Publish Folder.recursiveReindexObject

With the removal of Folder_reindexAll, it has become laborious to reindex a whole module, and it was often done in an unsafe way (create a dummy wrapper script in custom skin folder, without thinking about security).

Publish Folder.recursiveReindexObject
With the removal of Folder_reindexAll, it has become laborious to reindex a whole module, and it was often done in an unsafe way (create a dummy wrapper script in custom skin folder, without thinking about security).
fa64d07f · Julien Muchembled · 446ecbd9 · fa64d07f
Commit fa64d07f authored Aug 21, 2019 by Julien Muchembled
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletion

product/ERP5Type/Core/Folder.py product/ERP5Type/Core/Folder.py +13 -1

No files found.
--- a/product/ERP5Type/Core/Folder.py
+++ b/product/ERP5Type/Core/Folder.py
@@ -1304,7 +1304,19 @@ class Folder(OFSFolder2, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn):
    )(*args, **kw)

  security.declarePublic('recursiveReindexObject')
-  def recursiveReindexObject(self, activate_kw=None, **kw):
+  def recursiveReindexObject(self, activate_kw=None, REQUEST=None, **kw):
+    """Recursively indexes the content of self.
+    """
+    if REQUEST is not None:
+      # Being able to trigger recursive reindexation from URL is convenient
+      # when administrating an ERP5 instance. However, appropriate security
+      # is important to prevent DoS on big objects (in number of subobjects),
+      # i.e. modules. For consistency, we check the same permission as for
+      # reindexObjectSecurity. A normal user is usually not allowed to modify
+      # a module (only add/delete subobjects).
+      if not getSecurityManager().checkPermission(
+          Permissions.ModifyPortalContent, self):
+        raise AccessControl_Unauthorized
    if self.isAncestryIndexable():
      kw, activate_kw = self._getReindexAndActivateParameterDict(
        kw,