
Florent Guillaume wrote:
| Dieter Maurer  <[EMAIL PROTECTED]> wrote:
|>Roché Compaan wrote at 2005-2-25 17:22 +0200:
|>> Last year in March the following checkin was made that changed
|>> ZCatalog's getObject to use restrictedTraverse instead of
|>> unrestrictedTraverse. See:
|>> In my opinion this is wrong,
|>I agree with you!
| Me also.
|>> I would propose that getObject does an unrestrictedTraverse of
|>> the path and then checks if the user has permission to access
|>> the object.
|> I argued precisely this approach with the person who made the
|> change. I had the impression that I have convinced him -- but
|> apparently, he did not change the code accordingly :-(
|>Maybe, a bug report to the collector will help?
|>       <http://www.zope.org/Collectors/Zope>
| Roché has added http://www.zope.org/Collectors/Zope/1713
| I intend to fix this before 2.7.5 final, probably today or tonight. I
| feel this is sufficiently important to warrant a fix now. I guess
| it'll mean an RC2.
| Please shout if you find problems with this approach.

Please note that calling 'validate' without passing the correct values
for 'container', 'accessed', and 'name' may lead to unexpected results
(it tries to guess, but may not be clever enough, especially if there is
any weird wrapping / unwrapping in play).  This was essentially the
issue which led to the "spurious Unauthorized error" problem in Zope
2.7.3 (this point is germane to issue #1534, as well as #1713).

--
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com
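
The following is an added example, not part of the original message and not Zope's code. It is a simplified Python model of the two behaviours discussed in the thread: checking every step of the path versus traversing unrestricted and then validating only the final object with an explicitly supplied container and name. `Node`, `validate`, `restricted_traverse`, `unrestricted_traverse` and `get_object` are hypothetical names, and this toy `validate` takes only container, name and value.

```python
class Unauthorized(Exception):
    pass

class Node:
    def __init__(self, name, allowed_roles, children=()):
        self.name = name
        self.allowed_roles = set(allowed_roles)
        self.children = {c.name: c for c in children}

def validate(user_roles, container, name, value):
    """Check access to `value`, reached as `name` inside `container`.
    Every argument is supplied by the caller; nothing is guessed."""
    if container.children.get(name) is not value:
        raise Unauthorized("%s is not bound to %r in this container" % (value.name, name))
    if not (value.allowed_roles & set(user_roles)):
        raise Unauthorized(name)
    return True

def unrestricted_traverse(root, path):
    node = root
    for name in path:
        node = node.children[name]
    return node

def restricted_traverse(root, path, user_roles):
    """Validate every step: one inaccessible ancestor blocks the whole path."""
    node = root
    for name in path:
        child = node.children[name]
        validate(user_roles, node, name, child)
        node = child
    return node

def get_object(root, path, user_roles):
    """Traverse unrestricted to the parent, then validate only the target."""
    parent = unrestricted_traverse(root, path[:-1])
    name = path[-1]
    obj = parent.children[name]
    validate(user_roles, parent, name, obj)
    return obj

# Constructed sample tree: a Manager-only folder holding one public
# document and one Manager-only document.
public_doc = Node("report", {"Anonymous", "Manager"})
secret_doc = Node("draft", {"Manager"})
ROOT = Node("", {"Anonymous"},
            [Node("private", {"Manager"}, [public_doc, secret_doc])])
```

In this model an anonymous user is refused `private/report` by `restricted_traverse` because of the folder, while `get_object` returns it and still refuses `private/draft`.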


Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
