Check vocab permissions before including vocab terms in QuerystringRegistryReader

.meta.toml

@@ -12,3 +12,4 @@ test_matrix = {"6.2" = ["*"]}
 dependencies_mappings = [
     "'Products.ZCatalog' = ['Products.ZCTextIndex']",
     ]
+dependencies_ignores = "['plone.app.content']"

news/+vocab.bugfix

@@ -0,0 +1 @@
+Don't include vocabulary values in QuerystringRegistryReader results if the current user doesn't have permission for the vocabulary. @davisagli

pyproject.toml

@@ -120,6 +120,7 @@ Zope = [
 ]
 python-dateutil = ['dateutil']
 pytest-plone = ['pytest', 'zope.pytestlayer', 'plone.testing', 'plone.app.testing']
+ignore-packages = ['plone.app.content']
 'Products.ZCatalog' = ['Products.ZCTextIndex']
 
 ##

setup.py

@@ -51,6 +51,7 @@
     ],
     extras_require={
         "test": [
+            "plone.app.content",
             "plone.app.testing",
             "plone.app.contenttypes[test]",
         ]

src/plone/app/querystring/registryreader.py

@@ -1,3 +1,5 @@
+from AccessControl import getSecurityManager
+from Acquisition import aq_parent
 from collections import OrderedDict
 from plone.app.querystring.interfaces import IQuerystringRegistryReader
 from plone.base.utils import safe_text
@@ -16,6 +18,13 @@
 import logging
 
 
+try:
+    from plone.app.content.browser.vocabulary import DEFAULT_PERMISSION
+    from plone.app.content.browser.vocabulary import PERMISSIONS
+except ImportError:
+    PERMISSIONS = {}
+    DEFAULT_PERMISSION = "View"
+
 logger = logging.getLogger("plone.app.querystring")
 
 
@@ -42,7 +51,7 @@ def __init__(self, context, request=None):
             request = getRequest()
 
         self.context = context
-        self.vocab_context = context
+        self.vocab_context = aq_parent(context)
         self.request = request
 
     def parseRegistry(self):
@@ -71,6 +80,10 @@ def parseRegistry(self):
 
         return result
 
+    def _checkVocabularyPermission(self, vocab_name):
+        permission = PERMISSIONS.get(vocab_name, DEFAULT_PERMISSION)
+        return getSecurityManager().checkPermission(permission, self.vocab_context)
+
     def getVocabularyValues(self, values):
         """Get all vocabulary values if a vocabulary is defined"""
         id_normalize = getUtility(IIDNormalizer).normalize
@@ -88,6 +101,9 @@ def getVocabularyValues(self, values):
                 # Bail out if the annotation is marked not to fetch the vocabulary
                 # to allow the widget to query the vocabulary as needed
                 continue
+            if not self._checkVocabularyPermission(vocabulary):
+                # Don't include vocab values if user doesn't have permission
+                continue
             for item in utility(self.vocab_context):
                 if isinstance(item.title, Message):
                     title = translate(item.title, context=self.request)

src/plone/app/querystring/tests/testRegistryReader.py

@@ -2,8 +2,10 @@
 from plone.app.querystring.registryreader import DottedDict
 from plone.app.querystring.testing import PLONEAPPQUERYSTRING_INTEGRATION_TESTING
 from plone.app.querystring.tests import registry_testdata as td
+from plone.app.testing import logout
 from plone.registry import Registry
 from plone.registry.interfaces import IRegistry
+from unittest import mock
 from zope.component import getGlobalSiteManager
 from zope.interface import implementer
 from zope.schema.interfaces import IVocabularyFactory
@@ -97,6 +99,23 @@ def test_get_vocabularies_in_context(self):
         vocabulary_result = result.get("plone.app.querystring.field.reviewState.values")
         self.assertEqual(vocabulary_result, {"subsite term": {"title": "subsite term"}})
 
+    def test_get_vocabularies_checks_permission(self):
+        logout()
+        from plone.app.content.browser.vocabulary import PERMISSIONS
+
+        with mock.patch.dict(
+            PERMISSIONS,
+            {"plone.app.querystring.tests.testvocabulary": "Manage portal content"},
+        ):
+            registry = self.createRegistry(td.test_vocabulary_xml)
+            reader = IQuerystringRegistryReader(registry)
+            result = reader.parseRegistry()
+            result = reader.getVocabularyValues(result)
+            vocabulary_result = result.get(
+                "plone.app.querystring.field.reviewState.values"
+            )
+            self.assertEqual(vocabulary_result, {})
+
     def test_map_operations_clean(self):
         """tests if mapOperations is getting all operators correctly"""
         registry = self.createRegistry(td.minimal_correct_xml)