-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Santi Camps wrote:
| We have been written last week about some attribute permission problems
| with Zope 2.7.3 beta due to a patch applied by Tres.
| First of all, Tres, apologies for my too fast written test case and my
| too late test of Zope 2.7.3. Now, with some more time, I've tested and
| debugged on Zope 2.7.3 and found exactly what's happen.
| Supose we have a structure of objects like this:A.__of__(B)
| A inherits from Acquisition.Implicit, has security assertions, but has
| not __allow_access_to_unprotected_subojects__
| We want to access, from a Zope Page Template, an attribute of B that
| is not present in A
| Accessing B.our_attribute attribute works fine. But accessing
| A.__of__(B).our_attribute fails, and should work.
|
| The problem is the call to validate done in guarded_getattr method
| of ImplPython.py. The actual call is if validate(inst, inst, name,
| v), but the validate function says:
|
| Arguments:
|accessed -- the object that was being accessed
|container -- the object the value was found in
|name -- The name used to access the value
|value -- The value retrieved though the access.
|roles -- The roles of the object if already known.
|
| Now, accessed and container are always the same, and in some cases
| should be different. I attach a patch to solve this case that works
| for me. I'm not sure if my code is the best way to solve the problem
| but, as I said, it seems to work fine.
| Of course, If the patch is accepted, the same change should be done in
| the C version.
Jim and I worked through this, and ended up putting back the use of
'aq_acquire' to do the validation, precisely becuase *it* knows what the
real container is (from guarded_getattr, you have to guess). Please
verify that the head of the 2.7 branch resolves the issues you found.
Thanks very much for your work on this issue. I'm sorry I let it slide
so long,
Tres.
- --
===
Tres Seaver[EMAIL PROTECTED]
Zope Corporation Zope Dealers http://www.zope.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD4DBQFCFWSEGqWXf00rNCgRAtxAAJisR/4jFULrp9Lyd9mvubtF1y8MAJsE0/Vy
NTXbqXc+olXYl3SVxiWW8w==
=1hOE
-END PGP SIGNATURE-
___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )