Prevent indexing _View_Permission in roles_and_users.

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@32275 20353a03-c40f-0410-a6d1-a30d3c3de9de

Prevent indexing _View_Permission in roles_and_users.
git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@32275 20353a03-c40f-0410-a6d1-a30d3c3de9de
a14aaa6f · Yoshinori Okuji · f1157edc · a14aaa6f
Commit a14aaa6f authored Feb 05, 2010 by Yoshinori Okuji
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

product/ERP5Catalog/CatalogTool.py product/ERP5Catalog/CatalogTool.py +6 -0

No files found.
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -110,6 +110,12 @@ class IndexableObjectWrapper(object):
        #   user:<user_id>:<role_id>
        # A line must not be present twice in final result.
        allowed = set(rolesForPermissionOn('View', ob))
+        # XXX the permission name is included by default for verbose
+        # logging of security errors, but the catalog does not need to
+        # index it. Unfortunately, rolesForPermissionOn does not have
+        # an option to disable this behavior at calling time, so
+        # discard it explicitly.
+        allowed.discard('_View_Permission')
        # XXX Owner is hardcoded, in order to prevent searching for user on the
        # site root.
        allowed.discard('Owner')