manage_afterAdd, manage_afterClone and manage_beforeDelete should be private.

product/CMFActivity/ActivityTool.py

@@ -798,10 +798,12 @@ class ActivityTool (Folder, UniqueObject):
           url += urllib.quote('Cancel and invoke links visible')
           RESPONSE.redirect(url)
 
+    security.declarePrivate('manage_beforeDelete')
     def manage_beforeDelete(self, item, container):
         self.unsubscribe()
         Folder.inheritedAttribute('manage_beforeDelete')(self, item, container)
-
+    
+    security.declarePrivate('manage_afterAdd')
     def manage_afterAdd(self, item, container):
         self.subscribe()
         Folder.inheritedAttribute('manage_afterAdd')(self, item, container)

product/ERP5/Document/BaseCategory.py

@@ -66,6 +66,7 @@ class BaseCategory(CMFBaseCategory, XMLObject):
       #result.extend(self.portal_catalog())
       return result
 
+    security.declarePrivate('manage_afterAdd')
     def manage_afterAdd(self, item, container):
       """
          Reset Accessors

product/ERP5/Document/Bug.py

@@ -55,6 +55,7 @@ class Bug(Ticket):
                       , PropertySheet.Bug
                       )
 
+    security.declarePrivate('manage_afterClone')
     def manage_afterClone(self, item):
       Ticket.manage_afterClone(self, item)
       # delete existing bug lines

product/ERP5/Document/BusinessTemplate.py

@@ -4789,7 +4789,7 @@ Business Template is a set of definitions, such as skins, portal types and categ
       XMLObject.__init__(self, *args, **kw)
       self._clean()
 
-    security.declareProtected(Permissions.ManagePortal, 'manage_afterAdd')
+    security.declarePrivate('manage_afterAdd')
     def manage_afterAdd(self, item, container):
       """
         This is called when a new business template is added or imported.

product/ERP5/ERP5Site.py

@@ -364,6 +364,7 @@ class ERP5Site(FolderMixIn, CMFSite, CacheCookieMixin):
 
     return self
 
+  security.declarePrivate('manage_beforeDelete')
   def manage_beforeDelete(self, item, container):
     # skin is setup during __before_publishing_traverse__, which
     # doesn't happen when the object is being deleted from the management

product/ERP5/mixin/rule.py

@@ -474,6 +474,7 @@ class RuleMixin(Predicate):
 
 
 class SimulableMixin(Base):
+  security = ClassSecurityInfo()
 
   def updateSimulation(self, **kw):
     """Create/update related simulation trees by activity
@@ -600,6 +601,7 @@ class SimulableMixin(Base):
         return applied_rule
       raise SimulationError("No such rule as %r is found" % rule_reference)
 
+  security.declarePrivate('manage_beforeDelete')
   def manage_beforeDelete(self, item, container):
     """Delete related Applied Rule"""
     for o in self.getCausalityRelatedValueList(portal_type='Applied Rule'):

product/ERP5/mixin/timer_service.py

@@ -68,12 +68,12 @@ class TimerServiceMixin(object):
       return "Usubscribed from Timer Service"
     return "TimerService not available"
 
-  security.declareProtected(Permissions.ManageProperties, 'manage_beforeDelete')
+  security.declarePrivate('manage_beforeDelete')
   def manage_beforeDelete(self, *args, **kw):
     self.unsubscribe()
     super(TimerServiceMixin, self).manage_beforeDelete(*args, **kw)
 
-  security.declareProtected(Permissions.ManageProperties, 'manage_afterAdd')
+  security.declarePrivate('manage_afterAdd')
   def manage_afterAdd(self, *args, **kw):
     self.unsubscribe()
     super(TimerServiceMixin, self).manage_afterAdd(*args, **kw)

product/ERP5Banking/Document/BankingOperation.py

@@ -64,7 +64,8 @@ class BankingOperation(BaobabMixin, AccountingTransaction):
                     , PropertySheet.ItemAggregation
                     , PropertySheet.Amount
                     )
-
+  
+  security.declarePrivate('manage_beforeDelete')
   def manage_beforeDelete(self, item, container):
     """
     The right of deleting must be define by workflows

product/ERP5Type/CopySupport.py

@@ -234,6 +234,7 @@ class CopyContainer:
               return self.manage_main(self, REQUEST, update_menu=1)
 
   # Copy and paste support
+  security.declarePrivate('manage_afterClone')
   def manage_afterClone(self, item):
     """
         Add self to the workflow.
@@ -316,6 +317,7 @@ class CopyContainer:
       script()
 
 
+  security.declarePrivate('manage_afterAdd')
   def manage_afterAdd(self, item, container):
       """
           Add self to the catalog.
@@ -328,6 +330,7 @@ class CopyContainer:
           if getattr(self, 'isIndexable', 1):
             self.__recurse('manage_afterAdd', item, container)
 
+  security.declarePrivate('manage_beforeDelete')
   def manage_beforeDelete(self, item, container):
       """
           Remove self from the catalog.

product/Formulator/Field.py

@@ -554,7 +554,7 @@ class ZMIField(
                 getattr(self, method_name)(values[key])
 
 
-    security.declareProtected('Change Formulator Forms', 'manage_beforeDelete')
+    security.declarePrivate('manage_beforeDelete')
     def manage_beforeDelete(self, item, container):
         """Remove name from list if object is deleted.
         """
@@ -562,7 +562,7 @@ class ZMIField(
         if hasattr(item.aq_explicit, 'is_field'):
             container.field_removed(item.id)
 
-    security.declareProtected('Change Formulator Forms', 'manage_afterAdd')
+    security.declarePrivate('manage_afterAdd')
     def manage_afterAdd(self, item, container):
         """What happens when we add a field.
         """

product/ZMySQLDA/DA.py

@@ -99,6 +99,7 @@ from App.ImageFile import ImageFile
 from DateTime import DateTime
 from . import DABase
 from .db import DB, DeferredDB
+from AccessControl import ClassSecurityInfo
 
 SHARED_DC_ZRDB_LOCATION = os.path.dirname(Shared.DC.ZRDB.__file__)
 
@@ -132,6 +133,7 @@ class Connection(DABase.Connection):
     id='%s_database_connection' % database_type
     meta_type=title='Z %s Database Connection' % database_type
     icon='misc_/Z%sDA/conn' % database_type
+    security = ClassSecurityInfo()
 
     manage_properties=HTMLFile('connectionEdit', globals())
 
@@ -139,6 +141,7 @@ class Connection(DABase.Connection):
 
     def factory(self): return DB
 
+    security.declarePrivate('manage_beforeDelete')
     def manage_beforeDelete(self, item, container):
         database_connection_pool.get(self._p_oid, {}).pop(self._p_jar, None)