On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
> Roché Compaan wrote at 2005-3-3 09:53 +0200:
> > ...
> >-        return self.aq_parent.restrictedTraverse(self.getPath(), None)
> >+        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
> >+        if obj and securityManager.validate(obj, obj, None, None):
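Review bot: On the added `if obj and securityManager.validate(obj, obj, None, None):` line, the truthiness test `if obj` treats any traversed object that evaluates false (for example an empty container that defines `__len__`) the same as a failed traversal, so the condition should be `obj is not None`. The same call passes `obj` as both of its first two arguments and `None` as the third and fourth, so the security check receives no name and no value to validate; supply the object being returned as the value, and the object it was reached through as the second argument if that is what the call expects. The branch taken when validation fails is not visible in the quoted lines; it should return the same `None` default that the removed `restrictedTraverse(self.getPath(), None)` call did, so callers keep one failure case to handle.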
> I think this is not correct: "validate" needs at least a
> "value" parameter (this is the fourth parameter).

I thought this much but what value? And doesn't this make the
implementation of restrictedTraverse suspect too?

When code is calling getObject on a catalog brain we don't know what
attribute or method of that object the calling code will access. Does it
then make any sense at all to do security checks in getObject? IMO it

Zope-Dev maillist  -  Zope-Dev@zope.org