[Zope-Coders] bug in restrictedTraverse
Shane Hathaway
shane@zope.com
Wed, 25 Sep 2002 09:46:44 -0400
Jeremy Hylton wrote:
> Neal Norwitz reported a bug in PageTemplates.Expressions that he found
> with pychecker.
>
> The restrictedTraverse function can fail with a NameError early on,
> because it raises "Unauthorized, name" before name is defined. I
> don't know what the value should be, so I can't fix it.
>
> Jeremy
>
> def restrictedTraverse(object, path, securityManager,
> get=getattr, has=hasattr, N=None, M=[],
> TupleType=type(()) ):
>
> if not path[0]:
> # If the path starts with an empty string, go to the root first.
> object = object.getPhysicalRoot()
> if not securityManager.validateValue(object):
> raise Unauthorized, name
> path.pop(0)
This can just raise Unauthorized with no exception value. AFAIK,
however, no one will ever fail this security check, so this bug was
never spotted.
Shane