[Zope-CMF] MembershipTool: Using traversal to look up the Members folder?

Raphael Ritz r.ritz at biologie.hu-berlin.de
Wed Oct 8 11:44:08 EDT 2008


Wichert Akkerman wrote:
> Previously Raphael Ritz wrote:
>> Currently, CMF(Default - and Plone for that matter) does not support
>> this OOTB because CMFDefault's MembershipTool uses a simple getattr
>> call for the 'membersfolder_id' on the site object.
>> Changing this to use 'unrestrictedTraverse' instead resolves
>> the problem including the possibility to specify the path (or
>> relative content URL) to the folder in ZMI.
> 
> Shouldn't it use restrictedTraverse? Is there a special reason you want
> to bypass security?

The reasons are:

(i) the current implementation doesn't check security either

(ii) 'getMembersFolder' while public is most often called from
'getHomeFolder' which does check security so I think it is not
necessary to check security twice. But should we change this at
all I would be fine with 'restrictedTraverse' as well (in the
sense of being defensive).

Raphael


> 
> Wichert.
> 


