Wichert Akkerman wrote:
> Previously Raphael Ritz wrote:
>> Currently, CMF(Default - and Plone for that matter) does not support
>> this OOTB because CMFDefault's MembershipTool uses a simple getattr
>> call for the 'membersfolder_id' on the site object.
>> Changing this to use 'unrestrictedTraverse' instead resolves
>> the problem including the possibility to specify the path (or
>> relative content URL) to the folder in ZMI.
> Shouldn't it use restrictedTraverse? Is there a special reason you want
> to bypass security?

The reasons are:

(i) the current implementation doesn't check security either

(ii) 'getMembersFolder', while public, is most often called from
'getHomeFolder', which does check security, so I think it is not
necessary to check security twice.

But should we change this at all, I would be fine with
'restrictedTraverse' as well (in the sense of being defensive).

Zope-CMF maillist - Zope-CMF@lists.zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests
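
The difference discussed in this thread, as an added example that is not part of the original messages and is not CMF or Zope code: a simplified Python model of resolving the members folder by path with and without a permission check on each traversal step. The `Node` class, the `roles` argument (real Zope consults the current security manager instead), `get_members_folder` and the sample site are constructed for illustration.

```python
# Simplified stand-in for Zope traversal; not Zope or CMF code.
class Unauthorized(Exception):
    """Constructed stand-in for Zope's Unauthorized exception."""


class Node:
    """Constructed content object: children by id, plus roles allowed to view it."""

    def __init__(self, view_roles=("Anonymous",), **children):
        self.view_roles = set(view_roles)
        self.children = children

    def _walk(self, path, roles=None):
        obj = self
        for name in path.strip("/").split("/"):
            obj = obj.children[name]  # KeyError if a path step is missing
            # roles=None models the unrestricted variant: no check on any step
            if roles is not None and not (obj.view_roles & set(roles)):
                raise Unauthorized(name)
        return obj

    def unrestrictedTraverse(self, path):
        """Follow the path without any permission check."""
        return self._walk(path)

    def restrictedTraverse(self, path, roles):
        """Follow the path, checking the caller's roles on every step."""
        return self._walk(path, roles)


def get_members_folder(site, members_path, roles=None):
    """Resolve the members folder; the lookup is checked when roles are given."""
    try:
        if roles is None:
            return site.unrestrictedTraverse(members_path)
        return site.restrictedTraverse(members_path, roles)
    except (KeyError, Unauthorized):
        return None  # missing or not viewable: report "no members folder"


# Constructed site: the members folder sits below a Manager-only container.
members = Node(view_roles=("Member", "Manager"))
site = Node(private=Node(view_roles=("Manager",), Members=members))
```

In this model a caller holding only the Member role gets the folder from the unrestricted lookup but `None` from the restricted one, because the intermediate `private` container is not viewable to that role.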