You know you are in trouble when you need to read the c-code of
Acquisition to understand a problem. :) This took me half the day to
figure out, and in fact, I still don't fully understand it.
So I need help with this.
CPS has an index, called cps_filter_sets. It's a TopicIndex, and
TopicIndexes can have expressions as filters. This one has:
"getattr(o, 'portal_type', None) not in ('Section', 'Workspace')"
Where o is the object that are being indexed.
But, this being an expression, it's protected, and therefore, a
getattr becomes a guarded_gettatr.
guarded_getattr does it's security check by doing:
validate = SecurityManagement.getSecurityManager().validate
aq_acquire(inst, name, aq_validate, validate)
Where in this case inst will be the object that is being indexed.
aq_acquire will, if the first parameter is not an AcquisitionWrapper,
and the third parameter is not None, wrap the object.
Now, in our case, the object is an IndexableObjectWrapper, wrapping an
Acquisition wrapped object. So, aq_acquire will Acquicision wrap the
IndexableObjectWrapper, with the result that the object being used now
has no context!
Then, it passes this to validate, who in turn passes it to allowed,
who check that the object has the users user folder in it's context.
And it hasn't, because it has no context. *blam* You get an
AuthorizedError, and the object does not get indexed.
OK, there are several ways to fix this, one being to not use getattr.
But there is still something missing from my understandning of all
- Not every object has this problem! Why, I have no idea. I had his
problem in two products, and in ONE of them, it disappeared when I
introduced the otherwise useless PropertyManager as a baseclass. The
other product already has propertymanager as a baseclass!
Any insight into this would be appreciated.
Zope-Dev maillist - Zope-Dev@zope.org
** No cross posts or HTML encoding! **
(Related lists -