[Zope-Checkins] CVS: Zope/lib/python/OFS - Traversable.py:1.16
Shane Hathaway
shane@cvs.zope.org
Thu, 12 Sep 2002 17:20:53 -0400
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv14563
Modified Files:
Traversable.py
Log Message:
Resolution for bug #558: when restrictedTraverse() traverses using a
__bobo_traverse__ hook, and the hook returns an object that comes from
some other container, the security policy may incorrectly deny access.
This fix determines the container of the object based on its
aquisition wrappers, if available, and passes it to validate().
Also added a corresponding unit test.
=== Zope/lib/python/OFS/Traversable.py 1.15 => 1.16 ===
--- Zope/lib/python/OFS/Traversable.py:1.15 Wed Aug 14 17:42:56 2002
+++ Zope/lib/python/OFS/Traversable.py Thu Sep 12 17:20:52 2002
@@ -99,6 +99,7 @@
object = self
while path:
name=pop()
+ __traceback_info__ = path, name
if name[0] == '_':
# Never allowed in a URL.
@@ -119,7 +120,11 @@
if restricted:
container = N
- if has(o, 'im_self'):
+ if aq_base(o) is not o:
+ # The object is wrapped, so the acquisition
+ # context determines the container.
+ container = aq_parent(aq_inner(o))
+ elif has(o, 'im_self'):
container = o.im_self
elif (has(get(object, 'aq_base', object), name)
and get(object, name) == o):