
Type schema is available only for authenticated users #1409

Open
erral opened this issue May 6, 2022 · 3 comments

Comments

@erral
Member

erral commented May 6, 2022

The Type Schema endpoint (/@types/WhateverType) is available only for authenticated users:

https://github.com/plone/plone.restapi/blob/master/src/plone/restapi/services/types/get.py#L120
https://github.com/plone/plone.restapi/blob/master/src/plone/restapi/services/types/get.py#L23

If we want to have a DefaultView in Volto for schema based content-types and this view should be viewed by anonymous users, we need to remove the permission check here.

Opinions?

@ionlizarazu @pbauer

@jensens
Member

jensens commented May 6, 2022

Do we expose anything confidential if we allow the type schema for anonymous? I do not think so. But correct me if I am wrong.

cc @plone/security-team

@avoinea
Member

avoinea commented May 6, 2022

@erral I think we should remove that check and rely only on the permission defined within the zcml: https://github.com/plone/plone.restapi/blob/master/src/plone/restapi/services/types/configure.zcml#L11

@mauritsvanrees
Member

The zcml permission currently says anyone with View permission in the Plone Site (or anywhere) can access it. So that will be everyone for most sites.

This is an example of the output you get:
https://plonerestapi.readthedocs.io/en/latest/types.html#get-the-schema-with-get

I suppose it is possible that there is a Choice field where the possible options contain secrets. Not too likely, but it could happen. In that case I would expect the field to have a permission, granted to for example only Site Administrators.

So I think we should check the permission for fields, and only include those fields that the user is allowed to see. It does not look like this happens currently. If we do not check this, then the auto-generated view will contain all fields, also those that the user is not allowed to see.
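The field-level filtering proposed in the comment above, as an added illustration that is not part of the issue thread or of plone.restapi's code. It uses a constructed schema dict shaped like the `/@types` output and a plain dict of per-field read permissions (`READ_PERMISSIONS`); in Plone those permissions would come from the schema's tagged values (plone.autoform's `read_permission` directive) and the check would go through the Zope security manager, both of which are replaced here by a toy `User` with a set of permission names. The point it shows is that `required` and `fieldsets` must be filtered consistently with `properties`, otherwise the serialized schema still leaks the names of hidden fields, and that a Choice field's vocabulary disappears together with the field.

```python
"""Serialize a content-type schema with only the fields the caller may read.

Added example, not plone.restapi code. User, READ_PERMISSIONS,
can_read and filter_schema_for_user are assumptions of this illustration.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Constructed stand-in for a Zope security manager: a user holds permission names."""
    name: str
    permissions: frozenset


# Constructed users: anonymous has only View, the admin also has Manage portal.
ANONYMOUS = User("anonymous", frozenset({"View"}))
SITE_ADMIN = User("admin", frozenset({"View", "Manage portal"}))

# Constructed schema in the shape the /@types endpoint returns. The Choice
# field "api_region" carries a vocabulary whose values are not public.
SCHEMA = {
    "title": "WhateverType",
    "properties": {
        "title": {"type": "string"},
        "description": {"type": "string"},
        "internal_contact": {"type": "string"},
        "api_region": {
            "type": "string",
            "choices": [["eu-west", "EU West"], ["dc-internal", "Internal datacenter"]],
        },
    },
    "required": ["title", "api_region"],
    "fieldsets": [
        {"id": "default", "fields": ["title", "description"]},
        {"id": "internal", "fields": ["internal_contact", "api_region"]},
    ],
}

# Constructed per-field read permissions (plone.autoform's read_permission
# directive plays this role in Plone). Unlisted fields need only "View".
READ_PERMISSIONS = {
    "internal_contact": "Manage portal",
    "api_region": "Manage portal",
}


def can_read(user, field_name, read_permissions=READ_PERMISSIONS):
    """True when the user holds the read permission required for the field."""
    needed = read_permissions.get(field_name, "View")
    return needed in user.permissions


def filter_schema_for_user(schema, user, read_permissions=READ_PERMISSIONS):
    """Return a copy of the schema containing only fields the user may read.

    properties, required and fieldsets are all filtered by the same allowed
    set so that no hidden field name survives anywhere in the output.
    """
    allowed = {
        name for name in schema["properties"] if can_read(user, name, read_permissions)
    }
    return {
        "title": schema["title"],
        "properties": {k: v for k, v in schema["properties"].items() if k in allowed},
        "required": [k for k in schema.get("required", []) if k in allowed],
        "fieldsets": [
            {"id": fs["id"], "fields": [f for f in fs["fields"] if f in allowed]}
            for fs in schema.get("fieldsets", [])
            if any(f in allowed for f in fs["fields"])
        ],
    }


if __name__ == "__main__":
    for user in (ANONYMOUS, SITE_ADMIN):
        print(f"--- schema as seen by {user.name} ---")
        print(json.dumps(filter_schema_for_user(SCHEMA, user), indent=2))
```

Running the module prints the schema twice: the anonymous view has only `title` and `description` (and a single fieldset), while the admin view is the full schema. Empty fieldsets are dropped rather than returned with an empty field list, since an empty `internal` fieldset would itself hint that restricted fields exist.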
