def disablePasResources(event): """Disable access to users/groups/roles management PAS plugins from browser as they have no protection from CSRF attacks. """ try: zport = getattr(event.app, 'zport', None) if not zport or getattr(zport.dmd, 'allowManageAccess', False): return for class_ in (ZODBUserManager.ZODBUserManager, ZODBGroupManager.ZODBGroupManager, ZODBRoleManager.ZODBRoleManager): security = ClassSecurityInfo() security.declareObjectPrivate() security.apply(class_) except AttributeError: pass