Only allow safe functions from Products.ERP5Type.Utils, not the whole module.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14579 20353a03-c40f-0410-a6d1-a30d3c3de9de

Only allow safe functions from Products.ERP5Type.Utils, not the whole module.
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14579 20353a03-c40f-0410-a6d1-a30d3c3de9de
7aa3992c · Jérome Perrin · 4d229d4a · 7aa3992c
Commit 7aa3992c authored May 23, 2007 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

product/ERP5Type/__init__.py product/ERP5Type/__init__.py +6 -3

No files found.
--- a/product/ERP5Type/__init__.py
+++ b/product/ERP5Type/__init__.py
@@ -67,7 +67,7 @@ def initialize( context ):
  portal_tools = ( ClassTool.ClassTool,
                   CacheTool.CacheTool,
                   MemcachedTool.MemcachedTool,
-		   SessionTool.SessionTool )
+                   SessionTool.SessionTool )
  # Do initialization step
  initializeProduct(context, this_module, globals(),
                         document_module = Document,
@@ -90,10 +90,13 @@ def initialize( context ):
  initializeLocalDocumentRegistry()

 from AccessControl.SecurityInfo import allow_module
+from AccessControl.SecurityInfo import ModuleSecurityInfo

 allow_module('Products.ERP5Type.Cache')
-allow_module('Products.ERP5Type.Utils') # XXX this looks dangerous
-                                        # selected methods only should be allowed eg. cartesianProduct
+ModuleSecurityInfo('Products.ERP5Type.Utils').declarePublic(
+    'sortValueList', 'convertToUpperCase', 'convertToMixedCase',
+    'cartesianProduct', 'sleep')
+
 allow_module('Products.ERP5Type.Message')
 allow_module('Products.ERP5Type.Error')
 allow_module('Products.ERP5Type.Log')