[Zope-dev] Re: ZCatalog getObject broken

Chris Withers chris at simplistix.co.uk
Wed Mar 16 05:17:45 EST 2005


Roché Compaan wrote:
> I don't get why you're not getting it :-)
> 
> A, B and C are folders nested in each other i.e. A/B/C. A user does not
> have access to A and B but he does have access to C. If getObject uses
> restrictedTraverse it returns None immediately when traversing A, even
> though the user is allowed to access C. If getObject was working
> properly it would have returned C.

Ah, okay, I thought that's what you meant, but I hoped it wasn't.
The fact that you expect this to work is a bug in Zope's security 
machinery, IMHO, but sadly only IMHO it appears.
I would have no problem with the above behaviour if getObject raised 
Unauthorized rather than returned None.

Your patch still had it returning None, IIRC, why did it do that?

> The rest of the discussion basically boils down to figure out if the
> user is allowed to access C or not.

Yep, personally I reckon EVERYTHING should behave like 
restrictedTraverse, but as I said, that appears to just be me...

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
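
The A/B/C case discussed in this message, as an added example that is not part of the original post and is not Zope's code: a toy model comparing a traversal that checks access at every step with one that checks only the target, and showing how returning None hides the denial that an Unauthorized exception would report. All class and function names here are hypothetical, and the folder tree is constructed.

```python
class Unauthorized(Exception):
    """Toy stand-in for an access-denied error."""

class Folder:
    def __init__(self, name, allowed, children=()):
        self.name = name
        self.allowed = set(allowed)  # users permitted to access this folder
        self.children = {c.name: c for c in children}

def check(user, obj):
    if user not in obj.allowed:
        raise Unauthorized(f"{user} may not access {obj.name!r}")

def traverse_checking_every_step(root, path, user):
    """Validate each object on the way down; fails at A for a C-only user."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
        check(user, obj)
    return obj

def traverse_checking_target_only(root, path, user):
    """Walk without checks, then validate only the final object."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
    check(user, obj)
    return obj

def get_object_returning_none(traverse, root, path, user):
    """Swallow the denial: the caller cannot tell 'denied' from 'nothing there'."""
    try:
        return traverse(root, path, user)
    except Unauthorized:
        return None

# Constructed tree: "user" may access C but neither A nor B.
C = Folder("C", {"manager", "user"})
B = Folder("B", {"manager"}, [C])
A = Folder("A", {"manager"}, [B])
ROOT = Folder("", {"manager", "user"}, [A])

if __name__ == "__main__":
    for policy in (traverse_checking_every_step, traverse_checking_target_only):
        result = get_object_returning_none(policy, ROOT, "A/B/C", "user")
        print(policy.__name__, "->", result.name if result else None)
```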

