I don't get why you're not getting it :-)
A, B and C are folders nested in each other i.e. A/B/C. A user does not have access to A and B but he does have access to C. If getObject uses restrictedTraverse it returns None immediately when traversing A, even though the user is allowed to access C. If getObject was working properly it would have returned C.
Ah, okay, I thought that's what you meant, but I hoped it wasn't.
The fact that you expect this to work is a bug in Zope's security machinery, IMHO, but sadly only IMHO it appears.
I would have no problem with the above behaviour if getObject raised Unauthorized rather than returned None.
Your patch still had it returning None, IIRC, why did it do that?
The rest of the discussion basically boils down to figuring out if the user is allowed to access C or not.
Yep, personally I reckon EVERYTHING should behave like restrictedTraverse, but as I said, that appears to just be me...
Simplistix - Content Management, Zope & Python Consulting
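
A toy model of the A/B/C case discussed above, added here as an illustration and not Zope's or either poster's code: `Folder`, `check` and the three functions are hypothetical stand-ins for Zope's traversal and security checks. It contrasts validating every step with validating only the final object, and shows that returning None makes a denied object indistinguishable from a missing one.

```python
class Unauthorized(Exception):
    """Raised when the user may not access an object (name mirrors Zope's)."""

class Folder:
    def __init__(self, name, allowed_users, children=()):
        self.name = name
        self.allowed_users = set(allowed_users)
        self.children = {c.name: c for c in children}

def check(user, obj):
    if user not in obj.allowed_users:
        raise Unauthorized(f"{user} may not access {obj.name}")

def restricted_traverse(root, path, user):
    """Validate every object on the path; fails at the first denied step."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]  # KeyError if the path does not exist
        check(user, obj)
    return obj

def traverse_then_check(root, path, user):
    """Walk the path without checks, then validate only the final object."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
    check(user, obj)
    return obj

def get_object_returning_none(traverse, root, path, user):
    """Swallow failures and return None: denial and a missing path look alike."""
    try:
        return traverse(root, path, user)
    except (Unauthorized, KeyError):
        return None

# Constructed sample: A/B/C where "bob" is granted access only on C.
C = Folder("C", {"admin", "bob"})
B = Folder("B", {"admin"}, [C])
A = Folder("A", {"admin"}, [B])
ROOT = Folder("", {"admin", "bob"}, [A])
```
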