[Zope-dev] Re: CatalogBrains since Zope2.7.1b1

Dieter Maurer dieter at handshake.de
Thu Jun 24 13:04:55 EDT 2004


Casey Duncan wrote at 2004-6-18 09:58 -0400:
> ...
>Security was tightened for getObject recently as part of a general
>refactor of that code. I am happy to consider whether the security is
>too tight, in which case it could be backed off a bit.

I think you should only require access rights to the object itself,
and not to all folders from the root to the object.

It is not uncommon that upper levels are more restricted than
subhierarchies. This is what Zope's URL traversal
allows: only the object identified by URL traversal is
access checked.

That ZCatalog identifies objects by physical path is an implementation
artifact. It should not make it impossible to access an
object via the catalog that otherwise can be accessed without
problem.

> ...
>For hysterical raisins, REQUEST.traverse() does not behave this way. It
>instead checks only the final object traversed.
That's a good behaviour...

-- 
Dieter
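The two policies the message contrasts, as an added example that is not part of the original post and not Zope's code: a toy object tree with a per-object "View" ACL, one resolver that checks every container from the root down to the target (the tightened getObject behaviour Dieter objects to) and one that checks only the final object (what REQUEST.traverse does, per the message). The site layout, role names, node class and both resolver functions are constructed for illustration; they are hypothetical stand-ins for ZCatalog brains and AccessControl, not the real APIs.

```python
"""Which objects along a physical path get an access check?

Added example, not from the mailing-list post and not Zope code.
The object tree, the roles and the two resolvers are constructed
stand-ins for brain.getObject() / REQUEST.traverse(); only the
placement of the access check is modelled.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


class Unauthorized(Exception):
    """The acting user may not view this object."""


@dataclass
class Node:
    """A folder or document carrying its own 'View' ACL (role names)."""
    name: str
    allowed_roles: Set[str]
    children: Dict[str, "Node"] = field(default_factory=dict)

    def add(self, child: "Node") -> "Node":
        self.children[child.name] = child
        return child


def check_view(node: Node, roles: Set[str]) -> None:
    """Raise Unauthorized unless one of the user's roles may view node."""
    if not (node.allowed_roles & roles):
        raise Unauthorized(node.name)


def _segments(path: str) -> List[str]:
    # "/intranet/report" -> ["intranet", "report"]; "/" -> []
    return [s for s in path.split("/") if s]


def resolve_checking_every_step(root: Node, path: str, roles: Set[str]) -> Node:
    """Tightened policy: every container from the root down is access checked."""
    node = root
    check_view(node, roles)
    for segment in _segments(path):
        node = node.children[segment]   # KeyError for a dangling path
        check_view(node, roles)
    return node


def resolve_checking_final_only(root: Node, path: str, roles: Set[str]) -> Node:
    """URL-traversal policy: only the object the path identifies is checked."""
    node = root
    for segment in _segments(path):
        node = node.children[segment]
    check_view(node, roles)
    return node


def build_sample_site() -> Node:
    """Constructed site: an upper folder more restricted than a child below it."""
    root = Node("", {"Anonymous", "Member", "Manager"})
    intranet = root.add(Node("intranet", {"Member", "Manager"}))
    intranet.add(Node("public-report", {"Anonymous", "Member", "Manager"}))
    intranet.add(Node("salaries", {"Manager"}))
    return root


Resolver = Callable[[Node, str, Set[str]], Node]


def can_reach(resolver: Resolver, root: Node, path: str, roles: Set[str]) -> bool:
    """True if the resolver hands the object back, False if it refuses."""
    try:
        resolver(root, path, roles)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    site = build_sample_site()
    for roles in ({"Anonymous"}, {"Member"}, {"Manager"}):
        for path in ("/intranet/public-report", "/intranet/salaries"):
            every = can_reach(resolve_checking_every_step, site, path, roles)
            final = can_reach(resolve_checking_final_only, site, path, roles)
            print(f"{sorted(roles)} {path}: every-step={every} final-only={final}")
```

The interesting row is Anonymous on /intranet/public-report: the object's own ACL allows it, so URL traversal (final-only) hands it back, while the every-step policy refuses because /intranet is Member-only. That is exactly the catalog-versus-URL inconsistency the message describes; for /intranet/salaries both policies refuse, since the target itself is Manager-only, so the stricter walk buys nothing there.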

