From 1392709ed2583895291f92624d2f702f6dd54d5c Mon Sep 17 00:00:00 2001
From: Yoshinori Okuji <yo@nexedi.com>
Date: Wed, 19 Oct 2005 12:42:27 +0000
Subject: [PATCH] Use the permission ManagePortal rather than View for
 showDict, for possible information leaks.

Add a new debugging method, showPermissions. This code was copied from
BusinessTemplate, so it might be better to use this method in
BusinessTemplate rather than duplicating the code.


git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@4075 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 product/ERP5Type/Base.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/product/ERP5Type/Base.py b/product/ERP5Type/Base.py
index 9f73958bd5..646ad7bb67 100755
--- a/product/ERP5Type/Base.py
+++ b/product/ERP5Type/Base.py
@@ -29,7 +29,7 @@
 import ExtensionClass
 from Globals import InitializeClass, DTMLFile, PersistentMapping
 from AccessControl import ClassSecurityInfo
-from AccessControl.Permission import pname
+from AccessControl.Permission import pname, Permission
 from Acquisition import aq_base, aq_inner, aq_acquire, aq_chain
 
 from Products.CMFCore.PortalContent import PortalContent
@@ -1151,7 +1151,7 @@ class Base( CopyContainer, PortalContent, ActiveObject, ERP5PropertyManager ):
     pass
 
   # For Debugging
-  security.declareProtected( Permissions.View, 'showDict' )
+  security.declareProtected( Permissions.ManagePortal, 'showDict' )
   def showDict(self):
     """
       Returns the dictionnary of the object
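Review bot: showDict still returns the live `self.__dict__` (the return statement is visible as context in the next hunk), so a caller that passes the ManagePortal check gets a mutable reference to the object's state rather than a snapshot. For a debugging read-out, `return self.__dict__.copy()` would prevent accidental writes that bypass the accessors, although a shallow copy still shares nested values. The docstring should also record why the method is restricted, for example `Restricted to ManagePortal: exposes every instance attribute, including ones ordinary viewers must not see.` The body of showDict continues past the end of this hunk.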
@@ -1159,6 +1159,20 @@ class Base( CopyContainer, PortalContent, ActiveObject, ERP5PropertyManager ):
     """
     return self.__dict__
 
+  security.declareProtected( Permissions.ManagePortal, 'showPermissions' )
+  def showPermissions(self, all=1):
+    """
+      Return the tuple of permissions
+      Only for debugging
+    """
+    permission_list = []
+    for permission in self.ac_inherited_permissions(all=all):
+      name, value = permission[:2]
+      role_list = Permission(name, value, self).getRoles(default=[])
+      permission_list.append((name, role_list))
+
+    return tuple(permission_list)
+
   # Private accessors for the implementation of relations based on
   # categories
   security.declareProtected( Permissions.ModifyPortalContent, '_setValue' )
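Review bot: The showPermissions docstring says it returns "the tuple of permissions", but the loop appends `(name, role_list)` pairs, so the result is the object's full permission-to-role mapping. The docstring should state that shape and the reason for the guard, for example `Return a tuple of (permission name, roles) pairs. Debugging only; restricted to ManagePortal because it reveals the security settings.` If I read AccessControl correctly, `getRoles` returns a list when roles are acquired and a tuple when they are not, which deserves a line in the docstring; please confirm. The parameter `all` shadows the builtin. It mirrors the keyword of `ac_inherited_permissions`, so keeping it is defensible, but a short comment saying so would help.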
-- 
2.30.9