[Zope-dev] Re: ZCatalog getObject broken
Dieter Maurer
dieter at handshake.de
Thu Mar 10 13:11:43 EST 2005
Chris McDonough wrote at 2005-3-10 11:28 -0500:
>I implemented a "publisherTraverse" function like this FWIW:
>
>def publisherTraverse(context, path):
> # this is a hack to get around the fact that restrictedTraverse,
> # unlike publisher traversal, does checks at every step of the
> # path. We don't want to limit access in this way (e.g. nested
> # shares are possible) so we reimplement restrictedTraverse in a
> # way that that emulates publisher traversal semantics
> ob = context.unrestrictedTraverse(path)
> user = getSecurityManager().getUser()
> if not user.has_permission('View', ob):
> raise zExceptions_Unauthorized, "cant traverse to %s" % path
> return ob
>
>Maybe this is better than using validate?
No, because it does not take executable permission context
into account (e.g. proxy roles).
--
Dieter
More information about the Zope-Dev
mailing list