Roché Compaan wrote at 2005-3-3 22:36 +0200:
>On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
>> Roché Compaan wrote at 2005-3-3 09:53 +0200:
>> > ...
>> >- return self.aq_parent.restrictedTraverse(self.getPath(), None)
>> >+ obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
>> >+ if obj and securityManager.validate(obj, obj, None, None):
>>
>> I think this is not correct: "validate" needs at least a
>> "value" parameter (this is the fourth parameter).
>
>I thought this much but what value? And doesn't this make the
>implementation of restrictedTraverse suspect too?
>
>When code is calling getObject on a catalog brain we don't know what
>attribute or method of that object the calling code will access. Does it
>then make any sense at all to do security checks in getObject? IMO it
>doesn't.

Value means the accessed value. In your case, this is "obj".

--
Dieter
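
Review bot: the call "securityManager.validate(obj, obj, None, None)" on the second added line passes None as the fourth argument, which is the value being accessed, so the check is not made against the object that was actually retrieved; pass obj there, as the reply in this thread says. The "if obj and" guard on the same line tests truthiness, so an object that was found but evaluates false is handled the same way as a failed traversal; "obj is not None" matches the None default given to unrestrictedTraverse. The removed line used restrictedTraverse and the replacement validates only the final object after an unrestricted traversal, so the change deserves a comment or docstring stating that this is intended, and the quoted hunk ends before showing what is returned when validate fails, which should be defined explicitly.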