-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Santi Camps wrote:
| We have been written last week about some attribute permission problems | with Zope 2.7.3 beta due to a patch applied by Tres. | First of all, Tres, apologies for my too fast written test case and my | too late test of Zope 2.7.3. Now, with some more time, I've tested and | debugged on Zope 2.7.3 and found exactly what's happen. | Supose we have a structure of objects like this: A.__of__(B) | "A" inherits from Acquisition.Implicit, has security assertions, but has | not __allow_access_to_unprotected_subojects__ | We want to access, from a Zope Page Template, an attribute of "B" that | is not present in "A" | Accessing B.our_attribute attribute works fine. But accessing | A.__of__(B).our_attribute fails, and should work. | | The problem is the call to "validate" done in "guarded_getattr" method | of ImplPython.py. The actual call is "if validate(inst, inst, name, | v)", but the validate function says: | | Arguments: | accessed -- the object that was being accessed | container -- the object the value was found in | name -- The name used to access the value | value -- The value retrieved though the access. | roles -- The roles of the object if already known. | | Now, "accessed" and "container" are always the same, and in some cases | should be different. I attach a patch to solve this case that works | for me. I'm not sure if my code is the best way to solve the problem | but, as I said, it seems to work fine. | Of course, If the patch is accepted, the same change should be done in | the C version.
Jim and I worked through this, and ended up putting back the use of 'aq_acquire' to do the validation, precisely becuase *it* knows what the real container is (from guarded_getattr, you have to guess). Please verify that the head of the 2.7 branch resolves the issues you found.
Thanks very much for your work on this issue. I'm sorry I let it slide so long,
Tres. - -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce