On Fri, 2005-02-25 at 20:21 +0100, Dieter Maurer wrote:
> Roché Compaan wrote at 2005-2-25 17:22 +0200:
> >Last year in March the following checkin was made that changed
> >ZCatalog's getObject to use restrictedTraverse instead of
> >unrestrictedTraverse. See:
> >
> >http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
> >
> >In my opininion this is wrong,
> 
> I agree with you!

I'm surprised that a release with such a dramatic change didn't break
tons of sites running out there. Or maybe people upgrade reluctantly.

>
> > ...
> >I would propose that getObject does an unrestrictedTraverse of the path
> >and then checks if the user has permission to access that the object.
> 
> I argued precisely this approach with the person who made the
> change. I had the impression that I have convinced him -- but
> apparently, he did not change the code accordingly :-(
> 
> Maybe, a bug report to the collector will help?
> 
>        <http://www.zope.org/Collectors/Zope>

I was reluctant to post an issue on the collector since getObject has
been see-sawing on restricted- and unrestrictedTraverse for a very long
time and I thought I'd post here first as a sanity check. Before Zope
2.3 it was restricted then it changed to unrestricted and now we're back
to restricted again. But at the risk of somebody completely ignoring it
or changing it back to restricted in Zope 2.8 I'll be off to the
collector to log another issue ;-) 

-- 
Roché Compaan
Upfront Systems                   http://www.upfrontsystems.co.za

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to