[Zope-Checkins] CVS: Zope/lib/python/Products/PageTemplates - Expressions.py:1.31.10.4
Shane Hathaway
shane@cvs.zope.org
Wed, 18 Sep 2002 11:52:23 -0400
Update of /cvs-repository/Zope/lib/python/Products/PageTemplates
In directory cvs.zope.org:/tmp/cvs-serv28903/lib/python/Products/PageTemplates
Modified Files:
Tag: Zope-2_5-branch
Expressions.py
Log Message:
Merge from head, adding a note to CHANGES.txt.
Finished fix for collector #558. restrictedTraverse() was not providing
adequate context for the security manager, resulting in excessive Unauthorized
errors. The previous fix corrected traversal using __bobo_traverse__();
this fix corrects traversal using getattr(). The problem was solved by
simply making use of AccessControl.ZopeGuards.guarded_getattr().
=== Zope/lib/python/Products/PageTemplates/Expressions.py 1.31.10.3 => 1.31.10.4 ===
--- Zope/lib/python/Products/PageTemplates/Expressions.py:1.31.10.3 Thu Sep 12 17:57:33 2002
+++ Zope/lib/python/Products/PageTemplates/Expressions.py Wed Sep 18 11:51:52 2002
@@ -49,6 +49,7 @@
if sys.modules.has_key('Zope'):
import AccessControl
from AccessControl import getSecurityManager
+ from AccessControl.ZopeGuards import guarded_getattr
try:
from AccessControl import Unauthorized
except ImportError:
@@ -62,6 +63,7 @@
else:
from PythonExpr import getSecurityManager, PythonExpr
+ guarded_getattr = getattr
try:
from zExceptions import Unauthorized
except ImportError:
@@ -333,16 +335,8 @@
if not validate(object, container, name, o):
raise Unauthorized, name
else:
- o=get(object, name, M)
- if o is not M:
- # Check security.
- if has(object, 'aq_acquire'):
- object.aq_acquire(
- name, validate2, validate)
- else:
- if not validate(object, object, name, o):
- raise Unauthorized, name
- else:
+ o = guarded_getattr(object, name, M)
+ if o is M:
try:
o=object[name]
except (AttributeError, TypeError):