[Zope-dev] Re: ZCatalog getObject broken

Tres Seaver tseaver at zope.com
Thu Mar 10 12:13:21 EST 2005


Chris McDonough wrote:
| I implemented a "publisherTraverse" function like this FWIW:
|
| def publisherTraverse(context, path):
|     # this is a hack to get around the fact that restrictedTraverse,
|     # unlike publisher traversal, does checks at every step of the
|     # path.  We don't want to limit access in this way (e.g. nested
|     # shares are possible) so we reimplement restrictedTraverse in a
|     # way that emulates publisher traversal semantics
|     ob = context.unrestrictedTraverse(path)
|     user = getSecurityManager().getUser()
|     if not user.has_permission('View', ob):
|         raise zExceptions_Unauthorized, "cant traverse to %s" % path
|     return ob

I don't think that the 'has_permission' check is quite right:  at least,
that isn't what the publisher does.  'ZPublisher.BaseRequest.traverse'
collects roles during the traversal, and then calls the user folder's
'validate', passing them at the end.  (Note as well that 'View' may not
be the permission which is protecting the traversed-to object.)

The "correct" emulation would probably be to call the user object's
'authorize' method, passing the proper values for accessed, container,
name, value, and roles.  Figuring out the proper values is left as an
exercise for the reader ;).

Oracular'ly,

Tres.
--
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
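
Added example, not part of the original message and not Zope code: a simplified, self-contained model of the three checks discussed in this thread (a check at every step, a hard-coded 'View' check on the final object, and one decision at the end against the roles required by the final object's own guarding permission). The Node class, the function names and the sample tree are hypothetical and constructed for illustration.

```python
# Toy model (assumption, not Zope's implementation): each node records which
# permission guards it and which roles hold each permission at that node.
class Node:
    def __init__(self, name, guard, grants, children=()):
        self.name = name
        self.guard = guard        # permission protecting this object
        self.grants = grants      # permission -> roles allowed here
        self.children = {c.name: c for c in children}

def walk(root, path):
    """Yield every object along path, root first, without any checks."""
    node = root
    yield node
    for step in filter(None, path.split("/")):
        node = node.children[step]   # KeyError means "not found"
        yield node

def allowed(node, permission, user_roles):
    return bool(set(node.grants.get(permission, ())) & set(user_roles))

def stepwise(root, path, user_roles):
    """Check at every step: each object's own guard must pass."""
    return all(allowed(n, n.guard, user_roles) for n in walk(root, path))

def view_at_end(root, path, user_roles):
    """The quoted function's check: hard-coded 'View' on the final object."""
    return allowed(list(walk(root, path))[-1], "View", user_roles)

def roles_at_end(root, path, user_roles):
    """Collect required roles while walking, decide once at the end."""
    required = ()
    for n in walk(root, path):
        required = n.grants.get(n.guard, ())  # later steps replace earlier
    return bool(set(required) & set(user_roles))

# Constructed sample tree: a private folder holding a nested share and a
# report guarded by a permission other than 'View'.
share = Node("share", "View", {"View": ["Member"]})
report = Node("report", "Manage reports",
              {"View": ["Member"], "Manage reports": ["Manager"]})
private = Node("private", "View", {"View": ["Manager"]}, [share, report])
root = Node("", "View", {"View": ["Anonymous", "Member", "Manager"]},
            [private])
```

For a Member, the nested share is refused only by the step-wise check, while the report is allowed by the 'View'-only check even though its guarding permission is held by Manager alone.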


