Chris Withers wrote at 2005-2-11 11:59 +0000:
> ... Dieter Maurer wrote:
>> This would be the case, would ZPublisher use the standard traversal procedure. But, in fact, it does not do that. Instead, it traverses to the URL addressed target disregarding any security restrictions,
> I'm afraid this is incorrect. ... Maybe you have some patches in place which affect this
In fact, I have patches in place -- but they do not change Zope in this way ;-)
> , but a normal Zope server does not behave as you describe, and many people would be pretty disturbed if it did...
Then they should have a look at the code of "ZPublisher.BaseRequest.BaseRequest.traverse". This method is responsible for URL traversal. They can easily recognize two parts of this function:

  * the traversal loop
  * authentication

During the traversal loop, there are no access checks (as I have said). And this must be the case, as there is not yet any user!

"roles" are determined during traversal, usually for the last object traversed to, unless this object does not have a "__roles__" attribute (then for its parent, unless it does not have a "__roles__" attribute either, and so on).

The authentication then looks for a userfolder that is able to authenticate a user with the roles determined during traversal.

That's all of the security checks performed during traversal.

In case they are disturbed by this, then they have reasons indeed...

Does the stock Zope code look different ;-)

-- Dieter
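As an added illustration that is not Zope's code and not part of this thread: a toy model of the two phases described above, a traversal loop with no access checks, a roles lookup that walks from the last traversed object up to the nearest "__roles__" attribute, and an authentication step that looks for a user folder able to authenticate a user holding one of those roles. The Node class, the `users` attribute standing in for a user folder, and the sample tree are assumptions.

```python
# Toy model of the two phases of ZPublisher traversal described in the
# thread. Added illustration; Node, `users` and the sample tree are assumed.

class Node:
    """A content object. `roles` sets __roles__ (omit it and the parent
    decides); `users` stands in for a user folder at this node."""
    def __init__(self, name, parent=None, roles=None, users=None):
        self.name, self.parent, self.children = name, parent, {}
        if roles is not None:
            self.__roles__ = roles
        self.users = users or {}        # {username: (password, {roles})}
        if parent is not None:
            parent.children[name] = self

def traverse(root, path):
    """Phase 1: follow the URL path. No access check happens here,
    because no user has been identified yet."""
    obj = root
    for name in filter(None, path.split("/")):
        obj = obj.children[name]
    return obj

def required_roles(obj):
    """Roles come from the last traversed object, or the nearest
    ancestor that carries a __roles__ attribute."""
    while obj is not None:
        if hasattr(obj, "__roles__"):
            return obj.__roles__
        obj = obj.parent
    return None                         # no restriction anywhere on the path

def authenticate(obj, username, password, roles):
    """Phase 2: walk back up the traversed chain looking for a user
    folder that can authenticate `username` with one of `roles`."""
    if roles is None:
        return "Anonymous"
    while obj is not None:
        entry = obj.users.get(username)
        if entry and entry[0] == password and set(entry[1]) & set(roles):
            return username
        obj = obj.parent
    return None                         # Zope would raise Unauthorized here

def publish(root, path, username=None, password=None):
    """Traverse first, determine roles, then authenticate: the order
    the thread describes."""
    target = traverse(root, path)
    return authenticate(target, username, password, required_roles(target))

def sample_site():
    """Constructed tree: only the root has a user folder; 'private'
    requires Manager, and 'report' inherits that via its parent."""
    root = Node("root", users={"admin": ("s3cret", {"Manager"})})
    docs = Node("docs", root)
    private = Node("private", docs, roles=("Manager",))
    Node("report", private)
    return root
```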