From 0e3b98200322ee7a20b1c09119732a2c6f4cb3c2 Mon Sep 17 00:00:00 2001
From: Julien Muchembled
Date: Wed, 21 Aug 2019 15:31:12 +0200
Subject: [PATCH 1/2] Publish Folder.recursiveReindexObject

With the removal of Folder_reindexAll, it has become laborious to reindex a whole module, and it was often done in an unsafe way (create a dummy wrapper script in custom skin folder, without thinking about security).
---
 product/ERP5Type/Core/Folder.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/product/ERP5Type/Core/Folder.py b/product/ERP5Type/Core/Folder.py
index 4dd4d169bf3..a3d479b096b 100644
--- a/product/ERP5Type/Core/Folder.py
+++ b/product/ERP5Type/Core/Folder.py
@@ -1304,7 +1304,19 @@ class Folder(OFSFolder2, CMFBTreeFolder, CMFHBTreeFolder, Base, FolderMixIn):
 )(*args, **kw)
 security.declarePublic('recursiveReindexObject')
- def recursiveReindexObject(self, activate_kw=None, **kw):
+ def recursiveReindexObject(self, activate_kw=None, REQUEST=None, **kw):
+ """Recursively indexes the content of self.
+ """
+ if REQUEST is not None:
+ # Being able to trigger recursive reindexation from URL is convenient
+ # when administrating an ERP5 instance. However, appropriate security
+ # is important to prevent DoS on big objects (in number of subobjects),
+ # i.e. modules. For consistency, we check the same permission as for
+ # reindexObjectSecurity. A normal user is usually not allowed to modify
+ # a module (only add/delete subobjects).
+ if not getSecurityManager().checkPermission(
+ Permissions.ModifyPortalContent, self):
+ raise AccessControl_Unauthorized
 if self.isAncestryIndexable():
 kw, activate_kw = self._getReindexAndActivateParameterDict(
 kw,
-- 
2.30.9

From d74fcfccaa3bab79220ab5faba0f290f7de8e576 Mon Sep 17 00:00:00 2001
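Review bot: The permission check added under `if REQUEST is not None:` authorises the user but not the request, so a plain GET issued from an administrator's browser by a third-party page would still start a recursive reindex of a module, which is the DoS the comment sets out to prevent. Requiring POST on the published path would close that, for example `@postonly` (from `AccessControl.requestmethod`) between the `security.declarePublic` line and the `def`; the import would have to be added at the top of Folder.py, which is outside the hunk. It is also worth confirming what happens when the publisher fills `activate_kw` from the query string, since `_getReindexAndActivateParameterDict` presumably expects a dict or None. The method body continues past the end of the hunk.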
From: Julien Muchembled
Date: Fri, 6 Sep 2019 14:34:18 +0200
Subject: [PATCH 2/2] Micro-optimize Base.isAncestryIndexable

---
 product/ERP5Type/Base.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/product/ERP5Type/Base.py b/product/ERP5Type/Base.py
index 8fd7c131522..13b4e1f6674 100644
--- a/product/ERP5Type/Base.py
+++ b/product/ERP5Type/Base.py
@@ -2844,15 +2844,16 @@ class Base( CopyContainer,
 """
 Tells whether this document is indexable, taking into account its entire
 ancestry: a document may only be indexed if its parent is indexable, and
- it's parent's parent, etc until ERP5Site object (inclusive).
- """
- node = self.aq_inner
- portal = aq_base(self.getPortalObject())
- is_indexable = self.isIndexable
- while is_indexable and aq_base(node) is not portal:
- node = node.aq_parent
- is_indexable = node.isSubtreeIndexable()
- return is_indexable
+ its parent's parent, etc until ERP5Site object (inclusive).
+ """
+ if self.isIndexable:
+ node = self.aq_inner.aq_parent
+ portal = aq_base(node.getPortalObject())
+ while node.isSubtreeIndexable():
+ if aq_base(node) is portal:
+ return True
+ node = node.aq_parent
+ return False
 security.declarePrivate('immediateReindexObject')
 def immediateReindexObject(self, *args, **kw):
-- 
2.30.9
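Review bot: The rewritten walk starts at `self.aq_inner.aq_parent`, so it no longer covers the case where `self` is the ERP5Site object itself. The removed loop exited at once there and returned `self.isIndexable`, whereas the new code would call `getPortalObject()` and `isSubtreeIndexable()` on the site's container. If this method can never be reached on the site object, a one-line comment such as `# self is never the portal: the walk starts at its parent` would record that assumption; otherwise the old early exit needs to be kept. The method's signature is outside the hunk and the page has lost the indentation, so this reading is inferred from the visible lines only.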