Commit 2bd0564c authored by Tres Seaver's avatar Tres Seaver

Add permissions to some unprotected methods of 'OFS.ObjectManager'

Fixes LP #1094221.
parent 6ca36919
......@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased)
--------------------
- LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``.
- LP #1094049: prevent zlib-based DoS when parsing the cookie containing
paste tokens.
......
......@@ -301,6 +301,7 @@ class ObjectManager(CopyContainer,
raise AttributeError, id
return default
security.declareProtected(access_contents_information, 'hasObject')
def hasObject(self, id):
"""Indicate whether the folder has an item by ID.
......@@ -440,6 +441,7 @@ class ObjectManager(CopyContainer,
# Return a tuple of mappings containing subobject meta-data
return tuple(d.copy() for d in self._objects)
security.declareProtected(access_contents_information, 'objectIds_d')
def objectIds_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=()
......@@ -450,9 +452,11 @@ class ObjectManager(CopyContainer,
if id not in n: a(id)
return r
security.declareProtected(access_contents_information, 'objectValues_d')
def objectValues_d(self, t=None):
return map(self._getOb, self.objectIds_d(t))
security.declareProtected(access_contents_information, 'objectItems_d')
def objectItems_d(self, t=None):
r=[]
a=r.append
......@@ -460,6 +464,7 @@ class ObjectManager(CopyContainer,
for id in self.objectIds_d(t): a((id, g(id)))
return r
security.declareProtected(access_contents_information, 'objectMap_d')
def objectMap_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=()
......@@ -470,6 +475,7 @@ class ObjectManager(CopyContainer,
if d['id'] not in n: a(d.copy())
return r
security.declareProtected(access_contents_information, 'superValues')
def superValues(self, t):
# Return all of the objects of a given type located in
# this object and containing objects.
......@@ -537,6 +543,7 @@ class ObjectManager(CopyContainer,
return self.manage_main(self, REQUEST, update_menu=1)
security.declareProtected(access_contents_information, 'tpValues')
def tpValues(self):
# Return a list of subobjects, used by tree tag.
r=[]
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment