Roché Compaan wrote at 2005-3-3 22:36 +0200:
>On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
>> Roché Compaan wrote at 2005-3-3 09:53 +0200:
>> > ...
>> >- return self.aq_parent.restrictedTraverse(self.getPath(), None)
>> >+ obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
>> >+ if obj and securityManager.validate(obj, obj, None, None):
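Review bot: The truthiness test in the added `if obj and securityManager.validate(obj, obj, None, None):` line treats any object that evaluates false (for example an empty container) the same as the `None` default passed to `unrestrictedTraverse`, so such an object never reaches `validate`; test `obj is not None` instead. The fourth argument to `validate` is passed as `None`. The visible lines also do not show what is returned when the check fails, or where `securityManager` is bound. Since the traversal is now unrestricted, the failure branch should be explicit in the patch.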
>> I think this is not correct: "validate" needs at least a
>> "value" parameter (this is the fourth parameter).
>I thought this much but what value? And doesn't this make the
>implementation of restrictedTraverse suspect too?
>When code is calling getObject on a catalog brain we don't know what
>attribute or method of that object the calling code will access. Does it
>then make any sense at all to do security checks in getObject? IMO it
Value means the accessed value. In your case, this is "obj".
Zope-Dev maillist - Zope-Dev@zope.org