On 7/14/06, Dieter Maurer <[EMAIL PROTECTED]> wrote:
Garito wrote at 2006-7-14 07:04 +0200:
> ...
>def __bobo_traverse__(self, REQUEST, name):
>        obj = getattr(self, name, None)
> ...
>I wonder why I can do this on a Page Template:
><tal:b tal:replace='python: here.Texto' />
>Where Texto is a adquired property, but not this:
><tal:b tal:replace='here/Texto' />
>because zope raises an unauthorized error
>How can I solve this point?

You can wait for the next Zope release (2.10) where this is fixed.

The reason: security for "__bobo_traverse__" is much stricter
than for attribute lookup:

  In the latter case, the security machinery knows that the value
  was obtained by attribute lookup and can apply the security
  declarations of the accessed object.

  In the former case, the security machinery does not know
  which object was really accessed and therefore refuses
  to look at the accessed object. This often leads to
  an "Unauthorized".

The hack in Zope 2.10 checks in this case whether the value
could as well have been obtained by attribute lookup and
then checks along this route.

If waiting is not an option for you, you can also backport
the fix to your Zope version.

Hm, if this is the issue, the fix should already be in Zope 2.9.3 and 2.8.7

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to