On Fri, 2005-02-25 at 21:06 +0100, Andreas Jung wrote:
--On Friday, 25 February 2005 20:21 +0100 Dieter Maurer <dieter@handshake.de> wrote:
Roché Compaan wrote at 2005-2-25 17:22 +0200:
Last year in March the following checkin was made that changed ZCatalog's getObject to use restrictedTraverse instead of unrestrictedTraverse. See:
http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
In my opinion this is wrong,
I agree with you!
... I would propose that getObject does an unrestrictedTraverse of the path and then checks if the user has permission to access the object.
I argued precisely this approach with the person who made the change. I had the impression that I had convinced him -- but apparently, he did not change the code accordingly :-(
Maybe, a bug report to the collector will help?
Best to include a patch as well :-)
-aj
I'm unsure about the security check in the patch below - I copied the way restrictedTraverse does it. I read through validate in the default security policy but it is one of those methods where all the security implications don't fit in your head all at once. --- CatalogBrains.py~ 2004-03-23 22:27:23.000000000 +0200 +++ CatalogBrains.py 2005-03-03 09:43:48.000000000 +0200 @@ -47,7 +47,11 @@ (i.e., it was deleted or moved without recataloging), or if the user is not authorized to access an object along the path. """ - return self.aq_parent.restrictedTraverse(self.getPath(), None) + obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None) + if obj and securityManager.validate(obj, obj, None, None): + return obj + else: + return None def getRID(self): """Return the record ID for this object.""" -- Roché Compaan Upfront Systems http://www.upfrontsystems.co.za
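Review bot: `if obj and securityManager.validate(...)` in the added lines tests the truth value of the traversed object, so an object that exists but evaluates false (an empty folder-like container, for instance) would come back as None; compare against the traversal default instead, e.g. `if obj is not None and ...`. In the same line, `securityManager` is not defined or imported anywhere in the visible context, so the patch needs to show where it comes from (restrictedTraverse, which the message says this was copied from, obtains it with getSecurityManager()). The call passes obj in both the first and second positions and None in the last two; if the signature is validate(accessed, container, name, value), the object being checked belongs in the value slot together with its real container and name, which is how restrictedTraverse calls it at each step. The unchanged docstring still says None is returned when the user is not authorized to access "an object along the path", which no longer matches a check on the final object only and should be reworded; it also promises None for the unauthorized case, so an Unauthorized exception raised by validate should be caught here rather than left to propagate.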