In publish.py, unwrapMethod tried to find what can be used to publish an
object. In a site, I had someone create a very-badly-named "func_code"
external method in a place accessible by acquisition from every page on the
site (this bad by itself, and I corrected it already). This caused
unwrapMethod to think it can use any object directly for publishing, because
elif getattr(unwrapped, 'func_code', None) is not None:
and "unwrapped" is still in an acquisition context.
Shouldn't the checks be done on unwrapped (from acquisition context) objects
instead, to prevent such stupid mistake to have such a wide impact.
I have the intuition that this could even be a security problem, allowing an
unexpected object to be called instead of another, but I cannot come out with
Do you think there is anything to fix in zope.publisher ? If so, I'll open a
For more information about ZODB, see the ZODB Wiki:
ZODB-Dev mailing list - ZODB-Dev@zope.org