From fdb7b4d224950d9259cade72069303fad0a0b806 Mon Sep 17 00:00:00 2001
From: SHIVAANSH0610_LUFFY
Date: Wed, 4 Feb 2026 10:59:59 +0530
Subject: [PATCH 1/5] Fix @@allow_upload traversal when parent folders are restricted
---
 src/plone/app/content/browser/file.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/plone/app/content/browser/file.py b/src/plone/app/content/browser/file.py
index 03f51a3f..bd7a6ed6 100644
--- a/src/plone/app/content/browser/file.py
+++ b/src/plone/app/content/browser/file.py
@@ -1,3 +1,4 @@
+from zope.traversing.api import unrestrictedTraverse
 from AccessControl import getSecurityManager
 from OFS.interfaces import IFolder
 from plone.app.dexterity.interfaces import IDXFileFactory
@@ -6,6 +7,7 @@
 from Products.CMFCore.utils import getToolByName
 from Products.Five.browser import BrowserView
+
 
 import json
 import logging
 import mimetypes
@@ -190,7 +192,7 @@ def __call__(self):
 )
 context = self.context
 if self.request.form.get("path"):
- context = context.restrictedTraverse(self.request.form.get("path"))
+ context = unrestrictedTraverse(context, self.request.form.get("path"))
 
 allow_images = False
 allow_files = False
From 2aee4427b3f26a2d747c05a623da6189dd27f221 Mon Sep 17 00:00:00 2001
From: SHIVAANSH0610_LUFFY
Date: Wed, 4 Feb 2026 11:23:40 +0530
Subject: [PATCH 2/5] Add changelog entry for @@allow_upload fix
---
 news/4055.bugfix | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 news/4055.bugfix
diff --git a/news/4055.bugfix b/news/4055.bugfix
new file mode 100644
index 00000000..0b7d53f0
--- /dev/null
+++ b/news/4055.bugfix
@@ -0,0 +1,2 @@
+Fix @@allow_upload failing with a 302 redirect when parent folders
+are restricted but the target folder is accessible.
From 36db46e5f653cd0ed383e9d4cf0c74585cbbbf2e Mon Sep 17 00:00:00 2001
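Review bot: Unrestricted traversal of the request-supplied `path` in `__call__` drops every permission check, on the resolved object as well as on its restricted parents; the `@@ -191,7 +190,7 @@` hunk of PATCH 4/5 keeps the same behaviour in method form. The rest of `__call__` is outside both hunks, so if nothing further down checks access, the view would report `allow_images`/`allow_files` for objects the caller cannot view, and would confirm that they exist. The parents can still be skipped if the target is authorised explicitly right after the lookup, for example `if not getSecurityManager().checkPermission("View", context): raise Unauthorized()`. `getSecurityManager` is already imported; `Unauthorized` would presumably need `from zExceptions import Unauthorized`. A one-line comment on the traversal, such as `# parents may be private; the target is checked explicitly below`, would stop a later cleanup from reverting it or dropping the check.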
From: SHIVAANSH0610_LUFFY
Date: Wed, 4 Feb 2026 11:43:33 +0530
Subject: [PATCH 3/5] Apply isort formatting
---
 src/plone/app/content/browser/file.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/plone/app/content/browser/file.py b/src/plone/app/content/browser/file.py
index bd7a6ed6..c79b58e0 100644
--- a/src/plone/app/content/browser/file.py
+++ b/src/plone/app/content/browser/file.py
@@ -1,4 +1,3 @@
-from zope.traversing.api import unrestrictedTraverse
 from AccessControl import getSecurityManager
 from OFS.interfaces import IFolder
 from plone.app.dexterity.interfaces import IDXFileFactory
@@ -6,7 +5,7 @@
 from plone.uuid.interfaces import IUUID
 from Products.CMFCore.utils import getToolByName
 from Products.Five.browser import BrowserView
-
+from zope.traversing.api import unrestrictedTraverse
 
 import json
 import logging
From dbe21b6842694e145da65b725daf56501f74e80c Mon Sep 17 00:00:00 2001
From: SHIVAANSH0610_LUFFY
Date: Wed, 4 Feb 2026 12:27:27 +0530
Subject: [PATCH 4/5] Call unrestrictedTraverse as a method on context
---
 src/plone/app/content/browser/file.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/plone/app/content/browser/file.py b/src/plone/app/content/browser/file.py
index c79b58e0..9d347715 100644
--- a/src/plone/app/content/browser/file.py
+++ b/src/plone/app/content/browser/file.py
@@ -5,7 +5,6 @@
 from plone.uuid.interfaces import IUUID
 from Products.CMFCore.utils import getToolByName
 from Products.Five.browser import BrowserView
-from zope.traversing.api import unrestrictedTraverse
 
 import json
 import logging
@@ -191,7 +190,7 @@ def __call__(self):
 )
 context = self.context
 if self.request.form.get("path"):
- context = unrestrictedTraverse(context, self.request.form.get("path"))
+ context = context.unrestrictedTraverse(self.request.form.get("path"))
 
 allow_images = False
 allow_files = False
From 3d98a90adea7d6c21ec38b2c2cd2b4c03460fee2 Mon Sep 17 00:00:00 2001
From: David Glick
Date: Tue, 17 Feb 2026 21:50:09 -0800
Subject: [PATCH 5/5] Update news/4055.bugfix
---
 news/4055.bugfix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/news/4055.bugfix b/news/4055.bugfix
index 0b7d53f0..a3cdeea3 100644
--- a/news/4055.bugfix
+++ b/news/4055.bugfix
@@ -1,2 +1 @@
-Fix @@allow_upload failing with a 302 redirect when parent folders
-are restricted but the target folder is accessible.
+Fix @@allow_upload failing with a 302 redirect when parent folders are restricted but the target folder is accessible. @shivaansh0610-LUFFY