[Zope-dev] ZCatalog getObject broken

Roché Compaan roche at upfrontsystems.co.za
Thu Mar 3 15:36:16 EST 2005


On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
> Roché Compaan wrote at 2005-3-3 09:53 +0200:
> > ...
> >-        return self.aq_parent.restrictedTraverse(self.getPath(), None)
> >+        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
> >+        if obj and securityManager.validate(obj, obj, None, None):
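Review bot: on the added `if obj and securityManager.validate(obj, obj, None, None):` line, `if obj` tests truthiness rather than presence, so an object that traverses successfully but evaluates false (for example an empty container whose `__len__` returns 0) is handled the same as the `None` default returned by `unrestrictedTraverse` and never reaches `validate`. Use `obj is not None` for the presence test. The third and fourth arguments to `validate` are both `None`, so the check is not tied to any particular name or value. The move from `restrictedTraverse` to `unrestrictedTraverse` also means only the final object is checked, not the intermediate path elements. If that is intended, a comment saying so belongs next to this line.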
> 
> I think this is not correct: "validate" needs at least a
> "value" parameter (this is the fourth parameter).

I thought this much but what value? And doesn't this make the
implementation of restrictedTraverse suspect too?

When code is calling getObject on a catalog brain we don't know what
attribute or method of that object the calling code will access. Does it
then make any sense at all to do security checks in getObject? IMO it
doesn't.


