1.1 --- a/SubscriptionsTool.py
     1.2 +++ b/SubscriptionsTool.py
     1.3 @@ -38,6 +38,7 @@
     1.4  from Globals import InitializeClass, DTMLFile
     1.5  from Acquisition import aq_parent, aq_inner, aq_base
     1.6  from AccessControl import ClassSecurityInfo
     1.7 +from AccessControl import Unauthorized
     1.8  
     1.9  from zope.interface import implements
    1.10  
    1.11 @@ -53,6 +54,7 @@
    1.12  from Products.CMFCore.permissions import ModifyPortalContent
    1.13  
    1.14  from permissions import ViewMySubscriptions
    1.15 +from permissions import ViewSubscriptions
    1.16  from permissions import CanSubscribe
    1.17  from permissions import ManageSubscriptions
    1.18  
    1.19 @@ -924,6 +926,9 @@
    1.20          else:
    1.21              container = aq_parent(aq_inner(object))
    1.22  
    1.23 +        if not _checkPermission(ViewSubscriptions, obj):
    1.24 +            raise Unauthorized()
    1.25 +
    1.26          if event_type:
    1.27              subscriptions = self.getSubscriptionsFor(event_type, object, infos)
    1.28          else:
    1.29 @@ -962,6 +967,9 @@
    1.30          is notified.
    1.31          """
    1.32  
    1.33 +        if not _checkPermission(ViewSubscriptions, obj):
    1.34 +            raise Unauthorized()
    1.35 +
    1.36          members = {}
    1.37          groups = {}
    1.38          other = {}

     2.1 --- a/permissions.py
     2.2 +++ b/permissions.py
     2.3 @@ -41,5 +41,10 @@
     2.4  ViewMySubscriptions = 'View My Subscriptions'
     2.5  setDefaultRoles( ViewMySubscriptions, ('Manager', 'Member'))
     2.6  
     2.7 +ViewSubscriptions = 'View Subscriptions'
     2.8 +# Giving to Member by default because users already need to get to traverse
     2.9 +# to object to call subscriptions synthethic pages
    2.10 +setDefaultRoles( ViewSubscriptions, ('Manager', 'Member'))
    2.11 +
    2.12  CanNotifyContent = 'Can Notify Content'
    2.13  setDefaultRoles( CanNotifyContent, ('Manager', 'Owner', 'Member'))