[Zope] __bobo_traverse__ and a no-object

Garito garito at sistes.net
Sat Jul 15 00:04:44 EDT 2006


Alec Mitchell wrote:
> On 7/14/06, Garito <garito at sistes.net> wrote:
>> Garito wrote:
>> > Dieter Maurer wrote:
>> >> Garito wrote at 2006-7-14 07:04 +0200:
>> >>
>> >>> ...
>> >>> def __bobo_traverse__(self, REQUEST, name):
>> >>>        obj = getattr(self, name, None)
>> >>> ...
>> >>> I wonder why I can do this on a Page Template:
>> >>>
>> >>> <tal:b tal:replace='python: here.Texto' />
>> >>>
>> >>> Where Texto is an acquired property, but not this:
>> >>>
>> >>> <tal:b tal:replace='here/Texto' />
>> >>>
>> >>> because Zope raises an Unauthorized error
>> >>>
>> >>> How can I solve this point?
>> >>>
>> >>
>> >> You can wait for the next Zope release (2.10) where this is fixed.
>> >>
>> >> The reason: security for "__bobo_traverse__" is much stricter
>> >> than for attribute lookup:
>> >>
>> >>    In the latter case, the security machinery knows that the value
>> >>    was obtained by attribute lookup and can apply the security
>> >>    declarations of the accessed object.
>> >>
>> >>    In the former case, the security machinery does not know
>> >>    which object was really accessed and therefore refuses
>> >>    to look at the accessed object. This often leads to
>> >>    an "Unauthorized".
>> >>
>> >> The hack in Zope 2.10 checks in this case whether the value
>> >> could as well have been obtained by attribute lookup and
>> >> then checks along this route.
>> >>
>> >>
>> >> If waiting is not an option for you, you can also backport
>> >> the fix to your Zope version.
>> >>
>> >>
>> >>
>> >>
>> > Do you refer to this Collector?
>> >
>> > http://www.zope.org/Collectors/Zope/2072
>> >
>> I use Zope 2.9.2
>
> Use 2.9.3 and watch your problem disappear (hopefully).
>
> Alec
Completely disappeared!!!

Thank you so much!!!!!!

-- 
Mis Cosas
http://blogs.sistes.net/Garito
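
A simplified model of the difference Dieter Maurer describes above, added here as an illustration; it is not Zope code and not from any poster in this thread. Folder, lookup, validate, traverse and the sample data are constructed names: attribute lookup knows the owning object and can apply its declarations, a traversal hook returns a bare value, and the fallback accepts that value only when guarded attribute lookup yields the same object.

```python
# Simplified model of the check described in the thread; all names are constructed.

class Unauthorized(Exception): pass

class Folder:
    def __init__(self, parent=None, public=(), **attrs):
        self.parent, self.public, self.attrs = parent, set(public), attrs
    def lookup(self, name):
        """Attribute lookup with acquisition: returns (owner, value)."""
        node = self
        while node is not None:
            if name in node.attrs:
                return node, node.attrs[name]
            node = node.parent
        raise AttributeError(name)

def validate(owner, name):
    """Apply the owner's declarations; an unknown owner is always refused."""
    if owner is None or name not in owner.public:
        raise Unauthorized(name)

def guarded_getattr(obj, name):
    """Attribute route: the owner is known, so its declarations apply."""
    owner, value = obj.lookup(name)
    validate(owner, name)
    return value

def traverse(obj, name, hook, fallback):
    """Hook route: a bare value comes back; a plain string records no owner."""
    value = hook(obj, name)
    owner = getattr(value, "owner", None)
    try:
        validate(owner, name)
    except Unauthorized:
        # Fallback: accept only what guarded attribute lookup would also return.
        if owner is not None or not fallback:
            raise
        try:
            same = guarded_getattr(obj, name) is value
        except AttributeError:
            same = False
        if not same:
            raise
    return value

# Constructed sample: Texto lives on the site and is acquired by the page.
site = Folder(public=["Texto"], Texto="hola", Secret="s3cret")
page = Folder(parent=site)
acquire = lambda obj, name: obj.lookup(name)[1]
```

With fallback=False the acquired Texto is refused even though guarded_getattr allows it; with fallback=True it is returned, while Secret and any value the hook could not have obtained by attribute lookup stay Unauthorized.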



