delete_confirmation permission inconsistency #242

Open
reinhardt opened this issue Mar 4, 2022 · 2 comments

@reinhardt
Contributor

The delete_confirmation view does not enforce Delete objects permission on the parent of an object, but the delete action in CMFPlone does.

The delete_confirmation view registration only requires Delete objects on the object itself. It calls parent.manage_delObjects, which has a @security.protected(permissions.DeleteObjects) declaration, but this is not enforced when calling the method in Python like this, only when calling it through the web, ZMI style.

I'm not sure whether this leads to a problem in the real world, but theoretically, if I have delete permission on an object but not its parent, then I'm not seeing the delete button in the UI, but I can still go to the delete_confirmation view by typing the URL and delete the object anyway.

@reinhardt
Contributor Author

@plone/security-team Do you think this is worth looking into?

@jensens
Member

jensens commented Aug 24, 2022

Better safe than sorry. What about adding something like this before the actual delete?

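    from AccessControl import getSecurityManager, Unauthorized
    from Products.CMFCore.permissions import DeleteObjects

    sm = getSecurityManager()
    if not sm.checkPermission(DeleteObjects, parent):
        raise Unauthorized("You do not have the permission to delete on the parent of the selected item.")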
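
The gap described in this thread, as a simplified pure-Python model added here as an example; it is not code from the thread, from Plone or from AccessControl. `Item`, `protected`, `publish`, `attempt` and `demo` are hypothetical stand-ins, the user `alice` and the content tree are constructed, and the model assumes permissions are held per object with no acquisition.

```python
from contextlib import suppress
DELETE = "Delete objects"  # constructed stand-in for permissions.DeleteObjects
class Unauthorized(Exception): pass  # stand-in for Zope's Unauthorized

def protected(permission):
    """Model of a security declaration: records the permission, checks nothing."""
    def mark(func):
        func.required_permission = permission
        return func
    return mark

class Item:
    def __init__(self, name, parent=None, grants=()):
        self.name, self.parent, self.children = name, parent, {}
        self.grants = set(grants)  # (user, permission) pairs held on this object
        if parent is not None:
            parent.children[name] = self
    def allows(self, user, permission):
        return (user, permission) in self.grants
    @protected(DELETE)
    def manage_delObjects(self, names):
        for name in names:
            del self.children[name]

def publish(user, obj, method_name, *args):
    """Model of a through-the-web call: the declaration is checked first."""
    method = getattr(obj, method_name)
    if not obj.allows(user, method.required_permission):
        raise Unauthorized(method_name)
    return method(*args)

def delete_confirmation(user, obj, check_parent=False):
    """View guarded on obj only; check_parent adds the check proposed above."""
    if not obj.allows(user, DELETE):
        raise Unauthorized("view")
    if check_parent and not obj.parent.allows(user, DELETE):
        raise Unauthorized("parent")
    obj.parent.manage_delObjects([obj.name])  # plain Python call: no check runs

def attempt(action):
    folder = Item("folder")  # constructed case: alice holds nothing on the parent
    doc = Item("doc", folder, grants={("alice", DELETE)})
    with suppress(Unauthorized):
        action(folder, doc)
    return "kept" if "doc" in folder.children else "deleted"

def demo():
    return [attempt(lambda f, d: publish("alice", f, "manage_delObjects", ["doc"])),
            attempt(lambda f, d: delete_confirmation("alice", d)),
            attempt(lambda f, d: delete_confirmation("alice", d, True))]
```

`demo()` returns the outcome of the published call, the view as registered, and the view with the parent check, in that order.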
