--On Donnerstag, 10. März 2005 12:49 Uhr +0100 Florent Guillaume <[EMAIL PROTECTED]> wrote:


Dieter Maurer <[EMAIL PROTECTED]> wrote:
Roché Compaan wrote at 2005-2-25 17:22 +0200:
> Last year in March the following checkin was made that changed
> ZCatalog's getObject to use restrictedTraverse instead of
> unrestrictedTraverse. See:
> http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
> In my opininion this is wrong,

I agree with you!

Me also.

> ...
> I would propose that getObject does an unrestrictedTraverse of the path
> and then checks if the user has permission to access that the object.

I argued precisely this approach with the person who made the
change. I had the impression that I have convinced him -- but
apparently, he did not change the code accordingly :-(

Maybe, a bug report to the collector will help?


Roché has added http://www.zope.org/Collectors/Zope/1713

I intend to fix this before 2.7.5 final, probably today or tonight.
I feel this is sufficiently important to warrant a fix now.
I guess it'll mean an RC2.

Please see my remark on this issue in the collector.


Attachment: pgphJkbk8eW1O.pgp
Description: PGP signature

Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to