Provide security declarations for BTreeFolder2Base class, instead o…

…f only for `BTreeFolder2` via the `OFS.Folder` mix-in. LP #902068: Fixed missing security declaration for `ObjectManager` class.
zopefoundation · Dec 12, 2011 · ca018bf · ca018bf
1 parent d944819
commit ca018bf
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/doc/CHANGES.rst b/doc/CHANGES.rst
@@ -8,6 +8,11 @@ http://docs.zope.org/zope2/releases/.
 2.12.21 (unreleased)
 --------------------
 
+- Provide security declarations for `BTreeFolder2Base` class, instead of only
+  for `BTreeFolder2` via the `OFS.Folder` mix-in.
+
+- LP #902068: Fixed missing security declaration for `ObjectManager` class.
+
 - Fixed serious authentication vulnerability in stock configuration.
 
 2.12.20 (2011-10-04)

diff --git a/src/OFS/ObjectManager.py b/src/OFS/ObjectManager.py
@@ -805,7 +805,7 @@ def get(self, key, default=None):
     def keys(self):
         return self.objectIds()
 
-    security.declareProtected(access_contents_information, 'get')
+    security.declareProtected(access_contents_information, 'items')
     def items(self):
         return self.objectItems()
 

diff --git a/src/Products/BTreeFolder2/BTreeFolder2.py b/src/Products/BTreeFolder2/BTreeFolder2.py
@@ -472,11 +472,15 @@ def _delObject(self, id, dp=1, suppress_events=False):
 
     # Aliases for mapping-like access.
     __len__ = objectCount
+    security.declareProtected(access_contents_information, 'keys')
     keys = objectIds
+    security.declareProtected(access_contents_information, 'values')
     values = objectValues
+    security.declareProtected(access_contents_information, 'items')
     items = objectItems
 
     # backward compatibility
+    security.declareProtected(access_contents_information, 'hasObject')
     hasObject = has_key
 
     security.declareProtected(access_contents_information, 'get')