[Zope-dev] feedback wanted on ZCatalog changes...

Michel Pelletier michel@digicool.com
Tue, 4 Jan 2000 18:08:50 -0500


> -----Original Message-----
> From: Anthony Baxter [mailto:anthony@interlink.com.au]
> Sent: Tuesday, January 04, 2000 5:29 PM
> To: Michel Pelletier
> Cc: zope-dev@zope.org
> Subject: Re: [Zope-dev] feedback wanted on ZCatalog changes... 
> 
> 
> Excellent. The other two changes in there were:
> 
> make REQUEST and RESPONSE optional for the various manage_ functions,

Done, thanks.

> and
> fixing the "can't index attributes acquired from higher than the enclosing
> folder" from ZopeFindAndApply.

I've not been bitten by this one, so I'm not sure I understand.

When indexing with find, you want objects to try and acquire attributes
and index the value of that acquired attribute if it can do so?

Hmm.. I think context could come up and bite us here. The request to
index the object may have a different acquisition context than the
request that runs the query, thus 'find' may index values for objects
that other people may not be able to see in their context, or even have
permission to see.  By not acquiring, you limit the functionality, but
avoid having to run catalog queries through the security machinery; god
help us all if that ever happens.  Maybe that doesn't make sense, what
do you think?  Can you reproduce a security violation with your patch?

-Michel
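
The concern raised in the message above, index-time acquisition context differing from query-time context, shown as an added toy model that is not part of the original message and is not Zope's Acquisition or ZCatalog code. `Node`, `InContext`, `ToyCatalog`, `demo` and the sample values are hypothetical and constructed for illustration.

```python
# Toy model only: not Zope's Acquisition or ZCatalog code. All names are hypothetical.
class Node:
    def __init__(self, name, readers=None, **attrs):
        self.name, self.attrs = name, attrs
        self.readers = readers            # None means readable by anyone


class InContext:
    """One object as reached through one chain of containers."""
    def __init__(self, node, parent=None):
        self.node, self.parent = node, parent

    def chain(self):
        ctx = self
        while ctx is not None:
            yield ctx.node
            ctx = ctx.parent

    def lookup(self, attr, acquire):
        # Without acquisition only the object itself is consulted.
        nodes = self.chain() if acquire else [self.node]
        return next((n.attrs[attr] for n in nodes if attr in n.attrs), None)

    def readable_by(self, user):
        return all(n.readers is None or user in n.readers for n in self.chain())


class ToyCatalog:
    def __init__(self, acquire):
        self.acquire, self.index = acquire, {}

    def catalog_object(self, ctx, attr):
        value = ctx.lookup(attr, self.acquire)   # resolved in the indexer's context
        if value is not None:
            self.index.setdefault(value, set()).add(ctx.node.name)

    def search(self, value):
        return sorted(self.index.get(value, ()))  # plain lookup, no security check


def demo(acquire):
    doc = Node("doc")
    restricted = Node("restricted", readers={"manager"}, project="constructed-value")
    index_ctx = InContext(doc, InContext(restricted))      # where the manager runs find
    query_ctx = InContext(doc, InContext(Node("public")))  # where anonymous browses
    cat = ToyCatalog(acquire)
    cat.catalog_object(index_ctx, "project")
    return {
        "hits": cat.search("constructed-value"),
        "querier_sees": query_ctx.lookup("project", acquire=True),
        "querier_may_read_source": index_ctx.readable_by("anonymous"),
    }
```

With `demo(True)` the catalog returns `doc` for a value that the querying context cannot acquire and whose source container the querier may not read; with `demo(False)` nothing is indexed, which is the functionality trade-off the message describes.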