Disallow selecting by uid.

uid is used internally during recursive calls and using uid can lead to traverse all lines of catalog.

Disallow selecting by uid.
uid is used internally during recursive calls and using uid can lead to traverse all lines of catalog.
93713240 · Łukasz Nowak · Alain Takoudjou · d752a9cb · 93713240
Commit 93713240 authored Apr 12, 2012 by Łukasz Nowak Committed by Alain Takoudjou Feb 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

product/ERP5Catalog/CatalogTool.py product/ERP5Catalog/CatalogTool.py +3 -0

No files found.
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -1081,6 +1081,9 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
    security.declarePublic('searchAndActivate')
    def searchAndActivate(self, *args, **kw):
      """Restricted version of _searchAndActivate"""
+      if 'uid' in kw:
+        raise TypeError("'uid' cannot be used to select documents as it is "
+          "used internally")
      return self._searchAndActivate(restricted=True, *args, **kw)

    security.declareProtected(Permissions.ManagePortal, 'upgradeSchema')