On Fri, 2005-02-25 at 21:06 +0100, Andreas Jung wrote:
> --On Friday, 25 February 2005 20:21 +0100 Dieter Maurer
> <[EMAIL PROTECTED]> wrote:
> > Roché Compaan wrote at 2005-2-25 17:22 +0200:
> >> Last year in March the following checkin was made that changed
> >> ZCatalog's getObject to use restrictedTraverse instead of
> >> unrestrictedTraverse. See:
> >> http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
> >> In my opinion this is wrong,
> > I agree with you!
> >> ...
> >> I would propose that getObject does an unrestrictedTraverse of the path
> >> and then checks if the user has permission to access the object.
> > I argued precisely this approach with the person who made the
> > change. I had the impression that I have convinced him -- but
> > apparently, he did not change the code accordingly :-(
> > Maybe, a bug report to the collector will help?
> > <http://www.zope.org/Collectors/Zope>
> Best to include a patch as well :-)
I'm unsure about the security check in the patch below - I copied the
way restrictedTraverse does it. I read through validate in the default
security policy but it is one of those methods where all the security
implications don't fit in your head all at once.
--- CatalogBrains.py~ 2004-03-23 22:27:23.000000000 +0200
+++ CatalogBrains.py 2005-03-03 09:43:48.000000000 +0200
@@ -47,7 +47,11 @@
(i.e., it was deleted or moved without recataloging), or if the
not authorized to access an object along the path.
- return self.aq_parent.restrictedTraverse(self.getPath(), None)
+ obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
+ if obj and securityManager.validate(obj, obj, None, None):
+ return obj
+ return None
"""Return the record ID for this object."""
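Review bot: `securityManager` on the added `if obj and securityManager.validate(obj, obj, None, None):` line is not bound anywhere in this hunk, and the patch has no second hunk that imports or assigns it, so as posted the line depends on a name that must already exist in CatalogBrains.py; if it does not, bind it inside getObject first (for example via AccessControl's getSecurityManager()). On the same line, `if obj` tests truthiness, so an object that exists but evaluates false (an empty container, say) is returned as None exactly like a missing one; `obj is not None` keeps "not found" and "found but empty" apart. The call also passes obj as the first two arguments and None as the last two: please confirm against validate's signature that the object being returned is the thing actually checked, and decide whether a failed check should come back as None, as the docstring context lines describe for unauthorized access, or as an exception, since the new code only handles a false return value.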
Upfront Systems http://www.upfrontsystems.co.za