Dieter Maurer escribió:
Garito wrote at 2006-11-9 03:07 +0100:
What you see is an authentication weekness with "__bobo_traverse__":
Zope's security machinery requires acquisition wrappers
to work reliably.
When "__bobo_traverse__" returns a non acquisition wrapped
object without public security declarations, then the
normal security check would not help.
Zope therefore tries to check whether a standard 'getattr' would
return the same object and accept it in this case.
Otherwise, it will raise "Unauthorized" with the intent
that an unmotivated "Unauthorized" is better than giving
access to some piece of information that should be protected.
In my view, the behaviour is buggy as "__bobo_traverse__" has
no way to return a non-trivial elementary data type -- but
almost surely, it will not be changed...
Then: what solution did you think will be the best solution for my request?
You may try to return a wrapper that behaves the same way
as the original object (by deriving from the respective type)
but has "__roles__ = None" as additional attribute (which declares
the object public).
Can you point me to a simple example or similar? I'm not sure if I
understand what you are telling me
Zope maillist - Zope@zope.org
** No cross posts or HTML encoding! **
(Related lists -