Roché Compaan wrote at 2005-3-3 22:36 +0200:
>On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
>> Roché Compaan wrote at 2005-3-3 09:53 +0200:
>> > ...
>> >-        return self.aq_parent.restrictedTraverse(self.getPath(), None)
>> >+        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
>> >+        if obj and securityManager.validate(obj, obj, None, None):
>> I think this is not correct: "validate" needs at least a
>> "value" parameter (this is the forth parameter).
>I thought this much but what value? And doesn't this make the
>implementation of restrictedTraverse suspect too?
>When code is calling getObject on a catalog brain we don't know what
>attribute or method of that object the calling code will access. Does it
>then make any sense at all to do security checks in getObject? IMO it

Value means the accessed value. In your case, this is "obj".

Zope-Dev maillist  -
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to