-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Chris McDonough wrote: | I implemented a "publisherTraverse" function like this FWIW: | | def publisherTraverse(context, path): | # this is a hack to get around the fact that restrictedTraverse, | # unlike publisher traversal, does checks at every step of the | # path. We don't want to limit access in this way (e.g. nested | # shares are possible) so we reimplement restrictedTraverse in a | # way that that emulates publisher traversal semantics | ob = context.unrestrictedTraverse(path) | user = getSecurityManager().getUser() | if not user.has_permission('View', ob): | raise zExceptions_Unauthorized, "cant traverse to %s" % path | return ob
I don't think that the 'has_permission' check is quite right: at least, that isn't what the publisher does. 'ZPublisher.BaseRequest.traverse' collects roles during the traversal, and then calls the user folder's 'validate', passing them at the end. Note as well that 'View' may not be the permission which is protecting the traversed-to object).
The "correct" emulation would probably be to call the user object's 'authorize' method, passing the proper values for accessed, container, name, value, and roles. Figuring out the proper values is left as an exercise for the reader ;).
Tres. - -- =============================================================== Tres Seaver [EMAIL PROTECTED] Zope Corporation "Zope Dealers" http://www.zope.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCMIAxGqWXf00rNCgRAicEAJ4xoSRVeFBDNGixfenZsXK58aN/zACfUbFF SNfOYkCwgZyV30fl1H3ttko= =rdT7 -----END PGP SIGNATURE-----
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce