From fe3afe3b78318ce06bcb9713896e1d0ec0dff772 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Nowak?= <luke@nexedi.com>
Date: Thu, 12 Apr 2012 14:37:59 +0200
Subject: [PATCH] Disallow selecting by uid.

uid is used internally during the recursive calls, so a caller passing uid
from outside can cause the whole catalog to be traversed.
---
 product/ERP5Catalog/CatalogTool.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/product/ERP5Catalog/CatalogTool.py b/product/ERP5Catalog/CatalogTool.py
index 651ba6cd1d..8a89d8d304 100644
--- a/product/ERP5Catalog/CatalogTool.py
+++ b/product/ERP5Catalog/CatalogTool.py
@@ -1356,6 +1356,9 @@ class CatalogTool (UniqueObject, ZCatalog, CMFCoreCatalogTool, ActiveObject):
     security.declarePublic('searchAndActivate')
     def searchAndActivate(self, *args, **kw):
       """Restricted version of _searchAndActivate"""
+      if 'uid' in kw:
+        raise TypeError("'uid' cannot be used to select documents as it is "
+          "used internally")
       return self._searchAndActivate(restricted=True, *args, **kw)
 
     security.declareProtected(Permissions.ManagePortal, 'upgradeSchema')
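Review bot: The guard on the `if 'uid' in kw:` line checks only a bare keyword argument, while `*args` is forwarded to `_searchAndActivate` untouched; if the underlying method accepts uid positionally or inside a nested query object, the restriction could presumably still be bypassed, so it seems safer to validate in `_searchAndActivate` once `restricted=True` is set (to be confirmed against its signature, which is outside this hunk). The docstring should also state the new contract, e.g. `"""Restricted version of _searchAndActivate. 'uid' is reserved for internal recursion and is rejected with TypeError."""`. The enclosing class continues outside the hunk.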
-- 
2.30.9