Commit b249b0dd authored by Tres Seaver's avatar Tres Seaver

Add permissions to some unprotected methods of 'OFS.ObjectManager'

Fixes LP #1094221.
parent 9f37c696
...@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/ ...@@ -8,6 +8,9 @@ http://docs.zope.org/zope2/
2.12.28 (unreleased) 2.12.28 (unreleased)
-------------------- --------------------
- LP #1094221: add permissions to some unprotected methods of
``OFS.ObjectManager``
- LP #1094049: prevent zlib-based DoS when parsing the cookie containing - LP #1094049: prevent zlib-based DoS when parsing the cookie containing
paste tokens. paste tokens.
......
...@@ -310,6 +310,7 @@ class ObjectManager(CopyContainer, ...@@ -310,6 +310,7 @@ class ObjectManager(CopyContainer,
raise AttributeError, id raise AttributeError, id
return default return default
security.declareProtected(access_contents_information, 'hasObject')
def hasObject(self, id): def hasObject(self, id):
"""Indicate whether the folder has an item by ID. """Indicate whether the folder has an item by ID.
...@@ -449,6 +450,7 @@ class ObjectManager(CopyContainer, ...@@ -449,6 +450,7 @@ class ObjectManager(CopyContainer,
# Return a tuple of mappings containing subobject meta-data # Return a tuple of mappings containing subobject meta-data
return tuple(map(lambda dict: dict.copy(), self._objects)) return tuple(map(lambda dict: dict.copy(), self._objects))
security.declareProtected(access_contents_information, 'objectIds_d')
def objectIds_d(self, t=None): def objectIds_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=() else: n=()
...@@ -459,9 +461,11 @@ class ObjectManager(CopyContainer, ...@@ -459,9 +461,11 @@ class ObjectManager(CopyContainer,
if id not in n: a(id) if id not in n: a(id)
return r return r
security.declareProtected(access_contents_information, 'objectValues_d')
def objectValues_d(self, t=None): def objectValues_d(self, t=None):
return map(self._getOb, self.objectIds_d(t)) return map(self._getOb, self.objectIds_d(t))
security.declareProtected(access_contents_information, 'objectItems_d')
def objectItems_d(self, t=None): def objectItems_d(self, t=None):
r=[] r=[]
a=r.append a=r.append
...@@ -469,6 +473,7 @@ class ObjectManager(CopyContainer, ...@@ -469,6 +473,7 @@ class ObjectManager(CopyContainer,
for id in self.objectIds_d(t): a((id, g(id))) for id in self.objectIds_d(t): a((id, g(id)))
return r return r
security.declareProtected(access_contents_information, 'objectMap_d')
def objectMap_d(self, t=None): def objectMap_d(self, t=None):
if hasattr(self, '_reserved_names'): n=self._reserved_names if hasattr(self, '_reserved_names'): n=self._reserved_names
else: n=() else: n=()
...@@ -479,6 +484,7 @@ class ObjectManager(CopyContainer, ...@@ -479,6 +484,7 @@ class ObjectManager(CopyContainer,
if d['id'] not in n: a(d.copy()) if d['id'] not in n: a(d.copy())
return r return r
security.declareProtected(access_contents_information, 'superValues')
def superValues(self, t): def superValues(self, t):
# Return all of the objects of a given type located in # Return all of the objects of a given type located in
# this object and containing objects. # this object and containing objects.
...@@ -547,6 +553,7 @@ class ObjectManager(CopyContainer, ...@@ -547,6 +553,7 @@ class ObjectManager(CopyContainer,
return self.manage_main(self, REQUEST, update_menu=1) return self.manage_main(self, REQUEST, update_menu=1)
security.declareProtected(access_contents_information, 'tpValues')
def tpValues(self): def tpValues(self):
# Return a list of subobjects, used by tree tag. # Return a list of subobjects, used by tree tag.
r=[] r=[]
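Review bot: The `superValues` declaration checks `access_contents_information` only on the object the method is called on, while the comment under its signature says it returns objects from "this object and containing objects". If the body (which lies outside this hunk) walks up the containment chain without a per-container check, a user holding the permission on a subfolder alone could still list matching objects in its parents. That is worth confirming, and at least recording with a comment such as `# NOTE: permission is checked on self only; parent containers are not re-checked`. The seven declarations in this file are also added without a regression test visible on this page; a test asserting that each of these names is protected by `access_contents_information` would keep a future method from shipping unprotected.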
......