[Zope-dev] Re: ZCatalog getObject broken

Tres Seaver tseaver at zope.com
Thu Mar 10 11:06:00 EST 2005



Florent Guillaume wrote:
| Dieter Maurer  <dieter at handshake.de> wrote:
|
|>Roché Compaan wrote at 2005-2-25 17:22 +0200:
|>
|>> Last year in March the following checkin was made that changed
|>> ZCatalog's getObject to use restrictedTraverse instead of
|>> unrestrictedTraverse. See:
|>>
|>>http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
|>>
|>>In my opinion this is wrong,
|>
|>I agree with you!
|
|
| Me also.
|
|
|>>...
|>> I would propose that getObject does an unrestrictedTraverse of
|>> the path and then checks if the user has permission to access
|>> the object.
|>
|> I argued precisely this approach with the person who made the
|> change. I had the impression that I have convinced him -- but
|> apparently, he did not change the code accordingly :-(
|>
|>Maybe, a bug report to the collector will help?
|>
|>       <http://www.zope.org/Collectors/Zope>
|
|
| Roché has added http://www.zope.org/Collectors/Zope/1713
|
| I intend to fix this before 2.7.5 final, probably today or tonight. I
| feel this is sufficiently important to warrant a fix now. I guess
| it'll mean an RC2.
|
| Please shout if you find problems with this approach.

Please note that calling 'validate' without passing the correct values
for 'container', 'accessed', and 'name' may lead to unexpected results
(it tries to guess, but may not be clever enough, especially if there is
any weird wrapping / unwrapping in play).  This was essentially the
issue which led to the "spurious Unauthorized error" problem in Zope
2.7.3 (this point is germane to issue #1534, as well as #1713).

Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
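
Added example, not part of the original message and not Zope's own code: a self-contained model of the approach discussed in this thread, comparing a fully restricted traversal with an unrestricted traversal to the parent followed by one validate call that names 'accessed', 'container', 'name' and 'value' explicitly. Node, SecurityManager, the toy view-only policy and the sample tree are constructed stand-ins (assumptions); only the method names unrestrictedTraverse and validate come from the thread.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (assumption)."""

class Node:
    """Constructed stand-in for a traversable object with a viewer list."""
    def __init__(self, name, viewers, children=()):
        self.name, self.viewers = name, set(viewers)
        self.children = {c.name: c for c in children}

    def unrestrictedTraverse(self, path):
        obj = self
        for name in path:
            obj = obj.children[name]  # no security checks at all
        return obj

class SecurityManager:
    """Constructed stand-in; the policy here only looks at 'value'."""
    def __init__(self, user):
        self.user = user

    def validate(self, accessed, container, name, value):
        if self.user not in value.viewers:
            raise Unauthorized(name)
        return True

def restricted_traverse(root, path, sm):
    """Behaviour complained about: every step of the path is validated."""
    obj = root
    for name in path:
        child = obj.unrestrictedTraverse([name])
        sm.validate(obj, obj, name, child)
        obj = child
    return obj

def get_object(root, path, sm):
    """Proposed behaviour: no checks on intermediate containers, then
    validate the target, passing its container and id explicitly
    instead of leaving validate to guess them."""
    parent = root.unrestrictedTraverse(path[:-1])
    name = path[-1]
    target = parent.unrestrictedTraverse([name])
    sm.validate(parent, parent, name, target)  # accessed, container, name, value
    return target

# Constructed sample: 'alice' may view 'doc' but not the folder holding it.
ROOT = Node("", {"alice", "bob"}, [
    Node("private", {"bob"}, [Node("doc", {"alice", "bob"}),
                              Node("secret", {"bob"})])])
```

With this sample tree, 'alice' reaches private/doc through get_object but not through restricted_traverse, and private/secret is refused either way.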