Give Site Administrator permission to manage users (#1712)

* Give Site Administrator permission to manage users

Permission of related endpoints changed from cmf.ManagePortal to
plone.app.controlpanel.UsersAndGroups. It was also necessary to give
Manage users and plone.restapi: Access Plone user information
permissions to the Site Administrator.

* Does not allow a Site Administrator to set a Manager role

* Does not allow a Site Administrator delete Manager

* Test that the Site Administrator cannot add a Manager

* Do not allow a Site Administrator user to add users to groups that have
the Manager role

* Do not allow the Site Administrator to set the Manager role for a group

* Do not allow the Site Administrator to create groups with the Manager
role

* Does not allow an Site Administrator add group to group with Manager
role

* Do not allow Site Administrator to delete group with Manager role

* Add can_assign and can_assign_add keys to the roles endpoint

This is to inform the front-end whether role assignment should be
allowed or not. It was necessary to create the can_assign_add key,
because a user can only create another with the roles they have. But in
editing he can assign other roles.

* Add can_delete key to the users endpoint

Used to backend hide remove user button if user cannot be removed by
currently authenticated user

* Add can_delete key to the groups endpoint

Used to backend hide remove group button if group cannot be removed by
currently authenticated user

* Does not allow a Site Administrator to change a Manager's email and
password

* Update examples in documentation

* Uses acl_users.userFolderDelUsers to delete users

Therefore, it is not necessary to give Manage users permission to the
Site Administrator.

* Simplifies logic that defines whether the user can update roles

* Show message on lack of permission errors

* Set default roles as list

This prevents '"Manager" in roles' breaking if roles was missing

* Quote the plone.app.controlpanel.UsersAndGroups permission in changes

* Remove can_assign_add key

* Add upgrade step

Upgrade step to give permission plone.restapi: Access Plone user
information to Site Administrator

* Define can_delete in group serializer

* Define can_delete in users serializer

* Shows the can_delete key in the users and groups serializer only if the
user has "Plone Site Setup: Users and Groups" permission

* Rename ManageUsers to PloneManageUsers

* Uses PloneManageUsers variable instead of the string

* Remove can_delete key from users/groups endpoints

* Remove can_assign key from roles endpoint

* remove unused function

---------

Co-authored-by: David Glick <david@glicksoftware.com>

news/1712.feature

@@ -0,0 +1 @@
+Give Site Administrator permission to manage users. To make this possible, we now check the "plone.app.controlpanel.UsersAndGroups" permission instead of "cmf.ManagePortal" in a lot of operations in the users and groups endpoints. @wesleybl

src/plone/restapi/locales/de/LC_MESSAGES/plone.restapi.po

@@ -1,7 +1,7 @@
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
-"POT-Creation-Date: 2022-12-29 15:58+0000\n"
+"POT-Creation-Date: 2023-09-25 20:32+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI +ZONE\n"
 "Last-Translator: Timo Stollenwerk <tisto@plone.org>\n"
 "Language-Team: German <DE@li.org>\n"
@@ -14,11 +14,11 @@ msgstr ""
 "Preferred-Encodings: utf-8 latin1\n"
 "Domain: plone.restapi\n"
 
-#: plone/restapi/services/email_send/post.py:81
+#: plone/restapi/services/email_send/post.py:88
 msgid "${sender_fullname} via ${portal_title}"
 msgstr "${sender_fullname} via ${portal_title}"
 
-#: plone/restapi/services/email_send/post.py:74
+#: plone/restapi/services/email_send/post.py:81
 msgid "A portal user via ${portal_title}"
 msgstr "Ein Portal Nutzer via ${portal_title}"
 
@@ -34,31 +34,31 @@ msgstr ""
 msgid "Adds sample workflows for testing"
 msgstr ""
 
-#: plone/restapi/services/aliases/add.py:106
+#: plone/restapi/services/aliases/add.py:107
 msgid "Alternative urls that point to themselves will cause an endless cycle of redirects."
 msgstr ""
 
-#: plone/restapi/configure.zcml:115
+#: plone/restapi/configure.zcml:116
 msgid "Blocks"
 msgstr ""
 
-#: plone/restapi/configure.zcml:122
+#: plone/restapi/configure.zcml:123
 msgid "Blocks (Editable Layout)"
 msgstr ""
 
-#: plone/restapi/configure.zcml:122
+#: plone/restapi/configure.zcml:123
 msgid "Enables Volto Blocks (editable layout) support"
 msgstr ""
 
-#: plone/restapi/configure.zcml:115
+#: plone/restapi/configure.zcml:116
 msgid "Enables Volto Blocks support"
 msgstr ""
 
 #: plone/restapi/configure.zcml:81
 msgid "Enables blocks on the Document content type"
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:133
+#: plone/restapi/services/contextnavigation/get.py:136
 msgid "Enter a valid scale name (see 'Image Handling' control panel) to override (e.g. icon, tile, thumb, mini, preview, ... ). Leave empty to use default (see 'Site' control panel)."
 msgstr ""
 
@@ -67,15 +67,15 @@ msgid "Error in fields. ${errors_to_string}"
 msgstr ""
 
 #. Default: "The reset_token is expired."
-#: plone/restapi/services/users/add.py:312
+#: plone/restapi/services/users/add.py:319
 msgid "Expired Token"
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:126
+#: plone/restapi/services/contextnavigation/get.py:129
 msgid "If enabled, the portlet will not show document type icons."
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:145
+#: plone/restapi/services/contextnavigation/get.py:148
 msgid "If enabled, the portlet will not show thumbs."
 msgstr ""
 
@@ -91,11 +91,11 @@ msgstr ""
 msgid "Layout"
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:195
+#: plone/restapi/services/contextnavigation/get.py:197
 msgid "Navigation"
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:132
+#: plone/restapi/services/contextnavigation/get.py:135
 msgid "Override thumb scale"
 msgstr ""
 
@@ -123,50 +123,58 @@ msgstr ""
 msgid "Roles"
 msgstr ""
 
-#: plone/restapi/services/users/add.py:350
+#: plone/restapi/services/users/add.py:357
 msgid "See the user endpoint documentation for the valid parameters."
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:125
+#: plone/restapi/services/contextnavigation/get.py:128
 msgid "Suppress Icons"
 msgstr ""
 
-#: plone/restapi/services/contextnavigation/get.py:144
+#: plone/restapi/services/contextnavigation/get.py:147
 msgid "Suppress thumbs"
 msgstr ""
 
-#: plone/restapi/services/users/add.py:342
+#: plone/restapi/services/users/add.py:349
 msgid "The password passed as 'old_password' is wrong."
 msgstr ""
 
-#: plone/restapi/services/users/add.py:307
+#: plone/restapi/services/users/add.py:314
 msgid "The reset_token is unknown/not valid."
 msgstr ""
 
 #: plone/restapi/configure.zcml:81
 msgid "Volto Blocks"
 msgstr ""
 
-#: plone/restapi/services/users/update.py:119
+#: plone/restapi/services/users/update.py:151
 msgid "You are not authorized to perform this action"
 msgstr ""
 
-#: plone/restapi/services/email_send/post.py:91
+#: plone/restapi/services/email_send/post.py:98
 msgid "You are receiving this mail because ${sender_fullname} sent this message via the site ${portal_title}:"
 msgstr "Sie erhalten diese E-Mail, weil Ihnen ${sender_fullname} diese Nachricht über die Webseite ${portal_title} geschickt hat:"
 
 #: plone/restapi/services/users/add.py:114
 msgid "You can't send both password and sendPasswordReset."
 msgstr ""
 
-#: plone/restapi/services/users/add.py:322
+#: plone/restapi/services/users/add.py:329
 msgid "You can't set a password without a password reset token."
 msgstr ""
 
-#: plone/restapi/services/users/update.py:125
+#: plone/restapi/services/users/update.py:120
+msgid "You can't update roles of this user"
+msgstr ""
+
+#: plone/restapi/services/users/update.py:157
 msgid "You can't update the properties of this user"
 msgstr ""
 
+#: plone/restapi/services/users/update.py:94
+msgid "You can't update this user"
+msgstr ""
+
 #: plone/restapi/services/users/add.py:284
 msgid "You can't use 'reset_token' and 'old_password' together."
 msgstr ""
@@ -179,72 +187,72 @@ msgstr ""
 msgid "You need AddPortalMember permission."
 msgstr ""
 
-#: plone/restapi/services/users/add.py:329
+#: plone/restapi/services/users/add.py:336
 msgid "You need to be logged in as the user '${username}' to set the password."
 msgstr ""
 
 #. Default: "Missing dependency"
-#: plone/restapi/services/addons/addons.py:207
+#: plone/restapi/services/addons/addons.py:212
 msgid "dependency_missing"
 msgstr ""
 
 #. Default: "If selected, the navigation tree will only show the current folder and its children at all times."
-#: plone/restapi/services/contextnavigation/get.py:84
+#: plone/restapi/services/contextnavigation/get.py:87
 msgid "help_current_folder_only"
 msgstr ""
 
 #. Default: "Whether or not to show the top, or 'root', node in the navigation tree. This is affected by the 'Start level' setting."
-#: plone/restapi/services/contextnavigation/get.py:69
+#: plone/restapi/services/contextnavigation/get.py:72
 msgid "help_include_top_node"
 msgstr ""
 
 #. Default: "You may search for and choose a folder to act as the root of the navigation tree. Leave blank to use the Plone site root."
-#: plone/restapi/services/contextnavigation/get.py:58
+#: plone/restapi/services/contextnavigation/get.py:61
 msgid "help_navigation_root"
 msgstr ""
 
 #. Default: "An integer value that specifies the number of folder levels below the site root that must be exceeded before the navigation tree will display. 0 means that the navigation tree should be displayed everywhere including pages in the root of the site. 1 means the tree only shows up inside folders located in the root and downwards, never showing at the top level."
-#: plone/restapi/services/contextnavigation/get.py:96
+#: plone/restapi/services/contextnavigation/get.py:99
 msgid "help_navigation_start_level"
 msgstr ""
 
 #. Default: "The title of the navigation tree."
-#: plone/restapi/services/contextnavigation/get.py:49
+#: plone/restapi/services/contextnavigation/get.py:52
 msgid "help_navigation_title"
 msgstr ""
 
 #. Default: "How many folders should be included before the navigation tree stops. 0 means no limit. 1 only includes the root folder."
-#: plone/restapi/services/contextnavigation/get.py:113
+#: plone/restapi/services/contextnavigation/get.py:116
 msgid "help_navigation_tree_depth"
 msgstr ""
 
 #. Default: "Only show the contents of the current folder."
-#: plone/restapi/services/contextnavigation/get.py:80
+#: plone/restapi/services/contextnavigation/get.py:83
 msgid "label_current_folder_only"
 msgstr ""
 
 #. Default: "Include top node"
-#: plone/restapi/services/contextnavigation/get.py:68
+#: plone/restapi/services/contextnavigation/get.py:71
 msgid "label_include_top_node"
 msgstr ""
 
 #. Default: "Root node"
-#: plone/restapi/services/contextnavigation/get.py:57
+#: plone/restapi/services/contextnavigation/get.py:60
 msgid "label_navigation_root_path"
 msgstr ""
 
 #. Default: "Start level"
-#: plone/restapi/services/contextnavigation/get.py:95
+#: plone/restapi/services/contextnavigation/get.py:98
 msgid "label_navigation_startlevel"
 msgstr ""
 
 #. Default: "Title"
-#: plone/restapi/services/contextnavigation/get.py:48
+#: plone/restapi/services/contextnavigation/get.py:51
 msgid "label_navigation_title"
 msgstr ""
 
 #. Default: "Navigation tree depth"
-#: plone/restapi/services/contextnavigation/get.py:112
+#: plone/restapi/services/contextnavigation/get.py:115
 msgid "label_navigation_tree_depth"
 msgstr ""