[Zope-Checkins] CVS: Zope/lib/python/OFS - Traversable.py:1.13.16.2

Shane Hathaway shane@cvs.zope.org
Wed, 18 Sep 2002 11:52:23 -0400


Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv28903/lib/python/OFS

Modified Files:
      Tag: Zope-2_5-branch
	Traversable.py 
Log Message:
Merge from head, adding a note to CHANGES.txt.

Finished fix for collector #558.  restrictedTraverse() was not providing
adequate context for the security manager, resulting in excessive Unauthorized
errors.  The previous fix corrected traversal using __bobo_traverse__();
this fix corrects traversal using getattr().  The problem was solved by
simply making use of AccessControl.ZopeGuards.guarded_getattr().


=== Zope/lib/python/OFS/Traversable.py 1.13.16.1 => 1.13.16.2 ===
--- Zope/lib/python/OFS/Traversable.py:1.13.16.1	Thu Sep 12 17:24:56 2002
+++ Zope/lib/python/OFS/Traversable.py	Wed Sep 18 11:51:52 2002
@@ -19,6 +19,7 @@
 from Acquisition import Acquired, aq_inner, aq_parent, aq_base
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr
 from string import split, join
 from urllib import quote
 
@@ -135,21 +136,11 @@
                             raise Unauthorized, name
                       
                 else:
-                    o=get(object, name, M)
-                    if o is not M:
-                        if restricted:
-                            # waaaa
-                            if hasattr(aq_base(object), name):
-                                # value wasn't acquired
-                                if not securityManager.validate(
-                                    object, object, name, o):
-                                    raise Unauthorized, name
-                            else:
-                                if not securityManager.validate(
-                                    object, N, name, o):
-                                    raise Unauthorized, name
-                        
+                    if restricted:
+                        o = guarded_getattr(object, name, M)
                     else:
+                        o = get(object, name, M)
+                    if o is M:
                         o=object[name]
                         if (restricted and not securityManager.validate(
                             object, object, N, o)):
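
Review bot: In the restricted branch, `o = guarded_getattr(object, name, M)` replaces two distinct validate() calls (container `object` when `hasattr(aq_base(object), name)` was true, container `N` for acquired values), and nothing in the new lines records that guarded_getattr makes the same acquired versus non-acquired distinction. A short comment above the call would make the security behaviour reviewable in place: it should say so, and also say that the call is expected to hand back the default `M` for a missing attribute so that the `if o is M:` fallback to `object[name]` still runs. The getattr path no longer has an explicit `raise Unauthorized, name`, so any denial has to come from guarded_getattr itself. A regression test for collector #558 that traverses to an acquired attribute through restrictedTraverse() would be worth adding with this merge.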