Garito wrote at 2006-11-9 03:07 +0100:
>> What you see is an authentication weekness with "__bobo_traverse__":
>> Zope's security machinery requires acquisition wrappers
>> to work reliably.
>> When "__bobo_traverse__" returns a non acquisition wrapped
>> object without public security declarations, then the
>> normal security check would not help.
>> Zope therefore tries to check whether a standard 'getattr' would
>> return the same object and accept it in this case.
>> Otherwise, it will raise "Unauthorized" with the intent
>> that an unmotivated "Unauthorized" is better than giving
>> access to some piece of information that should be protected.
>> In my view, the behaviour is buggy as "__bobo_traverse__" has
>> no way to return a non-trivial elementary data type -- but
>> almost surely, it will not be changed...
>Then: what solution did you think will be the best solution for my request?
You may try to return a wrapper that behaves the same way
as the original object (by deriving from the respective type)
but has "__roles__ = None" as additional attribute (which declares
the object public).
Zope maillist - Zope@zope.org
** No cross posts or HTML encoding! **
(Related lists -