The delete_confirmation view does not enforce the "Delete objects" permission on the parent of an object, but the delete action in CMFPlone does.
The delete_confirmation view registration only requires "Delete objects" on the object itself. It calls parent.manage_delObjects, which has a @security.protected(permissions.DeleteObjects) declaration, but that declaration is only enforced when the method is called through the web (ZMI style), not when it is called from Python as the view does.
I'm not sure whether this leads to a problem in the real world, but theoretically, if I have delete permission on an object but not its parent, then I'm not seeing the delete button in the UI, but I can still go to the delete_confirmation view by typing the URL and delete the object anyway.
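The gap above comes from how Zope's declarative security works: a `@security.protected` declaration is checked by the publisher on a through-the-web call, never on a plain Python call. The following is an added, constructed toy model (not Zope's or Plone's code) that reproduces that behaviour: `protected` only records a permission, `publish` enforces it the way the web publisher does, `check_permission` stands in for AccessControl's `getSecurityManager().checkPermission(permission, obj)`, and the two `delete_confirmation_*` functions show the reported view beside one that also checks the parent. The `Folder`, `grants` and `build_tree` names are assumptions made for the model.

```python
# Constructed toy model of Zope-style declarative security (not Zope/Plone code).
DELETE_OBJECTS = "Delete objects"

def protected(permission):
    """Like @security.protected: records the permission, enforces nothing itself."""
    def deco(func):
        func.__permission__ = permission
        return func
    return deco

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.items = name, parent, {}
        self.grants = set()  # permissions the current user holds on this object
        if parent is not None:
            parent.items[name] = self

    @protected(DELETE_OBJECTS)
    def manage_delObjects(self, ids):
        for id_ in ids:
            del self.items[id_]

def check_permission(permission, obj):
    """Stand-in for getSecurityManager().checkPermission(permission, obj)."""
    return permission in obj.grants

def publish(obj, method_name, *args):
    """What the web publisher (ZMI-style call) does: enforce the declaration."""
    method = getattr(obj, method_name)
    if not check_permission(method.__permission__, obj):
        raise PermissionError(method_name)
    return method(*args)
def delete_confirmation_reported(context):
    """As reported: checks context only; the parent's @protected is never enforced."""
    if not check_permission(DELETE_OBJECTS, context):
        raise PermissionError("view")
    context.parent.manage_delObjects([context.name])
def delete_confirmation_fixed(context):
    """Hardened: also require the permission on the parent, as the delete action does."""
    if not check_permission(DELETE_OBJECTS, context.parent):
        raise PermissionError("parent")
    delete_confirmation_reported(context)

def build_tree(grant_on_parent):  # constructed site: user may always delete 'doc'
    root = Folder("root")
    doc = Folder("doc", root)
    doc.grants.add(DELETE_OBJECTS)
    if grant_on_parent:
        root.grants.add(DELETE_OBJECTS)
    return root, doc
```

With `build_tree(False)` the reported view removes `doc` even though the user holds nothing on `root`, while the fixed view and a `publish` call on `root` both refuse.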