Protect views of ZPT source with 'View Management Screens' permision.

Fixes LP #978980.

Protect views of ZPT source with 'View Management Screens' permision.
Fixes LP #978980.
c12ebd20 · Tres Seaver · 3c92e1f6 · c12ebd20 · c12ebd20
Commit c12ebd20 authored Feb 20, 2013 by Tres Seaver
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

doc/CHANGES.rst doc/CHANGES.rst +3 -0

src/Products/PageTemplates/ZopePageTemplate.py src/Products/PageTemplates/ZopePageTemplate.py +4 -0

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/releases/.
 2.12.27 (unreleased)
 --------------------
+- LP #978980: Protect views of ZPT source with 'View Management Screens'
+  permision.
 2.12.26 (2012-10-31)
 --------------------

--- a/src/Products/PageTemplates/ZopePageTemplate.py
+++ b/src/Products/PageTemplates/ZopePageTemplate.py
@@ -57,6 +57,8 @@ if os.environ.has_key('ZPT_PREFERRED_ENCODING'):
 class Src(Explicit):
    """ I am scary code """
+    security = ClassSecurityInfo()
+    security.declareObjectProtected(view_management_screens)
    PUT = document_src = Acquired
    index_html = None
@@ -69,6 +71,8 @@ class Src(Explicit):
        " "
        return self.document_src(REQUEST)
+InitializeClass(Src)
 class ZopePageTemplate(Script, PageTemplate, Historical, Cacheable,
                       Traversable, PropertyManager):
    "Zope wrapper for Page Template using TAL, TALES, and METAL"