Chris Withers <[EMAIL PROTECTED]> wrote:
> > A, B and C are folders nested in each other i.e. A/B/C. A user does not
> > have access to A and B but he does have access to C. If getObject uses
> > restrictedTraverse it returns None immediately when traversing A, even
> > though the user is allowed to access C. If getObject was working
> > properly it would have returned C.
>
> Ah, okay, I thought that's what you meant, but I hoped it wasn't.
> The fact that you expect this to work is a bug in Zope's security
> machinery, IMHO, but sadly only IMHO it appears.

Huh? That's fundamental to Zope's security model.

> I would have no problem with the above behaviour if getObject raised
> Unauthorized rather than returned None.
>
> Your patch still had it returning None, IIRC, why did it do that?
>
> > The rest of the discussion basically boils down to figuring out if the
> > user is allowed to access C or not.
>
> Yep, personally I reckon EVERYTHING should behave like
> restrictedTraverse, but as I said, that appears to just be me...

Well, you must be the only one who never had a need for security
restrictions elsewhere than at the root of the site.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   [EMAIL PROTECTED]
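
The two traversal behaviours argued over in this thread, as an added example that is not part of the original message and is not Zope code: a toy model of the A/B/C case in which checking every step denies a user who is allowed only C, while checking only the target returns C. The names `Node`, `Unauthorized`, `outcome` and both traversal functions are hypothetical, and both policies raise on denial instead of returning None.

```python
# Toy model of the two traversal policies discussed above. This is NOT Zope
# code: Node, Unauthorized and both functions are hypothetical stand-ins.
class Unauthorized(Exception):
    """Raised when the user may not access an object on the path."""

class Node:
    def __init__(self, name, allowed_users=(), children=()):
        self.name = name
        self.allowed_users = set(allowed_users)
        self.children = {c.name: c for c in children}

def _walk(root, path):
    """Yield each object along a slash-separated path below root."""
    node = root
    for name in path.strip("/").split("/"):
        node = node.children[name]   # KeyError if the path does not exist
        yield node

def traverse_checking_every_step(root, path, user):
    """Policy 1: every intermediate object must be accessible."""
    for node in _walk(root, path):
        if user not in node.allowed_users:
            raise Unauthorized(f"{user} may not access {node.name}")
    return node

def traverse_checking_target_only(root, path, user):
    """Policy 2: walk unchecked, then validate only the final object."""
    *_, target = _walk(root, path)
    if user not in target.allowed_users:
        raise Unauthorized(f"{user} may not access {target.name}")
    return target

def outcome(policy, root, path, user):
    """Return the object name, or which object caused the denial."""
    try:
        return policy(root, path, user).name
    except Unauthorized as exc:
        return f"Unauthorized: {exc}"

# Constructed sample site: alice can access only C, bob only A and B.
C = Node("C", allowed_users={"alice"})
B = Node("B", allowed_users={"bob"}, children=[C])
A = Node("A", allowed_users={"bob"}, children=[B])
SITE = Node("root", allowed_users={"alice", "bob"}, children=[A])

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for policy in (traverse_checking_every_step, traverse_checking_target_only):
            print(user, policy.__name__, outcome(policy, SITE, "A/B/C", user))
```

In this model the denial names the object that failed the check, so a caller can tell a blocked intermediate folder (A) from a blocked target (C).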