The member-search form is now protected

[ale-rt]

The member-search form is now protected by the plone.app.controlpanel.UsersAndGroups permission.

Merge together:

#133
plone/Products.PlonePAS#95
plone/plone.app.querystring#157

[mister-roboto]

@ale-rt thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

[ale-rt]

I was undecided about the permission to pick.

Another possible permission might be cmf.ListPortalMembers.
I picked this one because the other views defined in this package use that permission.

[ale-rt]

@jenkins-plone-org please run jobs

[ale-rt]

This view is protected by the view permission by choice, see the test added in:

https://github.com/plone/plone.app.users/pull/19/files#diff-1983a8c567ed77be3d42442512e03b31c06c1d915705c4ee709384bc7238e339R10-R30

I am really not sure if that is a good idea.

@davisagli you approved that PR.
Do you know something more?
Does it still make sense?

From what I know, @@member-search is used as the default view for the /Members folder.

[ale-rt]

Note that the /Members folder is by default private, but the view is callable from every context...