--On Donnerstag, 10. März 2005 12:49 Uhr +0100 Florent Guillaume <[EMAIL PROTECTED]> wrote:
Dieter Maurer <[EMAIL PROTECTED]> wrote:Roché Compaan wrote at 2005-2-25 17:22 +0200: > Last year in March the following checkin was made that changed > ZCatalog's getObject to use restrictedTraverse instead of > unrestrictedTraverse. See: > > http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html > > In my opininion this is wrong,
I agree with you!
> ... > I would propose that getObject does an unrestrictedTraverse of the path > and then checks if the user has permission to access that the object.
I argued precisely this approach with the person who made the change. I had the impression that I have convinced him -- but apparently, he did not change the code accordingly :-(
Maybe, a bug report to the collector will help?
Roché has added http://www.zope.org/Collectors/Zope/1713
I intend to fix this before 2.7.5 final, probably today or tonight. I feel this is sufficiently important to warrant a fix now. I guess it'll mean an RC2.
Please see my remark on this issue in the collector.
Description: PGP signature_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )