The delete_confirmation view does not enforce the `Delete objects` permission on the parent of an object, but the delete action in CMFPlone does.

The delete_confirmation view registration only requires `Delete objects` on the object itself. It calls `parent.manage_delObjects`, which has a `@security.protected(permissions.DeleteObjects)` declaration, but this is not enforced when calling the method in Python like this, only when calling it through the web, ZMI style.

I'm not sure whether this leads to a problem in the real world, but theoretically, if I have delete permission on an object but not its parent, then I'm not seeing the delete button in the UI, but I can still go to the delete_confirmation view by typing the URL and delete the object anyway.

Better safe than sorry. What about adding something like this before the actual delete?

```python
from AccessControl import Unauthorized, getSecurityManager
from Products.CMFCore.permissions import DeleteObjects

sm = getSecurityManager()
if not sm.checkPermission(DeleteObjects, parent):
    raise Unauthorized("You do not have the permission to delete on the parent of the selected item.")
```
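The mechanism behind the report, as an added, self-contained model (this is not code from the Plone issue, from CMFPlone or from Zope): a `security.protected` declaration is metadata that the publisher consults when a method is reached by URL, so a view that calls `parent.manage_delObjects` from Python must check the parent itself. The `SecurityManager`, `Folder`, `Item`, `protected`, `publish` and `run` names below are stand-ins written for this example with the real names; the permission grants in `run` are a constructed scenario.

```python
"""Toy model of the delete_confirmation permission gap (not Zope/Plone code)."""

DeleteObjects = "Delete objects"  # same string as Products.CMFCore.permissions.DeleteObjects


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class SecurityManager:
    """Stand-in security manager: a per-object map of granted permissions."""

    def __init__(self, grants):
        self._grants = grants  # {object id: set of permission strings}

    def checkPermission(self, permission, obj):
        return permission in self._grants.get(obj.id, set())


_current_manager = None


def getSecurityManager():
    return _current_manager


def protected(permission):
    """Stand-in for ``@security.protected``: it only records metadata on the
    function, which is exactly why a direct Python call bypasses it."""
    def decorate(func):
        func.__protected_by__ = permission
        return func
    return decorate


class Item:
    def __init__(self, id):
        self.id = id
        self.aq_parent = None


class Folder(Item):
    def __init__(self, id, children=()):
        super().__init__(id)
        self._children = {}
        for child in children:
            child.aq_parent = self
            self._children[child.id] = child

    def objectIds(self):
        return list(self._children)

    @protected(DeleteObjects)
    def manage_delObjects(self, ids):
        for oid in ids:
            del self._children[oid]


def publish(obj, method_name, *args):
    """Model of the publisher path (typing the ZMI URL): the declared
    permission is enforced against the object the method lives on."""
    method = getattr(obj, method_name)
    permission = getattr(method, "__protected_by__", None)
    if permission and not getSecurityManager().checkPermission(permission, obj):
        raise Unauthorized(f"{permission} required on {obj.id}")
    return method(*args)


def delete_confirmation_unpatched(context):
    """The view as the issue describes it: the registration requires
    Delete objects on the object, then manage_delObjects is called directly."""
    sm = getSecurityManager()
    if not sm.checkPermission(DeleteObjects, context):  # the view registration
        raise Unauthorized(f"{DeleteObjects} required on {context.id}")
    context.aq_parent.manage_delObjects([context.id])  # parent is never checked


def delete_confirmation_patched(context):
    """Same view with the explicit parent check proposed in the thread."""
    sm = getSecurityManager()
    if not sm.checkPermission(DeleteObjects, context):
        raise Unauthorized(f"{DeleteObjects} required on {context.id}")
    parent = context.aq_parent
    if not sm.checkPermission(DeleteObjects, parent):
        raise Unauthorized("You do not have the permission to delete on the parent of the selected item.")
    parent.manage_delObjects([context.id])


def run(action, parent_ok=False):
    """Run ``action(doc, folder)`` as a user who holds Delete objects on the
    document and (only if parent_ok) on its folder; constructed scenario."""
    global _current_manager
    doc = Item("doc")
    folder = Folder("folder", [doc])
    grants = {"doc": {DeleteObjects}}
    if parent_ok:
        grants["folder"] = {DeleteObjects}
    _current_manager = SecurityManager(grants)
    try:
        action(doc, folder)
    except Unauthorized:
        return "refused"
    return "deleted" if "doc" not in folder.objectIds() else "untouched"


if __name__ == "__main__":
    print("ZMI path:      ", run(lambda doc, folder: publish(folder, "manage_delObjects", [doc.id])))
    print("unpatched view:", run(lambda doc, folder: delete_confirmation_unpatched(doc)))
    print("patched view:  ", run(lambda doc, folder: delete_confirmation_patched(doc)))
```

Running it shows the three outcomes side by side: the ZMI-style call is refused because the publisher checks the declaration on the folder, the unpatched view deletes the document with no permission on the folder, and the patched view refuses until the parent permission is granted.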