Commit 7aa3992c authored by Jérome Perrin's avatar Jérome Perrin

Only allow safe functions from Products.ERP5Type.Utils, not the whole module.



git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@14579 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 4d229d4a
......@@ -67,7 +67,7 @@ def initialize( context ):
portal_tools = ( ClassTool.ClassTool,
CacheTool.CacheTool,
MemcachedTool.MemcachedTool,
SessionTool.SessionTool )
SessionTool.SessionTool )
# Do initialization step
initializeProduct(context, this_module, globals(),
document_module = Document,
......@@ -90,10 +90,13 @@ def initialize( context ):
initializeLocalDocumentRegistry()
from AccessControl.SecurityInfo import allow_module
from AccessControl.SecurityInfo import ModuleSecurityInfo
allow_module('Products.ERP5Type.Cache')
allow_module('Products.ERP5Type.Utils') # XXX this looks dangerous
# selected methods only should be allowed eg. cartesianProduct
ModuleSecurityInfo('Products.ERP5Type.Utils').declarePublic(
'sortValueList', 'convertToUpperCase', 'convertToMixedCase',
'cartesianProduct', 'sleep')
allow_module('Products.ERP5Type.Message')
allow_module('Products.ERP5Type.Error')
allow_module('Products.ERP5Type.Log')
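Review bot: The new `declarePublic` allowlist includes `'sleep'`, which does not fit the "safe functions" framing of the commit message. If it wraps `time.sleep` without a cap (its definition is not visible here), restricted through-the-web code can hold a worker thread for an arbitrary time, which is an availability risk. Consider dropping it so the list ends at `'cartesianProduct')`, or bounding the duration inside the helper. The surrounding `allow_module` calls for `Cache`, `Message`, `Error` and `Log` still expose whole modules to restricted code and deserve the same per-name audit. A comment above the call would also help, e.g. `# Only these Utils names are importable from restricted code; review before adding more.` The body of `initialize` continues outside this hunk.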
......