[Zope-dev] ZCatalog getObject broken
Roché Compaan
roche at upfrontsystems.co.za
Thu Mar 3 02:53:08 EST 2005
On Fri, 2005-02-25 at 21:06 +0100, Andreas Jung wrote:
>
> --On Friday, 25 February 2005, 20:21 +0100 Dieter Maurer
> <dieter at handshake.de> wrote:
>
> > Roché Compaan wrote at 2005-2-25 17:22 +0200:
> >> Last year in March the following checkin was made that changed
> >> ZCatalog's getObject to use restrictedTraverse instead of
> >> unrestrictedTraverse. See:
> >>
> >> http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
> >>
> >> In my opinion this is wrong,
> >
> > I agree with you!
> >
> >> ...
> >> I would propose that getObject does an unrestrictedTraverse of the path
> >> and then checks if the user has permission to access that the object.
> >
> > I argued precisely this approach with the person who made the
> > change. I had the impression that I have convinced him -- but
> > apparently, he did not change the code accordingly :-(
> >
> > Maybe, a bug report to the collector will help?
> >
> > <http://www.zope.org/Collectors/Zope>
> >
>
> Best to include a patch as well :-)
>
> -aj
I'm unsure about the security check in the patch below - I copied the
way restrictedTraverse does it. I read through validate in the default
security policy, but it is one of those methods where all the security
implications don't fit in your head all at once.
--- CatalogBrains.py~ 2004-03-23 22:27:23.000000000 +0200
+++ CatalogBrains.py 2005-03-03 09:43:48.000000000 +0200
@@ -47,7 +47,11 @@
(i.e., it was deleted or moved without recataloging), or if the
user is
not authorized to access an object along the path.
"""
- return self.aq_parent.restrictedTraverse(self.getPath(), None)
+ obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
+ if obj and securityManager.validate(obj, obj, None, None):
+ return obj
+ else:
+ return None
def getRID(self):
"""Return the record ID for this object."""
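Review bot: `securityManager` on the line `+ if obj and securityManager.validate(obj, obj, None, None):` is not defined anywhere in this hunk; unless CatalogBrains.py already binds that name at module level (the diff shows no import), the first call to getObject raises NameError. Obtain it per request with `getSecurityManager()` from `AccessControl` and add the import to the patch. Second, `if obj and ...` tests truthiness rather than presence: folderish objects define `__len__`, so an empty container sitting at the cataloged path is falsy and getObject would report it as missing; write `if obj is not None and securityManager.validate(...)`. Third, the docstring kept as context, "or if the user is not authorized to access an object along the path", no longer describes the behaviour, because `unrestrictedTraverse` skips the checks on intermediate objects and only the final object is validated; reword it to say that None is returned when the user may not access the found object itself. Finally, the validate call passes no attribute name and no value (`None, None`), so what is checked is access to obj as an object, not any particular attribute or permission on it; state that in the docstring or a comment, since that is exactly the part the cover note says is uncertain.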
--
Roché Compaan
Upfront Systems http://www.upfrontsystems.co.za
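The behavioural difference the thread argues about, as an added, self-contained example that is not code from Zope, from the patch above, or from any of the posters. It models traversal with plain Python classes: `Node` is a hypothetical stand-in for a cataloged Zope object whose `view_roles` plays the part of the object's `__roles__`, `User` carries a set of roles, and `validate` is a hypothetical stand-in for the security-policy check on a single object. `restricted_traverse` checks every object on the path, the way the current getObject does, while `get_object` walks the path unchecked and validates only the final object, the way the proposal does. It also shows why the leaf check should test `is not None` rather than truthiness: an empty folder defines `__len__` and is falsy.

```python
class Node:
    """Hypothetical stand-in for a cataloged Zope object.

    ``view_roles`` models the object's ``__roles__`` (roles allowed to
    access it); ``children`` models containment so paths can be walked.
    """

    def __init__(self, name, view_roles, children=()):
        self.name = name
        self.view_roles = frozenset(view_roles)
        self.children = {child.name: child for child in children}

    def __len__(self):
        # Folderish objects define __len__, so an empty one is falsy.
        return len(self.children)


class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)


def validate(user, obj):
    """Model of the policy check on one object: any shared role grants access."""
    return bool(user.roles & obj.view_roles)


def _steps(path):
    return [part for part in path.split('/') if part]


def unrestricted_traverse(root, path, default=None):
    """Walk the path with no security checks at all."""
    obj = root
    for name in _steps(path):
        obj = obj.children.get(name)
        if obj is None:
            return default
    return obj


def restricted_traverse(root, path, user, default=None):
    """Walk the path checking every object on it.

    One unviewable container anywhere on the path hides the leaf, which is
    the behaviour the thread objects to for catalog results.
    """
    obj = root
    for name in _steps(path):
        obj = obj.children.get(name)
        if obj is None or not validate(user, obj):
            return default
    return obj


def get_object_truthy(root, path, user):
    """Leaf-only check written as ``if obj and ...``: drops empty folders."""
    obj = unrestricted_traverse(root, path, None)
    if obj and validate(user, obj):
        return obj
    return None


def get_object(root, path, user):
    """Leaf-only check: unrestricted walk, then validate the found object.

    Compares against None explicitly so an empty (falsy) folder is returned.
    """
    obj = unrestricted_traverse(root, path, None)
    if obj is not None and validate(user, obj):
        return obj
    return None


# Constructed sample site: /private is Manager-only, but the report inside
# it is readable by Members; /public is an empty, Member-readable folder.
REPORT = Node('report', ['Manager', 'Member'])
SITE = Node('', ['Anonymous', 'Member', 'Manager'], [
    Node('private', ['Manager'], [REPORT]),
    Node('public', ['Member', 'Manager']),
])
MEMBER = User('alice', ['Member'])
ANON = User('anon', ['Anonymous'])


def demo():
    """Outcomes for the cases the thread is concerned with."""
    return {
        'restricted': restricted_traverse(SITE, '/private/report', MEMBER),
        'leaf_check': get_object(SITE, '/private/report', MEMBER),
        'anon_leaf': get_object(SITE, '/private/report', ANON),
        'truthy_empty': get_object_truthy(SITE, '/public', MEMBER),
        'is_not_none': get_object(SITE, '/public', MEMBER),
        'missing': get_object(SITE, '/private/gone', MEMBER),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, None if value is None else repr(value.name))
```

Running it shows the Member's search hit under /private disappearing with the path-wise check but surviving the leaf-only check, the anonymous user still being refused the report, and the empty /public folder vanishing only under the truthiness test.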