Merge 981f41a into 0ab25d5

zopefoundation · Mar 11, 2021 · 32a01a5 · 32a01a5
2 parents 0ab25d5 + 981f41a
commit 32a01a5
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,10 @@ Change Log
 2.6.2 (unreleaased)
 -------------------
 
+- Tighten down security on several login string transformation methods
+  (`#88
+  <https://github.com/zopefoundation/Products.PluggableAuthService/issues/88>`_)
+
 
 2.6.1 (2021-02-26)
 ------------------

diff --git a/src/Products/PluggableAuthService/PluggableAuthService.py b/src/Products/PluggableAuthService/PluggableAuthService.py
@@ -976,7 +976,7 @@ def __call__(self, container, req):
         resp._unauthorized = self._unauthorized
         resp._has_challenged = False
 
-    @security.public
+    @security.private
     def applyTransform(self, value):
         """ Transform for login name.
 
@@ -1024,7 +1024,7 @@ def _setPropValue(self, id, value):
                          'Updating existing login names.', orig_value, value)
             self.updateAllLoginNames()
 
-    @security.public
+    @security.private
     def lower(self, value):
         """ Transform for login name.
 
@@ -1034,7 +1034,7 @@ def lower(self, value):
         """
         return value.strip().lower()
 
-    @security.public
+    @security.private
     def upper(self, value):
         """ Transform for login name.
 

diff --git a/src/Products/PluggableAuthService/plugins/BasePlugin.py b/src/Products/PluggableAuthService/plugins/BasePlugin.py
@@ -115,7 +115,7 @@ def _invalidatePrincipalCache(self, id):
             view_name = createViewName('_findUser', id)
             pas.ZCacheable_invalidate(view_name)
 
-    @security.public
+    @security.private
     def applyTransform(self, value):
         """ Transform for login name.