Fix serious authentication vulnerability in stock configuration.

doc/CHANGES.rst

@@ -11,6 +11,8 @@ http://docs.zope.org/zope2/releases/.
 Bugs Fixed
 ++++++++++
 
+- Fixed serious authentication vulnerability in stock configuration.
+
 - Fixed a regression in webdav support that broke external editor feature.
 
 - Restore ability to undo multiple transactions from the ZMI by using the

src/OFS/tests/test_userfolder.py

@@ -17,7 +17,15 @@ import unittest
 # TODO class Test_readUserAccessFile(unittest.TestCase)
 
 
-# TODO class BasicUserFoldertests(unittest.TestCase)
+class BasicUserFolderTests(unittest.TestCase):
+ 
+    def _getTargetClass(self):
+        from OFS.userfolder import BasicUserFolder
+        return BasicUserFolder
+ 
+    def test_manage_users_security_initialized(self):
+        uf = self._getTargetClass()()
+        self.assertTrue(hasattr(uf, 'manage_users__roles__'))
 
 
 class UserFolderTests(unittest.TestCase):
@@ -171,6 +179,8 @@ class UserFolderTests(unittest.TestCase):
 
 
 def test_suite():
-    suite = unittest.TestSuite()
-    suite.addTest(unittest.makeSuite(UserFolderTests))
+    suite = unittest.TestSuite((
+        unittest.makeSuite(BasicUserFolderTests),
+        unittest.makeSuite(UserFolderTests),
+    ))
     return suite

src/OFS/userfolder.py

@@ -293,6 +293,8 @@ class BasicUserFolder(Navigation, Tabs, Item, RoleManager,
                 message='Cannot change the id of a UserFolder',
                 action='./manage_main'))
 
+InitializeClass(BasicUserFolder)
+
 
 class UserFolder(accesscontrol_userfolder.UserFolder, BasicUserFolder):
     """Standard UserFolder object