Chris Withers <[EMAIL PROTECTED]> wrote:
> > A, B and C are folders nested in each other i.e. A/B/C. A user does not
> > have access to A and B but he does have access to C. If getObject uses
> > restrictedTraverse it returns None immediately when traversing A, even
> > though the user is allowed to access C. If getObject was working
> > properly it would have returned C.
> Ah, okay, I thought that's what you meant, but I hoped it wasn't.
> The fact that you expect this to work is a bug in Zope's security
> machinery, IMHO, but sadly only IMHO it appears.
Huh? That's fundamental to Zope's security model.
> I would have no problem with the above behaviour if getObject raised
> Unauthorized rather than returned None.
> Your patch still had it returning None, IIRC, why did it do that?
> > The rest of the discussion basically boils down to figuring out if the
> > user is allowed to access C or not.
> Yep, personally I reckon EVERYTHING should behave like
> restrictedTraverse, but as I said, that appears to just be me...
Well, you must be the only one who never had a need for security
restrictions elsewhere than at the root of the site.
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
Zope-Dev maillist - Zope-Dev@zope.org
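
The two behaviours debated in this thread, as an added toy model that is not part of the original messages and is not Zope code: the A/B/C layout and the user's access come from the thread, while the class, function and user names (`Folder`, `traverse_each_step`, `traverse_target_only`, `get_object_none`, `alice`, `manager`) are hypothetical. It contrasts checking access on every object along the path with checking only the final object, and shows how returning None hides the denial.

```python
class Unauthorized(Exception):
    """Raised when the user may not access an object (toy stand-in)."""

class Folder:
    def __init__(self, name, allowed_users, parent=None):
        self.name = name
        self.allowed_users = set(allowed_users)  # users who may access this folder
        self.children = {}
        if parent is not None:
            parent.children[name] = self

def traverse_each_step(root, path, user):
    """Check access on every object along the path (restrictedTraverse-like)."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
        if user not in obj.allowed_users:
            raise Unauthorized(name)  # fails at the first inaccessible parent
    return obj

def traverse_target_only(root, path, user):
    """Walk the path without checks, then check access on the target alone."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
    if user not in obj.allowed_users:
        raise Unauthorized(path)
    return obj

def get_object_none(root, path, user):
    """Per-step checking with the denial swallowed into None, as in the thread."""
    try:
        return traverse_each_step(root, path, user)
    except Unauthorized:
        return None

def build_site():
    # Constructed sample data: alice may access C but neither A nor B.
    root = Folder("", {"manager", "alice"})
    a = Folder("A", {"manager"}, root)
    b = Folder("B", {"manager"}, a)
    Folder("C", {"manager", "alice"}, b)
    return root

if __name__ == "__main__":
    site = build_site()
    print(get_object_none(site, "A/B/C", "alice"))            # None
    print(traverse_target_only(site, "A/B/C", "alice").name)  # C
```
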