[Zope-dev] ZCatalog getObject broken
Dieter Maurer
dieter at handshake.de
Fri Feb 25 14:21:07 EST 2005
Roché Compaan wrote at 2005-2-25 17:22 +0200:
>Last year in March the following checkin was made that changed
>ZCatalog's getObject to use restrictedTraverse instead of
>unrestrictedTraverse. See:
>
>http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
>
>In my opininion this is wrong,
I agree with you!
> ...
>I would propose that getObject does an unrestrictedTraverse of the path
>and then checks if the user has permission to access that the object.
I argued precisely this approach with the person who made the
change. I had the impression that I have convinced him -- but
apparently, he did not change the code accordingly :-(
Maybe, a bug report to the collector will help?
<http://www.zope.org/Collectors/Zope>
--
Dieter
More information about the Zope-Dev
mailing list