[Zope-dev] Re: [Zope-CMF] Access problem.
Tres Seaver
tseaver@zope.com
25 Sep 2002 07:39:46 -0400
On Wed, 2002-09-25 at 06:41, Ignacio Dosil Lago wrote:
> -- I am developing a CMF "link" product which defines its own traverse method:
>
> def __bobo_traverse__(self, request, name=None):
> "Traverse method hook"
>
> if hasattr(self, name):
> # return own attributes/subobjects
> return getattr(self, name)
> else:
> t= self.getTarget()
> if hasattr(t, name):
> # return target's attributes/subobjects
> return getattr(t, name)
> else:
> return t
>
> -- It works fine under the ZMI but when I try to access an object of this
> product into a CMF portal using the CMF interface, Zope requests me login
> name and password (even if I am admin!!), which it doesn't accept, so the
> only way to continue is to cancel instead of triying to log in.
I don't know why it would work in the ZMI; this smells like a problem
in the way you wrap (or don't) the target object returned by
'getTarget'. Try the following to test that:
from Acquisition import aq_base, aq_parent
def __bobo_traverse__(self, request, name=None):
"Traverse method hook"
if hasattr(self, name):
# return own attributes/subobjects
return getattr(self, name)
else:
t = self.getTarget()
t = aq_base( t ).__of__( aq_parent( self ) )
if hasattr(t, name):
# return target's attributes/subobjects
return getattr(t, name)
else:
return t
This version addresses the issue that the security machinery expects to
crawl up the containment part of the acquisition chain to verify that
the user and the accessed object are in proper relation to one another;
it does this by ripping off any existing acquisition wrapper (the
'aq_base' call) and re-wrapping the object in the context of the link's
parent ( the '__of__' call).
Hope this helps,
Tres.
--
===============================================================
Tres Seaver tseaver@zope.com
Zope Corporation "Zope Dealers" http://www.zope.com