On Thu, 2005-03-03 at 09:27 +0100, Max M wrote:
> Roché Compaan wrote:
> 
> > I'm unsure about the security check in the patch below - I copied the
> > way restrictedTraverse does it. I read through validate in the default
> > security policy but it is one of those methods where all the security
> > implications don't fit in your head all at once.
> > 
> > --- CatalogBrains.py~       2004-03-23 22:27:23.000000000 +0200
> > +++ CatalogBrains.py        2005-03-03 09:43:48.000000000 +0200
> > @@ -47,7 +47,11 @@
> >          (i.e., it was deleted or moved without recataloging), or if the
> > user is
> >          not authorized to access an object along the path.
> >          """
> > -        return self.aq_parent.restrictedTraverse(self.getPath(), None)
> > +        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
> > +        if obj and securityManager.validate(obj, obj, None, None):
> > +            return obj
> > +        else:
> > +            return None
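Review bot: `securityManager` is never bound anywhere in this hunk, so the new `getObject` raises `NameError` on its first call; restrictedTraverse obtains it with `getSecurityManager()` from `AccessControl`, so add `securityManager = getSecurityManager()` (and the import) before the `validate` call. Three further points on the same lines: the `if obj and ...` test relies on truthiness, and an ObjectManager whose `__len__` is zero (an empty folder) evaluates false, so use `if obj is not None`; the positional arguments of `validate` are `(accessed, container, name, value)`, so `validate(obj, obj, None, None)` asks the policy to validate a value of `None` rather than `obj`, and the object itself should be passed as `value` (with its id as `name`) so that its own roles are what gets checked; and the default security policy signals denial by raising `Unauthorized` rather than returning a false value, so the `else: return None` branch is reached only for a policy that returns false, and a caller that expects `None` for an inaccessible object needs a `try`/`except Unauthorized` around the `validate` call to get the documented behaviour.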
> 
> 
> There is a method deep down in Zope somewhere called:
> 
> self.authenticated_has_access(obj)
> 
> I cannot find the definition on my local Windows install, so I assume 
> it's defined in some c code somewhere.
> 
> Unfortunately there are no docs on the web either. Though there must have 
> been at some time, as I would otherwise never have found it.
> 
> Hmm... that is odd.
> 

In this context the user does not need to be authenticated - Anonymous
might have view rights in the context of the object.

-- 
Roché Compaan
Upfront Systems                 http://www.upfrontsystems.co.za

_______________________________________________
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev