From 2b33f6beb820c23d10e901fe374fc44f6ca18414 Mon Sep 17 00:00:00 2001
From: Romain Courteaud <romain@nexedi.com>
Date: Fri, 21 Nov 2008 14:20:16 +0000
Subject: [PATCH] Use restrictedTraverse instead of getattr to prevent
 Unauthorized error

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@24659 20353a03-c40f-0410-a6d1-a30d3c3de9de
---
 .../CurrencyModule_getCurrencyItemList.xml     | 18 ++++++++++--------
 bt5/erp5_base/bt/revision                      |  2 +-
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/CurrencyModule_getCurrencyItemList.xml b/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/CurrencyModule_getCurrencyItemList.xml
index 8cda55d999..ac6fa1a521 100644
--- a/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/CurrencyModule_getCurrencyItemList.xml
+++ b/bt5/erp5_base/SkinTemplateItem/portal_skins/erp5_base/CurrencyModule_getCurrencyItemList.xml
@@ -60,15 +60,17 @@ def getCurrencyItemList(include_empty=1, portal_path=""):\n
   result = []\n
   if include_empty :\n
     result = [[\'\', \'\'],]\n
-  currency_module = getattr(portal, \'currency_module\',\n
-                        getattr(portal, \'currency\', None))\n
+  currency_module = portal.restrictedTraverse(\n
+                             \'currency_module\', \n
+                             portal.restrictedTraverse(\'currency\', None))\n
 \n
-  for currency in LazyFilter(currency_module.contentValues(), skip=\'View\'):\n
-    if not skip_invalidated or \\\n
-          currency.getProperty(\'validation_state\', \'default\') != \'invalidated\':\n
-      # for currency, we intentionaly use reference (EUR) not title (Euros).\n
-      result.append((currency.getReference() or currency.getTitleOrId(),\n
-                     currency.getRelativeUrl()))\n
+  if currency_module is not None:\n
+    for currency in LazyFilter(currency_module.contentValues(), skip=\'View\'):\n
+      if not skip_invalidated or \\\n
+            currency.getProperty(\'validation_state\', \'default\') != \'invalidated\':\n
+        # for currency, we intentionaly use reference (EUR) not title (Euros).\n
+        result.append((currency.getReference() or currency.getTitleOrId(),\n
+                       currency.getRelativeUrl()))\n
   \n
   result.sort(key=lambda x: x[0])\n
   return result\n
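Review bot: The lookup `portal.restrictedTraverse('currency_module', portal.restrictedTraverse('currency', None))` makes a denied access indistinguishable from a missing module. With a default supplied, restrictedTraverse is expected to return that default when the security check fails as well as when the object does not exist, and the new `if currency_module is not None:` guard then returns an empty (or blank-only) list with no trace. If that silent degradation is intended, document it above the guard, for example `# module missing or not accessible to this user: return no currencies`, so a permissions misconfiguration is not later mistaken for an empty module. The inner 'currency' traversal is also evaluated on every call, even when 'currency_module' resolves. The body of getCurrencyItemList starts before this hunk, so how `portal` and `skip_invalidated` are derived is not visible here.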
diff --git a/bt5/erp5_base/bt/revision b/bt5/erp5_base/bt/revision
index 281cd66131..4af7c92223 100644
--- a/bt5/erp5_base/bt/revision
+++ b/bt5/erp5_base/bt/revision
@@ -1 +1 @@
-469
\ No newline at end of file
+470
\ No newline at end of file
-- 
2.30.9