-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Florent Guillaume wrote: | Dieter Maurer <[EMAIL PROTECTED]> wrote: | |>Roché Compaan wrote at 2005-2-25 17:22 +0200: |> |>> Last year in March the following checkin was made that changed |>> ZCatalog's getObject to use restrictedTraverse instead of |>> unrestrictedTraverse. See: |>> |>>http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html |>> |>>In my opininion this is wrong, |> |>I agree with you! | | | Me also. | | |>>... |>> I would propose that getObject does an unrestrictedTraverse of |>> the path and then checks if the user has permission to access |>> that the object. |> |> I argued precisely this approach with the person who made the |> change. I had the impression that I have convinced him -- but |> apparently, he did not change the code accordingly :-( |> |>Maybe, a bug report to the collector will help? |> |> <http://www.zope.org/Collectors/Zope> | | | Roché has added http://www.zope.org/Collectors/Zope/1713 | | I intend to fix this before 2.7.5 final, probably today or tonight. I | feel this is sufficiently important to warrant a fix now. I guess | it'll mean an RC2. | | Please shout if you find problems with this approach.
Please note that calling 'validate' without passing the correct values for 'container', 'accessed', and 'name' may lead to unexpected results (it tries to guess, but may not be clever enough, especially if there is any weird wrapping / unwrapping in play). This was essentially the issue which led to the "spurious Unauthorized error" problem in Zope 2.7.3 (this point is germane or issue #1534, as well as #1713).
Tres. - -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCMHBnGqWXf00rNCgRAvVZAJ9vlruC2X6Q60g8kzYpbcy8Rk8E/ACdGktW 4rPMryTLyixAABvKf/tj184= =U7gY -----END PGP SIGNATURE-----
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce