[Zope-dev] Removal of aq_acquire from guarded_getattr

Stefan H. Holek stefan at epy.co.at
Fri Jan 21 11:51:33 EST 2005

The bug:

The fix:

This effectively changes how acquisition works in restricted Python. I 
understand this may well be the point <wink>.

The consequences:
Zope sites experiencing seemingly random Unauthorized errors. [1]

I have added tests to the AccessControl suite on 2.7 branch that 
demonstrate the new behavior. Note that all of them pass in Zope 2.7.2.

What it _appears_ to mean is that when a container denies access, the 
object security of the acquiree is checked. Therefore, a potential 
acquiree (read: _any_ object) must make sure to declareObjectProtected 
or it may end up not being acquirable. This is not always the case in 
current Zope/CMF/Plone which would explain the Unauthorized errors we 

Tres, I am happy to discuss this further once you had a look at the 
tests. I also have tests for the CMF in case you want them.



The time has come to start talking about whether the emperor is as well
dressed as we are supposed to think he is.               /Pete McBreen/

More information about the Zope-Dev mailing list