- Fix missing access control on ZODB Role Manager enumerateRoles

Author: dataflake

CHANGES.rst

@@ -4,6 +4,8 @@ Change Log
 2.6.0 (unreleased)
 ------------------
 
+- Fix missing access control on ZODB Role Manager ``enumerateRoles``
+
 - Fix open redirect issue in `Cookie Auth Helper` redirect handling
 
 - Add support for Python 3.9.

src/Products/PluggableAuthService/plugins/ZODBRoleManager.py

@@ -112,6 +112,7 @@ def getRolesForPrincipal(self, principal, request=None):
     #
     #   IRoleEnumerationPlugin implementation
     #
+    @security.private
     def enumerateRoles(self, id=None, exact_match=False, sort_by=None,
                        max_results=None, **kw):
         """ See IRoleEnumerationPlugin.