Disallow selecting by uid.

uid is used internally during recursive calls and using uid can lead to traverse all lines of catalog.

Disallow selecting by uid.
uid is used internally during recursive calls and using uid can lead to traverse all lines of catalog.
bfdcec37 · Łukasz Nowak · Rafael Monnerat · af06a551 · bfdcec37
Commit bfdcec37 authored Apr 12, 2012 by Łukasz Nowak Committed by Rafael Monnerat Jul 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

product/ERP5Catalog/CatalogTool.py product/ERP5Catalog/CatalogTool.py +3 -0

No files found.
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -1223,6 +1223,9 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
    security.declarePublic('searchAndActivate')
    def searchAndActivate(self, *args, **kw):
      """Restricted version of _searchAndActivate"""
+      if 'uid' in kw:
+        raise TypeError("'uid' cannot be used to select documents as it is "
+          "used internally")
      return self._searchAndActivate(restricted=True, *args, **kw)

    security.declareProtected(Permissions.ManagePortal, 'upgradeSchema')