[Erp5-report] r14579 - /erp5/trunk/products/ERP5Type/__init__.py
nobody at svn.erp5.org
nobody at svn.erp5.org
Wed May 23 18:41:12 CEST 2007
Author: jerome
Date: Wed May 23 18:41:12 2007
New Revision: 14579
URL: http://svn.erp5.org?rev=14579&view=rev
Log:
Only allow safe functions from Products.ERP5Type.Utils, not the whole module.
Modified:
erp5/trunk/products/ERP5Type/__init__.py
Modified: erp5/trunk/products/ERP5Type/__init__.py
URL: http://svn.erp5.org/erp5/trunk/products/ERP5Type/__init__.py?rev=14579&r1=14578&r2=14579&view=diff
==============================================================================
--- erp5/trunk/products/ERP5Type/__init__.py (original)
+++ erp5/trunk/products/ERP5Type/__init__.py Wed May 23 18:41:12 2007
@@ -67,7 +67,7 @@
portal_tools = ( ClassTool.ClassTool,
CacheTool.CacheTool,
MemcachedTool.MemcachedTool,
- SessionTool.SessionTool )
+ SessionTool.SessionTool )
# Do initialization step
initializeProduct(context, this_module, globals(),
document_module = Document,
@@ -90,10 +90,13 @@
initializeLocalDocumentRegistry()
from AccessControl.SecurityInfo import allow_module
+from AccessControl.SecurityInfo import ModuleSecurityInfo
allow_module('Products.ERP5Type.Cache')
-allow_module('Products.ERP5Type.Utils') # XXX this looks dangerous
- # selected methods only should be allowed eg. cartesianProduct
+ModuleSecurityInfo('Products.ERP5Type.Utils').declarePublic(
+ 'sortValueList', 'convertToUpperCase', 'convertToMixedCase',
+ 'cartesianProduct', 'sleep')
+
allow_module('Products.ERP5Type.Message')
allow_module('Products.ERP5Type.Error')
allow_module('Products.ERP5Type.Log')
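Review bot: The new `declarePublic` list still exposes `sleep` to restricted code, and it is not obviously in the same class as the pure helpers listed beside it. If it is an unbounded wrapper around `time.sleep` (its body is not visible in this hunk), anyone allowed to edit a restricted Script can hold a worker thread for an arbitrary time. I would drop `'sleep'` from the list, or have the function in Utils cap the delay, unless a restricted caller is known to need it. The removed XXX comment was also the only explanation of why this module is handled differently from the `allow_module` calls around it; a replacement above the call such as `# Allow-list for restricted code: add a name only after checking it is safe with untrusted arguments.` would keep that intent visible. Utils names that are no longer listed will presumably be refused to existing restricted scripts, so it is worth searching for such callers before release.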