Garito wrote at 2008-1-26 13:37 +0100:
>I don't understand quite well this explanation but it interest me a lot (as
>you can read if you search for my all questions about __bobo_traverse__)
>do it need I put the __allow_access_to_unprotected_subobjects__=1 in the
>__bobo_traverse__ or in other place?

The Zope weakness becomes obvious when "__bobo_traverse__"
returns an object without security declarations.

To work around this weakness you have to ensure that
"__bobo_traverse__" returns an object
with security declarations (in fact, it need to be public).
This means, you must set the security declarations on the
object returned by "__bobo_traverse__".

> ...
>2008/1/25, Dieter Maurer <[EMAIL PROTECTED]>:
>>
>> Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
>> >Dieter Maurer schrieb:
>> > ...
>> >> I expect that the "message" object implements a "__bobo_traverse__"
>> >> method (or gets one through "Five").
>> >> Zope is a bit stupid when "__bobo_traverse__" returns an object
>> >> without security declarations -- such as e.g. a string.
>> >> In this case, it insists that "getattr" must return the same object
>> >> and raise "Unauthorized" otherwise.
>> >
>> >Time   2008/01/25 12:01:53.125 GMT+1
>> >User Name (User Id)    DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
>> >Request URL
>> http://devportal:6080/portal_communications/manage_messagequeue
>> >Exception Type         Unauthorized
>> >Exception Value        You are not allowed to access 'a particular str'
>> in
>> >this context
>> > ...
>> >   - __traceback_info__: message
>> >  Module Products.PageTemplates.Expressions, line 338, in
>> restrictedTraverse
>> >   - __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack':
>> []}
>> >Unauthorized: You are not allowed to access 'a particular str' in this
>> >context
>>
>> This may be compatible with my assumption.
>>
>> Check line 338 in "Products/PageTemplates/Expressions.py".
>> When this line is in the block handling the "__bobo_traverse__",
>> then you have confirmed my assumption.
>>
>>
>> In this case, you must either get rid of the message's "__bobo_traverse__"
>> or let it return an object with security declarations (such
>> as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1"
>> and "__roles__=None") or ensure that a "getattr" results in the same
>> str or fix Zope.



-- 
Dieter
_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to