From b249b0dd4a461f6f517d587b539dae3bbe85ca29 Mon Sep 17 00:00:00 2001 From: Tres Seaver Date: Fri, 5 Jul 2013 11:44:21 -0400 Subject: [PATCH] Add permissions to some unprotected methods of 'OFS.ObjectManager' Fixes LP #1094221. --- doc/CHANGES.rst | 3 +++ src/OFS/ObjectManager.py | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst index a42730aef2..c3297f8da6 100644 --- a/doc/CHANGES.rst +++ b/doc/CHANGES.rst @@ -8,6 +8,9 @@ http://docs.zope.org/zope2/ 2.12.28 (unreleased) -------------------- +- LP #1094221: add permissions to some unprotected methods of + ``OFS.ObjectManager`` + - LP #1094049: prevent zlib-based DoS when parsing the cookie containing paste tokens. diff --git a/src/OFS/ObjectManager.py b/src/OFS/ObjectManager.py index 0afcfe99f9..ddbc948b66 100644 --- a/src/OFS/ObjectManager.py +++ b/src/OFS/ObjectManager.py @@ -310,6 +310,7 @@ def _getOb(self, id, default=_marker): raise AttributeError, id return default + security.declareProtected(access_contents_information, 'hasObject') def hasObject(self, id): """Indicate whether the folder has an item by ID. @@ -449,6 +450,7 @@ def objectMap(self): # Return a tuple of mappings containing subobject meta-data return tuple(map(lambda dict: dict.copy(), self._objects)) + security.declareProtected(access_contents_information, 'objectIds_d') def objectIds_d(self, t=None): if hasattr(self, '_reserved_names'): n=self._reserved_names else: n=() @@ -459,9 +461,11 @@ def objectIds_d(self, t=None): if id not in n: a(id) return r + security.declareProtected(access_contents_information, 'objectValues_d') def objectValues_d(self, t=None): return map(self._getOb, self.objectIds_d(t)) + security.declareProtected(access_contents_information, 'objectItems_d') def objectItems_d(self, t=None): r=[] a=r.append 
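Review bot: Nothing in this commit verifies the new declarations: the diffstat lists only doc/CHANGES.rst and src/OFS/ObjectManager.py, and each `security.declareProtected(...)` call, starting with the one above `hasObject`, ties the permission to the method through a string literal that has to match the `def` below it. The same applies to the hunks for `objectIds_d`, `objectValues_d`, `objectItems_d`, `objectMap_d`, `superValues` and `tpValues`. A regression test that loops over the seven names and asserts a role declaration exists for each would catch a mistyped or later-renamed name, for example `self.assertTrue(hasattr(ObjectManager, name + '__roles__'), name)` (this assumes class initialisation sets `<name>__roles__` for protected methods; confirm against the AccessControl version in use). Since the subject says "some unprotected methods", the same test could walk every public callable on the class so that any remaining gaps show up.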
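Review bot: The `_d` helpers that gain declarations in the hunks starting at `objectIds_d` carry no explanation of how they differ from the similarly named methods without the suffix (`objectMap` is visible in the hunk header), so a reader cannot tell why they need the same permission. From the visible lines, `objectIds_d` leaves out ids found in `_reserved_names`; a comment such as `# Return subobject ids, leaving out those listed in _reserved_names.` under the signature would record that, though the middle of the body lies outside the hunk and the wording should be confirmed against it. Keep it a `#` comment rather than a docstring: ZPublisher in Zope 2 treats the presence of a docstring as a precondition for publishing an object by URL, so adding one would widen how these methods can be reached.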
@@ -469,6 +473,7 @@ def objectItems_d(self, t=None): for id in self.objectIds_d(t): a((id, g(id))) return r + security.declareProtected(access_contents_information, 'objectMap_d') def objectMap_d(self, t=None): if hasattr(self, '_reserved_names'): n=self._reserved_names else: n=() @@ -479,6 +484,7 @@ def objectMap_d(self, t=None): if d['id'] not in n: a(d.copy()) return r + security.declareProtected(access_contents_information, 'superValues') def superValues(self, t): # Return all of the objects of a given type located in # this object and containing objects. @@ -547,6 +553,7 @@ def manage_delObjects(self, ids=[], REQUEST=None): return self.manage_main(self, REQUEST, update_menu=1) + security.declareProtected(access_contents_information, 'tpValues') def tpValues(self): # Return a list of subobjects, used by tree tag. r=[]
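Review bot: The declaration added above `superValues` checks Access contents information only on the object the method is called on, while the comment under the signature says the result also includes objects located in containing objects. The body lies outside this hunk, but if it collects from parent containers without a per-container check, a caller granted the permission on an inner folder would also receive objects from parents where it may not be granted. That is worth confirming and recording next to the declaration, for example `# NOTE: guards the call only; objects gathered from containing objects are not re-checked here.`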