Commit 2bd0564c authored by Tres Seaver's avatar Tres Seaver

Add permissions to some unprotected methods of 'OFS.ObjectManager'

Fixes LP #1094221.
parent 6ca36919
...@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/ ...@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
2.13.21 (unreleased) 2.13.21 (unreleased)
-------------------- --------------------
- LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``.
- LP #1094049: prevent zlib-based DoS when parsing the cookie containing - LP #1094049: prevent zlib-based DoS when parsing the cookie containing
paste tokens. paste tokens.
......
...@@ -301,6 +301,7 @@ class ObjectManager(CopyContainer, ...@@ -301,6 +301,7 @@ class ObjectManager(CopyContainer,
raise AttributeError, id raise AttributeError, id
return default return default
security.declareProtected(access_contents_information, 'hasObject')
def hasObject(self, id): def hasObject(self, id):
"""Indicate whether the folder has an item by ID. """Indicate whether the folder has an item by ID.
...@@ -440,6 +441,7 @@ class ObjectManager(CopyContainer, ...@@ -440,6 +441,7 @@ class ObjectManager(CopyContainer,
# Return a tuple of mappings containing subobject meta-data # Return a tuple of mappings containing subobject meta-data
return tuple(d.copy() for d in self._objects) return tuple(d.copy() for d in self._objects)
security.declareProtected(access_contents_information, 'objectIds_d')
def objectIds_d(self, t=None): def objectIds_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=() else: n=()
...@@ -450,9 +452,11 @@ class ObjectManager(CopyContainer, ...@@ -450,9 +452,11 @@ class ObjectManager(CopyContainer,
if id not in n: a(id) if id not in n: a(id)
return r return r
security.declareProtected(access_contents_information, 'objectValues_d')
def objectValues_d(self, t=None): def objectValues_d(self, t=None):
return map(self._getOb, self.objectIds_d(t)) return map(self._getOb, self.objectIds_d(t))
security.declareProtected(access_contents_information, 'objectItems_d')
def objectItems_d(self, t=None): def objectItems_d(self, t=None):
r=[] r=[]
a=r.append a=r.append
...@@ -460,6 +464,7 @@ class ObjectManager(CopyContainer, ...@@ -460,6 +464,7 @@ class ObjectManager(CopyContainer,
for id in self.objectIds_d(t): a((id, g(id))) for id in self.objectIds_d(t): a((id, g(id)))
return r return r
security.declareProtected(access_contents_information, 'objectMap_d')
def objectMap_d(self, t=None): def objectMap_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=() else: n=()
...@@ -470,6 +475,7 @@ class ObjectManager(CopyContainer, ...@@ -470,6 +475,7 @@ class ObjectManager(CopyContainer,
if d['id'] not in n: a(d.copy()) if d['id'] not in n: a(d.copy())
return r return r
security.declareProtected(access_contents_information, 'superValues')
def superValues(self, t): def superValues(self, t):
# Return all of the objects of a given type located in # Return all of the objects of a given type located in
# this object and containing objects. # this object and containing objects.
...@@ -537,6 +543,7 @@ class ObjectManager(CopyContainer, ...@@ -537,6 +543,7 @@ class ObjectManager(CopyContainer,
return self.manage_main(self, REQUEST, update_menu=1) return self.manage_main(self, REQUEST, update_menu=1)
security.declareProtected(access_contents_information, 'tpValues')
def tpValues(self): def tpValues(self):
# Return a list of subobjects, used by tree tag. # Return a list of subobjects, used by tree tag.
r=[] r=[]
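Review bot: The declaration added before `superValues` is enforced on the object the method is called on, yet the comment in the hunk says it returns objects from "this object and containing objects". The body is outside this hunk; if it collects from parent containers without a per-container check, a caller holding `access_contents_information` only on a subfolder would still receive objects from ancestors. That is worth confirming and recording next to the declaration, e.g. `# NOTE: permission is checked on self only; objects gathered from containing folders get no per-container check`. No test change is visible on this page for the seven new declarations (`hasObject`, the four `*_d` variants, `superValues`, `tpValues`). A test asserting that each name is bound to the permission after class initialization would stop a later refactor from silently dropping one.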
......