The delete_confirmation view does not enforce Delete objects permission on the parent of an object, but the delete action in CMFPlone does.
The delete_confirmation view registration only requires Delete objects on the object itself. It calls parent.manage_delObjects, which has a @security.protected(permissions.DeleteObjects) declaration, but this is not enforced when calling the method in Python like this, only when calling it through the web, ZMI-style.
I'm not sure whether this leads to a problem in the real world, but theoretically, if I have delete permission on an object but not its parent, then I'm not seeing the delete button in the UI, but I can still go to the delete_confirmation view by typing the URL and delete the object anyway.
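The gap described above, as an added illustration that is not Plone's or this project's code: a constructed stand-in for the security manager and content objects, with the reported check (object only) beside a hardened version that also requires Delete objects on the parent. The `Obj` class, `check_permission` and `make_tree` are assumptions of this model, not AccessControl APIs.

```python
"""Constructed model of the parent-permission gap; not Plone code."""
from dataclasses import dataclass, field

DELETE_OBJECTS = "Delete objects"


@dataclass
class Obj:
    """Stand-in for a Zope content object with a simplified permission map."""
    id: str
    parent: "Obj | None" = None
    # constructed: permission name -> set of user ids granted it
    grants: dict = field(default_factory=dict)
    children: dict = field(default_factory=dict)

    def manage_delObjects(self, ids):
        # In Zope the @security.protected(...) declaration on this method is only
        # enforced by the publisher (through-the-web / ZMI calls); a direct
        # Python call like the one below bypasses it entirely.
        for i in ids:
            del self.children[i]


def check_permission(user, permission, obj):
    """Explicit check, the role getSecurityManager().checkPermission plays in Zope."""
    return user in obj.grants.get(permission, set())


def delete_confirmation_original(user, obj):
    """Mirrors the reported behaviour: checks only the object, then calls the parent."""
    if not check_permission(user, DELETE_OBJECTS, obj):
        raise PermissionError("Unauthorized: Delete objects on object")
    obj.parent.manage_delObjects([obj.id])
    return True


def delete_confirmation_hardened(user, obj):
    """Also requires Delete objects on the parent, matching the delete action."""
    if not check_permission(user, DELETE_OBJECTS, obj):
        raise PermissionError("Unauthorized: Delete objects on object")
    if not check_permission(user, DELETE_OBJECTS, obj.parent):
        raise PermissionError("Unauthorized: Delete objects on parent")
    obj.parent.manage_delObjects([obj.id])
    return True


def make_tree():
    """Constructed fixture: user 'alice' may delete 'doc' but has no grant on 'folder'."""
    folder = Obj("folder")
    doc = Obj("doc", parent=folder, grants={DELETE_OBJECTS: {"alice"}})
    folder.children["doc"] = doc
    return folder, doc
```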