Add permissions to some unprotected methods of 'OFS.ObjectManager'

Fixes LP #1094221.
zopefoundation · Jul 5, 2013 · b249b0d · b249b0d
1 parent 9f37c69
commit b249b0d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
 2.12.28 (unreleased)
 --------------------
 
+- LP #1094221:  add permissions to some unprotected methods of
+  ``OFS.ObjectManager``
+
 - LP #1094049:  prevent zlib-based DoS when parsing the cookie containing
   paste tokens.
 

diff --git a/src/OFS/ObjectManager.py b/src/OFS/ObjectManager.py
@@ -310,6 +310,7 @@ def _getOb(self, id, default=_marker):
             raise AttributeError, id
         return default
 
+    security.declareProtected(access_contents_information, 'hasObject')
     def hasObject(self, id):
         """Indicate whether the folder has an item by ID.
 
@@ -449,6 +450,7 @@ def objectMap(self):
         # Return a tuple of mappings containing subobject meta-data
         return tuple(map(lambda dict: dict.copy(), self._objects))
 
+    security.declareProtected(access_contents_information, 'objectIds_d')
     def objectIds_d(self, t=None):
         if hasattr(self, '_reserved_names'): n=self._reserved_names
         else: n=()
@@ -459,16 +461,19 @@ def objectIds_d(self, t=None):
             if id not in n: a(id)
         return r
 
+    security.declareProtected(access_contents_information, 'objectValues_d')
     def objectValues_d(self, t=None):
         return map(self._getOb, self.objectIds_d(t))
 
+    security.declareProtected(access_contents_information, 'objectItems_d')
     def objectItems_d(self, t=None):
         r=[]
         a=r.append
         g=self._getOb
         for id in self.objectIds_d(t): a((id, g(id)))
         return r
 
+    security.declareProtected(access_contents_information, 'objectMap_d')
     def objectMap_d(self, t=None):
         if hasattr(self, '_reserved_names'): n=self._reserved_names
         else: n=()
@@ -479,6 +484,7 @@ def objectMap_d(self, t=None):
             if d['id'] not in n: a(d.copy())
         return r
 
+    security.declareProtected(access_contents_information, 'superValues')
     def superValues(self, t):
         # Return all of the objects of a given type located in
         # this object and containing objects.
@@ -547,6 +553,7 @@ def manage_delObjects(self, ids=[], REQUEST=None):
             return self.manage_main(self, REQUEST, update_menu=1)
 
 
+    security.declareProtected(access_contents_information, 'tpValues')
     def tpValues(self):
         # Return a list of subobjects, used by tree tag.
         r=[]