Roché Compaan wrote:
I'm unsure about the security check in the patch below - I copied the way restrictedTraverse does it. I read through validate in the default security policy but it is one of those methods where all the security implications don't fit in your head all at once.
--- CatalogBrains.py~ 2004-03-23 22:27:23.000000000 +0200 +++ CatalogBrains.py 2005-03-03 09:43:48.000000000 +0200 @@ -47,7 +47,11 @@ (i.e., it was deleted or moved without recataloging), or if the user is not authorized to access an object along the path. """ - return self.aq_parent.restrictedTraverse(self.getPath(), None) + obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None) + if obj and securityManager.validate(obj, obj, None, None): + return obj + else: + return None
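Review bot: the docstring kept above the changed lines still says None is returned when the user is not authorized to access an object along the path, but unrestrictedTraverse performs no checks on the intermediate objects and the new code validates only the final obj, so that case is no longer covered. Either keep restrictedTraverse or change the docstring to say that only the target object is checked. In the added condition, "if obj and ..." tests truthiness, so an object that exists but evaluates false would be reported as missing; "if obj is not None and ..." avoids that. The hunk also does not show where securityManager is bound, so it needs to be obtained (for example via getSecurityManager()) before this line.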
There is a method deep down in Zope somewhere called:

    self.authenticated_has_access(obj)

I cannot find the definition on my local Windows install, so I assume it's defined in some C code somewhere.

Unfortunately there are no docs on the web either. Though there must have been at some time, as I would otherwise never have found it. Hmm... that is odd.

--
hilsen/regards Max M, Denmark
http://www.mxm.dk/
IT's Mad Science