"
+      permission="cmf.ModifyPortalContent"
       name="@querystring"
       />
-
   <plone:service
       method="GET"
-      factory=".get.QuerystringGet"
+      factory=".get.QuerystringEditorGet"
       for="Products.CMFCore.interfaces.IContentish"
-      permission="zope2.View"
+      permission="cmf.ModifyPortalContent"
       name="@querystring"
       />
+
+  <!-- Public endpoint -->
+  <plone:service
+      method="GET"
+      factory=".get.QuerystringPublicGet"
+      for="Products.CMFPlone.interfaces.IPloneSiteRoot"
+      permission="zope2.View"
+      name="@querystring-public"
+      />
+  <plone:service
+      method="GET"
+      factory=".get.QuerystringPublicGet"
+      for="Products.CMFCore.interfaces.IContentish"
+      permission="zope2.View"
+      name="@querystring-public"
+      />
 
+  <!-- Maintain caching for both endpoints -->
   <cache:ruleset
-      for=".get.QuerystringGet"
+      for=".get.QuerystringEditorGet"
+      ruleset="plone.content.dynamic"
+      zcml:condition="have plone-app-caching-3"
+      />
+  <cache:ruleset
+      for=".get.QuerystringPublicGet"
       ruleset="plone.content.dynamic"
       zcml:condition="have plone-app-caching-3"
       />
-
 </configure>

src/plone/restapi/services/querystring/get.py

@@ -4,18 +4,38 @@
 from zope.component import getMultiAdapter
 from zope.component import getUtility
 
-
-class QuerystringGet(Service):
-    """Returns the querystring configuration.
-
-    This basically does the same thing as the '@@querybuilderjsonconfig'
-    view from p.a.querystring, but exposes the config via the REST API.
+class QuerystringEditorGet(Service):
+    """Returns the complete querystring configuration for editors.
+    This maintains all existing functionality but requires edit permissions.
     """
+    def reply(self):
+        registry = getUtility(IRegistry)
+        reader = getMultiAdapter((registry, self.request), IQuerystringRegistryReader)
+        reader.vocab_context = self.context
+        result = reader()
+        result["@id"] = f"{self.context.absolute_url()}/@querystring"
+        return result
 
+class QuerystringPublicGet(Service):
+    """Returns a filtered querystring configuration for public use.
+    This removes sensitive information like user and group vocabularies.
+    """
     def reply(self):
         registry = getUtility(IRegistry)
         reader = getMultiAdapter((registry, self.request), IQuerystringRegistryReader)
         reader.vocab_context = self.context
         result = reader()
-        result["@id"] = "%s/@querystring" % self.context.absolute_url()
+
+        # Filter out sensitive information
+        sensitive_vocabs = ['plone.app.vocabularies.Users', 'plone.app.vocabularies.Groups']
+        indexes_to_remove = []
+
+        for index_name, index_data in result['indexes'].items():
+            if 'vocabulary' in index_data and index_data['vocabulary'] in sensitive_vocabs:
+                indexes_to_remove.append(index_name)
+
+        for index_name in indexes_to_remove:
+            del result['indexes'][index_name]
+
+        result["@id"] = f"{self.context.absolute_url()}/@querystring-public"
         return result