Garito wrote at 2008-1-26 13:37 +0100:
I don't understand this explanation quite well, but it interests me a lot (as you can read if you search for all my questions about __bobo_traverse__). Do I need to put the __allow_access_to_unprotected_subobjects__=1 in the __bobo_traverse__ or in some other place?
The Zope weakness becomes obvious when "__bobo_traverse__" returns an object without security declarations. To work around this weakness you have to ensure that "__bobo_traverse__" returns an object with security declarations (in fact, it needs to be public). This means you must set the security declarations on the object returned by "__bobo_traverse__".
... 2008/1/25, Dieter Maurer <dieter@handshake.de>:
Gerhard Schmidt wrote at 2008-1-25 12:04 +0100:
Dieter Maurer wrote: ...
I expect that the "message" object implements a "__bobo_traverse__" method (or gets one through "Five"). Zope is a bit stupid when "__bobo_traverse__" returns an object without security declarations -- such as e.g. a string. In this case, it insists that "getattr" must return the same object and raise "Unauthorized" otherwise.
Time 2008/01/25 12:01:53.125 GMT+1
User Name (User Id) DC83D1F1DB88CDE8 (DC83D1F1DB88CDE8)
Request URL http://devportal:6080/portal_communications/manage_messagequeue
Exception Type Unauthorized
Exception Value You are not allowed to access 'a particular str' in this context
...
- __traceback_info__: message
Module Products.PageTemplates.Expressions, line 338, in restrictedTraverse
- __traceback_info__: {'path': ['ID'], 'TraversalRequestNameStack': []}
Unauthorized: You are not allowed to access 'a particular str' in this context
This may be compatible with my assumption.
Check line 338 in "Products/PageTemplates/Expressions.py". When this line is in the block handling the "__bobo_traverse__", then you have confirmed my assumption.
In this case, you must either get rid of the message's "__bobo_traverse__" or let it return an object with security declarations (such as an "str" wrapper with an "__allow_access_to_unprotected_subobjects__=1" and "__roles__=None") or ensure that a "getattr" results in the same str or fix Zope.
-- Dieter
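
The "str" wrapper workaround suggested above, as an added example that is not part of the original messages and is not Zope code. `PublicStr`, `Message`, `toy_restricted_traverse`, `outcome` and the local `Unauthorized` are hypothetical names, and the check is only a simplified model of the behaviour described in the thread, not Zope's real security policy.

```python
# Added illustration: no Zope import, so it runs stand-alone.
class Unauthorized(Exception):
    """Local stand-in for Zope's Unauthorized exception."""

class PublicStr(str):
    """str wrapper carrying the two declarations named in the thread."""
    __allow_access_to_unprotected_subobjects__ = 1
    __roles__ = None  # None roles: the object is public

class Message:
    """Hypothetical content object with a custom traversal hook."""
    def __init__(self, fields, wrap):
        self._fields = fields
        self._wrap = wrap

    def __bobo_traverse__(self, request, name):
        value = self._fields[name]
        return PublicStr(value) if self._wrap else value

def toy_restricted_traverse(container, name):
    """Simplified model of the check as the thread describes it (assumption)."""
    obj = container.__bobo_traverse__(None, name)
    if hasattr(obj, "__roles__"):
        if obj.__roles__ is None:
            return obj  # declared public: access granted
        raise Unauthorized("roles required: %r" % (obj.__roles__,))
    # No declarations: only accepted if getattr yields the very same object.
    if getattr(container, name, None) is not obj:
        raise Unauthorized(
            "You are not allowed to access %r in this context" % (obj,))
    return obj

def outcome(container, name):
    """Return the traversed value, or the string 'Unauthorized'."""
    try:
        return toy_restricted_traverse(container, name)
    except Unauthorized:
        return "Unauthorized"

if __name__ == "__main__":
    fields = {"ID": "msg-0001"}  # constructed sample data
    print(outcome(Message(fields, wrap=False), "ID"))  # bare str is rejected
    print(outcome(Message(fields, wrap=True), "ID"))   # wrapped str is allowed
```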