"Phillip J. Eby" wrote:
This is not a bug, it's a feature. :) If you look closely at the dictionary, you will see it contains empty lists for all these items. These empty lists are the DataSkins.NOT_FOUND singleton, which caches the nonexistence of these attributes. This is not a security problem, nor any other kind of problem. It is instead a performance optimization which keeps the DataSkin from querying all the AttributeProviders every time a known-to-be-nonexistent attribute is looked for.
There _IS_ a problem. Maybe _v_cachedAttr is not the guilty party, but do you know that it exists only in newly created objects and does _not_ exist in old ones? Anyway, newly created DataSkin instances return the wrong REQUEST (and other things), but _old_ retrieved ones work well. I tell you this because it is impossible to obtain AUTHENTICATE_USER from fresh DataSkins, so things like 'manage_tabs' just do not work properly.

Try setting up a Rack for any real ZClass and you will see this. If you'd like, I can send you a complete test suite reproducing the situation.

Mike