From fe3afe3b78318ce06bcb9713896e1d0ec0dff772 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Nowak?= <luke@nexedi.com>
Date: Thu, 12 Apr 2012 14:37:59 +0200
Subject: [PATCH] Disallow selecting by uid.

uid is used internally during recursive calls and using uid can lead to traverse all lines of catalog.
---
 product/ERP5Catalog/CatalogTool.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/product/ERP5Catalog/CatalogTool.py b/product/ERP5Catalog/CatalogTool.py
index 651ba6cd1d..8a89d8d304 100644
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -1356,6 +1356,9 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
 security.declarePublic('searchAndActivate')
 def searchAndActivate(self, *args, **kw):
 """Restricted version of _searchAndActivate"""
+ if 'uid' in kw:
+ raise TypeError("'uid' cannot be used to select documents as it is " "used internally")
 return self._searchAndActivate(restricted=True, *args, **kw)
 security.declareProtected(Permissions.ManagePortal, 'upgradeSchema')
-- 
2.30.9
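Review bot: The new guard inspects only `kw`, while `*args` is still forwarded verbatim to `_searchAndActivate`, whose signature is outside this hunk; if that method accepts `uid` as a positional parameter, the restriction on this `declarePublic` entry point would not cover that path, so it is worth confirming the positional signature or checking both. The docstring of `searchAndActivate` should also state the new contract, since callers only see `"""Restricted version of _searchAndActivate"""` and a `TypeError` for a keyword that looks legitimate is surprising: `"""Restricted version of _searchAndActivate. 'uid' is reserved for internal recursion and raises TypeError here."""`. Raising `TypeError` matches how Python itself reports an unexpected keyword, so the exception choice is fine. The enclosing `CatalogTool` class continues outside the hunk.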