[Zope-Checkins] CVS: Zope/lib/python/OFS - Traversable.py:1.13.16.1
Shane Hathaway
shane@cvs.zope.org
Thu, 12 Sep 2002 17:24:57 -0400
Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv15931
Modified Files:
Tag: Zope-2_5-branch
Traversable.py
Log Message:
Merge from head.
Resolution for bug #558: when restrictedTraverse() traverses using a
__bobo_traverse__ hook, and the hook returns an object that comes from
some other container, the security policy may incorrectly deny access.
This fix determines the container of the object based on its
aquisition wrappers, if available, and passes it to validate().
=== Zope/lib/python/OFS/Traversable.py 1.13 => 1.13.16.1 ===
--- Zope/lib/python/OFS/Traversable.py:1.13 Wed Nov 28 10:50:57 2001
+++ Zope/lib/python/OFS/Traversable.py Thu Sep 12 17:24:56 2002
@@ -100,6 +100,7 @@
object = self
while path:
name=pop()
+ __traceback_info__ = path, name
if name[0] == '_':
# Never allowed in a URL.
@@ -120,7 +121,11 @@
if restricted:
container = N
- if has(o, 'im_self'):
+ if aq_base(o) is not o:
+ # The object is wrapped, so the acquisition
+ # context determines the container.
+ container = aq_parent(aq_inner(o))
+ elif has(o, 'im_self'):
container = o.im_self
elif (has(get(object, 'aq_base', object), name)
and get(object, name) == o):