Santi Camps wrote at 2004-10-20 07:18 +0200:
... Anyway, I can't understand a behaviour that allows access to a method directly from the URL and crashes when the access is done from a ZPT.
"ZPublisher" (more precisely: "ZPublisher.BaseRequest.BaseRequest.traverse") is responsible for security checking for Web traversal. It uses a different approach than "AccessControl" (which protects access from restricted code). As you found out: Tres fixed a security hole in "AccessControl", but a similar hole is still present in "ZPublisher"...
... On the other hand, I don't think that the current code could be considered a security hole. If a method is unprotected, then the protection of the object itself is applied. I like it.
But the names chosen to control this behaviour ("__allow_access_to_unprotected_subobjects__") suggest that this should not apply automatically. -- Dieter
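As an added illustration (not code from this thread, nor Zope's own implementation), here is a simplified Python model of the two policies Dieter contrasts: an AccessControl-style check that only reaches an unprotected attribute when the container opts in via `__allow_access_to_unprotected_subobjects__`, and a ZPublisher-style traversal check that applies the container's protection automatically. The `Container` class, its methods and the role sets are constructed for the example; the only Zope convention it relies on is the `__roles__` attribute.

```python
# Simplified model of the two checks discussed in the thread. This is NOT
# Zope's code; it only borrows the __roles__ convention (None = public,
# a tuple = roles allowed, absent = unprotected).

UNSPECIFIED = object()  # stands in for "no __roles__ declared"


class Container:
    """Constructed content object: protected itself, with one public
    method and one method that declares no protection at all."""
    __roles__ = ("Manager",)

    def public_view(self):
        return "public"
    public_view__roles__ = None  # explicitly public

    def unprotected(self):  # no unprotected__roles__ declared
        return "unprotected"


class OptInContainer(Container):
    """Same object, but it opts in to exposing unprotected subobjects."""
    __allow_access_to_unprotected_subobjects__ = 1


def _declared_roles(obj, name):
    """Roles declared for attribute `name` of `obj`, or UNSPECIFIED."""
    return getattr(obj, name + "__roles__", UNSPECIFIED)


def _allowed(roles, user_roles):
    return roles is None or bool(set(roles) & set(user_roles))


def restricted_code_check(obj, name, user_roles):
    """AccessControl-style check (restricted code such as a ZPT): an
    unprotected attribute is denied unless the container opts in, and
    then the container's own protection is applied to it."""
    roles = _declared_roles(obj, name)
    if roles is UNSPECIFIED:
        if not getattr(obj, "__allow_access_to_unprotected_subobjects__", 0):
            return False  # deny by default: no opt-in, no access
        roles = getattr(obj, "__roles__", None)
    return _allowed(roles, user_roles)


def url_traversal_check(obj, name, user_roles):
    """ZPublisher-style check as described by Dieter: an unprotected
    method automatically inherits the protection of its container."""
    roles = _declared_roles(obj, name)
    if roles is UNSPECIFIED:
        roles = getattr(obj, "__roles__", None)
    return _allowed(roles, user_roles)
```

Running the same (object, method, user) triple through both functions shows the asymmetry Santi observed: a Manager reaching `unprotected` passes the URL check but fails the restricted-code check until the container opts in.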