Open reinhardt opened 2 years ago
@plone/security-team Do you think this is worth looking into?
Better safe than sorry. What about adding something like this before the actual delete?

```python
from AccessControl import getSecurityManager
from Products.CMFCore.permissions import DeleteObjects
from zExceptions import Unauthorized

# Explicit check: the parent's @security.protected declaration on
# manage_delObjects is not consulted when it is called from Python.
sm = getSecurityManager()
if not sm.checkPermission(DeleteObjects, parent):
    raise Unauthorized("You do not have the permission to delete on the parent of the selected item.")
```
The delete_confirmation view does not enforce the `Delete objects` permission on the parent of an object, but the delete action in CMFPlone does. The delete_confirmation view registration only requires `Delete objects` on the object itself. It calls `parent.manage_delObjects`, which has a `@security.protected(permissions.DeleteObjects)` declaration, but this is not enforced when calling the method in Python like this, only when calling it through the web, ZMI style.

I'm not sure whether this leads to a problem in the real world, but theoretically, if I have delete permission on an object but not its parent, then I'm not seeing the delete button in the UI, but I can still go to the delete_confirmation view by typing the URL and delete the object anyway.
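The point made above, that a `@security.protected` declaration is enforced by the publisher on web requests but not on a direct Python call, is easier to see in a small self-contained model. The following is an added illustration, not code from Plone, CMFPlone or this issue: the classes `Folder`, `SecurityManager`, the `security_protected` decorator and the `publish` function are constructed stand-ins that mimic the shape of the real APIs (`manage_delObjects`, `checkPermission`, `Unauthorized`) without depending on Zope. It places the unchecked view beside the version with the explicit parent check, and shows that the same deletion is refused when it goes through the publisher path.

```python
"""Toy model of declarative (publisher-enforced) security versus explicit checks.

Constructed illustration only: names mimic Zope/Plone APIs but are stand-ins.
"""

DELETE_OBJECTS = "Delete objects"


class Unauthorized(Exception):
    """Stand-in for AccessControl's Unauthorized."""


def security_protected(permission):
    """Mimics @security.protected: it only annotates the method.

    Nothing here checks anything; enforcement is the publisher's job, which is
    exactly why a direct Python call of the method bypasses it."""
    def decorate(fn):
        fn.__required_permission__ = permission
        return fn
    return decorate


class Folder:
    """Minimal container: children keyed by id, with a back-reference to the parent."""
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}
        if parent is not None:
            parent.children[name] = self

    @security_protected(DELETE_OBJECTS)
    def manage_delObjects(self, ids):
        for oid in ids:
            del self.children[oid]


class SecurityManager:
    """Holds a constructed grant map: {(user, object name): {permissions}}."""
    def __init__(self, user, grants):
        self.user = user
        self.grants = grants

    def checkPermission(self, permission, obj):
        return permission in self.grants.get((self.user, obj.name), set())


def publish(sm, obj, method_name, *args):
    """The web (ZMI-style) path: looks up the declaration and enforces it."""
    method = getattr(obj, method_name)
    required = getattr(method, "__required_permission__", None)
    if required and not sm.checkPermission(required, obj):
        raise Unauthorized(f"{required!r} required on {obj.name}")
    return method(*args)


def delete_confirmation_unchecked(sm, obj):
    """The pattern described in the issue: the view only requires the permission
    on obj, then calls the parent's method from Python, so the parent's
    declaration is never consulted."""
    if not sm.checkPermission(DELETE_OBJECTS, obj):
        raise Unauthorized(f"{DELETE_OBJECTS!r} required on {obj.name}")
    obj.parent.manage_delObjects([obj.name])


def delete_confirmation_checked(sm, obj):
    """Same view with the explicit parent check proposed in the thread."""
    if not sm.checkPermission(DELETE_OBJECTS, obj):
        raise Unauthorized(f"{DELETE_OBJECTS!r} required on {obj.name}")
    parent = obj.parent
    if not sm.checkPermission(DELETE_OBJECTS, parent):
        raise Unauthorized("You do not have the permission to delete on the parent of the selected item.")
    parent.manage_delObjects([obj.name])


def _fresh_tree():
    """Constructed fixture: 'alice' may delete on 'doc' but not on its parent 'site'."""
    site = Folder("site")
    doc = Folder("doc", parent=site)
    sm = SecurityManager("alice", {("alice", "doc"): {DELETE_OBJECTS}})
    return site, doc, sm


def scenario(view):
    """Run a view against the fixture; return (doc still present, Unauthorized raised)."""
    site, doc, sm = _fresh_tree()
    try:
        view(sm, doc)
        raised = False
    except Unauthorized:
        raised = True
    return "doc" in site.children, raised


def scenario_via_publisher():
    """Same deletion requested through the publisher path instead of a Python call."""
    site, doc, sm = _fresh_tree()
    try:
        publish(sm, site, "manage_delObjects", ["doc"])
        raised = False
    except Unauthorized:
        raised = True
    return "doc" in site.children, raised


if __name__ == "__main__":
    print("unchecked view:", scenario(delete_confirmation_unchecked))
    print("checked view:  ", scenario(delete_confirmation_checked))
    print("via publisher: ", scenario_via_publisher())
```

Running it shows the unchecked view deleting `doc` even though the user has no grant on `site`, while both the explicitly checked view and the publisher path refuse. The practical takeaway is the one the thread already reaches: a view that reaches into a container from Python has to perform the container's permission check itself, rather than relying on the container method's declaration.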