content.create: Random id generation is unsafe #445

Open

achimwilde opened this issue Nov 5, 2020 · 2 comments

Comments


achimwilde commented Nov 5, 2020

/src/plone/api/content.py, lines 81/82:

# Create a temporary id if the id is not given
content_id = not safe_id and id or str(random.randint(0, 99999999))

We have a website with thousands of articles which are imported as Plone objects every couple of weeks and have numeric names, which we pass as the title parameter to api.content.create. Sometimes the random temporary id will conflict with an id of a previously generated object, resulting in a BadRequest error.

So instead of blindly using the random temporary id a test should be done if this id can be used safely, by checking if an object with this id already exists in the container. How about this:

<   content_id = not safe_id and id or str(random.randint(0, 99999999))
>   while (True):
>        content_id = not safe_id and id or str(random.randint(0, 99999999))
>        if content_id not in container.keys():
>            break
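Review bot: the `while (True)` loop never terminates when `safe_id` is false and an explicit `id` is passed that already exists in the container, because `content_id = not safe_id and id or ...` then evaluates to the same `id` on every iteration and the `break` is never reached. Evaluate the explicit-id branch once outside the loop (and surface the conflict to the caller), and bound the random branch with a retry limit instead of `while (True)` so an unexpectedly full folder fails with an error rather than hanging. `content_id not in container` is also enough here; `.keys()` is redundant.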

This solution definitely isn't perfect, but if you have items with most or all possible ids from 0 to 99999999 in one folder, you will have plenty of other issues anyway...
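As an added illustration (not plone.api code and not the proposal above), the following combines the ideas raised in this thread: a bounded retry instead of an open-ended loop, an explicit id that is rejected rather than retried when it is taken, a uuid4 alternative to the 8-digit random integer, and a birthday-bound estimate showing why a few thousand imports already produce occasional clashes. The `container` is assumed to be any mapping supporting `in`; the function and helper names are hypothetical.

```python
import math
import random
import uuid


def collision_probability(n_items, id_space):
    """Birthday-bound estimate of P(at least one collision) when n_items ids
    are drawn uniformly at random from id_space possible values."""
    return 1.0 - math.exp(-n_items * (n_items - 1) / (2.0 * id_space))


def random_int_id():
    # The 8-digit scheme from content.py: only 10**8 possible values.
    return str(random.randint(0, 99999999))


def uuid_id():
    # 122 random bits; a clash is not a practical concern, at the cost of length.
    return uuid.uuid4().hex


def generate_unique_id(container, id=None, safe_id=False, max_tries=100,
                       candidate=random_int_id):
    """Return an id that is not present in `container`.

    Mirrors the original `not safe_id and id or <random>` selection, but an
    explicit id that already exists fails fast instead of spinning, and the
    random branch gives up after `max_tries` attempts (the Archetypes approach)."""
    if not safe_id and id:
        if id in container:
            raise KeyError(f"id {id!r} already exists in container")
        return id
    for _ in range(max_tries):
        content_id = candidate()
        if content_id not in container:
            return content_id
    raise RuntimeError(f"no free id after {max_tries} tries")


if __name__ == "__main__":
    # Constructed sample: a folder already holding 5000 random 8-digit ids.
    folder = {random_int_id(): None for _ in range(5000)}
    print(f"P(collision) among 5000 ids: {collision_probability(5000, 10**8):.3f}")
    print("random int id:", generate_unique_id(folder))
    print("uuid4 id:     ", generate_unique_id(folder, candidate=uuid_id))
```

With 5000 ids drawn from 10**8 values the estimate is roughly 12%, which matches an import job that "sometimes" hits BadRequest; with uuid4 the same estimate is negligible.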


jensens commented Dec 29, 2020

I would generate a uuid4 instead. It's longer, but safe.

Personally I use https://pypi.org/project/shortuuid/ for such cases, but that is another dependency we do not want to have in core.

@mauritsvanrees

In Archetypes we used to try 100 times.
I guess code or inspiration could be borrowed from there. I assumed a similar thing happened in plone.api already.
