[Zope-dev] Re: ZCatalog getObject broken

Max M maxm at mxm.dk
Thu Mar 3 03:27:42 EST 2005


Roché Compaan wrote:

> I'm unsure about the security check in the patch below - I copied the
> way restrictedTraverse does it. I read through validate in the default
> security policy but it is one of those methods where all the security
> implications don't fit in your head all at once.
> 
> --- CatalogBrains.py~	2004-03-23 22:27:23.000000000 +0200
> +++ CatalogBrains.py	2005-03-03 09:43:48.000000000 +0200
> @@ -47,7 +47,11 @@
>          (i.e., it was deleted or moved without recataloging), or if the
> user is
>          not authorized to access an object along the path.
>          """
> -        return self.aq_parent.restrictedTraverse(self.getPath(), None)
> +        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
> +        if obj and securityManager.validate(obj, obj, None, None):
> +            return obj
> +        else:
> +            return None
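
Review bot: the added condition "if obj and securityManager.validate(obj, obj, None, None)" tests the truthiness of obj, so an object that was found but evaluates false (an empty container, for instance) falls through to "return None" exactly like a missing one; compare with "obj is not None" instead. The name securityManager is not bound anywhere in the visible lines, so the patch also needs whatever obtains it before this can run. The docstring still promises None when the user is "not authorized to access an object along the path", but after unrestrictedTraverse only the final object is checked, so either the docstring should be updated or the reason for dropping the per-step checks should be stated in a comment. It is also worth confirming that validate returns a false value here rather than raising, since the else branch depends on that.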


There is a method deep down in Zope somewhere called:

self.authenticated_has_access(obj)

I cannot find the definition on my local Windows install, so I assume 
it's defined in some C code somewhere.

Unfortunately there are no docs on the web either. Though there must have 
been at some time, as I would otherwise never have found it.

Hmm... that is odd.

-- 

hilsen/regards Max M, Denmark

http://www.mxm.dk/
IT's Mad Science


