On Thu, 24 Jun 2004 19:04:55 +0200
Dieter Maurer <[EMAIL PROTECTED]> wrote:
> Casey Duncan wrote at 2004-6-18 09:58 -0400:
> > ...
> >Security was tightened for getObject recently as part of a general
> >refactor of that code. I am happy to consider whether the security is
> >too tight, in which case it could be backed off a bit.
> I think, you should only require access rights to the object itself
> and not to all folders from the root to the object.
> It is not uncommon that upper levels are more restricted than
> subhierarchies. This is what Zope's URL traversal
> allows: Only the object identified by URL traversal is
> access checked.
> That ZCatalog identifies objects by physical path is an implementation
> artifact. It should not make it impossible to access an
> object via the catalog that otherwise can be accessed without
> > ...
> >For hysterical raisins, REQUEST.traverse() does not behave this way.
> >It instead checks only the final object traversed.
> That's a good behaviour...
Except when it isn't ;^) OTOH it is closer to the behavior of getObject
in 2.7.0. Ironically it used to use restrictedTraverse long ago...
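As an added illustration (not Zope code and not from either poster), here is a toy model of the two policies the thread contrasts: the "every folder from the root" check Dieter describes for the tightened getObject, versus the "final object only" check REQUEST.traverse() is described as doing. The folder tree, role names and function names are constructed for this example.

```python
# Added example, not Zope's own code: two traversal policies over a tiny
# folder tree, showing why they disagree when an upper folder is more
# restricted than the object beneath it.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    pass


@dataclass
class Node:
    name: str
    allowed_roles: frozenset          # roles that may access this node
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child


def _hops(path):
    return path.strip("/").split("/")


def check_final_only(root, path, roles):
    """REQUEST.traverse()-style: walk the path, check only the target."""
    node = root
    for name in _hops(path):
        node = node.children[name]
    if not node.allowed_roles & roles:
        raise Unauthorized(node.name)
    return node


def check_every_hop(root, path, roles):
    """Tightened-getObject-style: check root and every folder on the way."""
    node = root
    if not node.allowed_roles & roles:
        raise Unauthorized(node.name)
    for name in _hops(path):
        node = node.children[name]
        if not node.allowed_roles & roles:
            raise Unauthorized(node.name)
    return node


def build_tree():
    # Constructed tree: /private is Manager-only, but /private/public-doc
    # is readable by Anonymous (Dieter's "upper level more restricted" case).
    root = Node("root", frozenset({"Anonymous", "Manager"}))
    private = root.add(Node("private", frozenset({"Manager"})))
    private.add(Node("public-doc", frozenset({"Anonymous", "Manager"})))
    return root


def can_access(policy, path, roles):
    """True if `policy` lets a user holding `roles` reach `path`."""
    try:
        policy(build_tree(), path, frozenset(roles))
    except Unauthorized:
        return False
    return True
```

With this tree, an Anonymous user reaches /private/public-doc under the final-object policy but is refused under the every-hop policy, which is exactly the catalog-vs-URL discrepancy the thread is about.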
Zope-Dev maillist - [EMAIL PROTECTED]