[Zope-dev] ZCatalog getObject broken

Dieter Maurer dieter at handshake.de
Fri Mar 4 13:18:35 EST 2005


Roché Compaan wrote at 2005-3-3 22:36 +0200:
>On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
>> Roché Compaan wrote at 2005-3-3 09:53 +0200:
>> > ...
>> >-        return self.aq_parent.restrictedTraverse(self.getPath(), None)
>> >+        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
>> >+        if obj and securityManager.validate(obj, obj, None, None):
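Review bot: the validate call on the last added line passes None as its fourth argument, which is the value being accessed, so the check is given nothing to validate; pass obj there, as in `securityManager.validate(obj, obj, None, obj)`. On the same line, `if obj and` tests truthiness rather than presence, so an object that evaluates false (an empty container, for example) is handled as if traversal had returned the None default and never reaches validate; compare with `obj is not None` instead. Replacing restrictedTraverse with unrestrictedTraverse also means only the final object is checked and the intermediate path elements are not, which deserves a comment in the code if that is the intent.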
>> 
>> I think this is not correct: "validate" needs at least a
>> "value" parameter (this is the fourth parameter).
>
>I thought this much but what value? And doesn't this make the
>implementation of restrictedTraverse suspect too?
>
>When code is calling getObject on a catalog brain we don't know what
>attribute or method of that object the calling code will access. Does it
>then make any sense at all to do security checks in getObject? IMO it
>doesn't.

Value means the accessed value. In your case, this is "obj".


-- 
Dieter

