Chris Withers <chrisw@nipltd.com> said:
As this is such a core piece of Zope, it seems quite unlikely to me that I found a bug here (although an older version of ZPublisher does check object instead of subobject). The only thing I can think of is that Acquisition should work for the getattr() and somehow I managed to disable Acquisition on these instances.
This sounds like a bug to me. I've had very similar problems to this with Squishdot.
An extra data point: it really seems to be a bug. I've applied the patch to our servers (development and production), and the only different behavior I can see is that a folder that is protected by a mysqlUserFolder acl_users now denies be access when trying to access the folder, instead of trying to access one of the objects within the folder. And that seems to be better behavior to me, too. -- Cees de Groot http://www.cdegroot.com <cg@cdegroot.com> GnuPG 1024D/E0989E8B 0016 F679 F38D 5946 4ECD 1986 F303 937F E098 9E8B