Error fetching data from a control panel that the user does not have permission in form #1949

@wesleybl

Describe the bug

I want a user with the Site Administrator role to manage users, but not have access to the security control panel (http://localhost:3000/controlpanel/security). This control panel requires the Plone Site Setup: Security permission. So I granted this permission only to Manager. But in Volto, the user management screen needs access to data from this control panel. So when accessing the user management screen with a Site Administrator user, the URL http://localhost:3000/@controlpanels/security returns the error:

{ 
"message": "'SecurityControlpanel' object has no attribute 'title'", 
"type": "AttributeError"
}

In the Plone log we have the error:

2025-10-01 15:30:30 ERROR [Zope.SiteErrorLog:35][waitress-0] AttributeError: http://localhost:3000/@controlpanels/security
Traceback (innermost last): 
Module ZPublisher.WSGIPublisher, line 181, in transaction_pubevents 
Module ZPublisher.WSGIPublisher, line 390, in publish_module 
Module ZPublisher.WSGIPublisher, line 284, in publish 
Module ZPublisher.mapply, line 98, in mapply 
Module ZPublisher.WSGIPublisher, line 68, in call_object 
Module plone.rest.service, line 21, in __call__ 
Module plone.restapi.services, line 19, in render 
Module plone.restapi.services.controlpanels.get, line 50, in reply 
Module plone.restapi.services.controlpanels.get, line 73, in reply_panel 
Module plone.restapi.serializer.controlpanels, line 87, in __call__
AttributeError: 'SecurityControlpanel' object has no attribute 'title'

To Reproduce

Steps to reproduce the behavior:

  1. In the Plone Site permissions management screen (http://localhost:8080/Plone/manage_access) set the Plone Site Setup: Security permission only for Manager.
  2. Access the user management screen (http://localhost:3000/controlpanel/users) with a Site Administrator user.

Expected behavior

The URL http://localhost:3000/@controlpanels/security should not return an error.

Software (please complete the following information):

  • OS: [e.g. iOS]
  • Browser: Chrome
  • Plone Version: 6.1.2
  • Volto Version: 18.27.2
  • Plone REST API Version: 9.15.1

Additional context

This error does not occur in Plone Classic.

The error occurs here:

self.controlpanel becomes None, because of the lack of permission. Maybe in this situation, we should set title and group to an empty string?
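
A minimal model of the failure mode reported above, as an added example that is not part of the original issue and is not plone.restapi code. All class and function names are hypothetical, and it assumes the panel's title and group are only set when the current user holds the panel permission. It contrasts the unhandled AttributeError (HTTP 500) with an explicit authorization response (403 in this sketch).

```python
# Added illustration; every name here is hypothetical, not plone.restapi code.
from dataclasses import dataclass, field

PANEL_PERMISSION = "Plone Site Setup: Security"  # permission named in the report


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


class SecurityPanel:
    """Stand-in adapter: title/group exist only if the user may see the panel."""

    def __init__(self, user):
        self.allowed = PANEL_PERMISSION in user.permissions
        if self.allowed:  # assumed cause: attributes are set only on this path
            self.title = "Security"
            self.group = "Security"


def serialize(panel):
    # Reads the attributes unconditionally, like the failing serializer step.
    return {"title": panel.title, "group": panel.group}


def get_fragile(user):
    """A missing permission surfaces as an unhandled AttributeError (HTTP 500)."""
    try:
        return 200, serialize(SecurityPanel(user))
    except AttributeError as exc:
        return 500, {"type": "AttributeError", "message": str(exc)}


def get_explicit(user):
    """Authorization is decided first, so denial is a deliberate 403."""
    panel = SecurityPanel(user)
    if not panel.allowed:
        return 403, {"type": "Forbidden", "message": "Missing permission"}
    return 200, serialize(panel)


if __name__ == "__main__":
    site_admin = User("site-admin")  # constructed user lacking the permission
    manager = User("manager", {PANEL_PERMISSION})
    for handler in (get_fragile, get_explicit):
        print(handler.__name__, handler(site_admin)[0], handler(manager)[0])
```

A regression test for this class of bug asserts that every control panel endpoint answers a user without the permission with an authorization status, never a 5xx that echoes internal class names.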
