Chris Withers  <[EMAIL PROTECTED]> wrote:
> > A, B and C are folders nested in each other i.e. A/B/C. A user does not
> > have access to A and B but he does have access to C. If getObject uses
> > restrictedTraverse it returns None immediately when traversing A, even
> > though the user is allowed to access C. If getObject was working
> > properly it would have returned C.
> Ah, okay, I thought that's what you meant, but I hoped it wasn't.
> The fact that you expect this to work is a bug in Zope's security 
> machinery, IMHO, but sadly only IMHO it appears.

Huh? That's fundamental to Zope's security model.

> I would have no problem with the above behaviour if getObject raised 
> Unauthorized rather than returned None.
> Your patch still had it returning None, IIRC, why did it do that?
> > The rest of the discussion basically boils down to figure out if the
> > user is allowed to access C or not.
> Yep, personally I reckon EVRYTHING should behave like 
> restrictedTraverse, but as I said, that appears to just be me...

Well, you must be the only one who never had a need for security
restrictions elsewhere than at the root of the site.


Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   [EMAIL PROTECTED]
Zope-Dev maillist  -
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to