[Zope-dev] Re: ZCatalog getObject broken

Florent Guillaume fg at nuxeo.com
Fri Mar 18 04:31:47 EST 2005


Chris Withers  <chris at simplistix.co.uk> wrote:
> > A, B and C are folders nested in each other i.e. A/B/C. A user does not
> > have access to A and B but he does have access to C. If getObject uses
> > restrictedTraverse it returns None immediately when traversing A, even
> > though the user is allowed to access C. If getObject was working
> > properly it would have returned C.
> 
> Ah, okay, I thought that's what you meant, but I hoped it wasn't.
> The fact that you expect this to work is a bug in Zope's security 
> machinery, IMHO, but sadly only IMHO it appears.

Huh? That's fundamental to Zope's security model.

> I would have no problem with the above behaviour if getObject raised 
> Unauthorized rather than returned None.
> 
> Your patch still had it returning None, IIRC, why did it do that?
> 
> > The rest of the discussion basically boils down to figure out if the
> > user is allowed to access C or not.
> 
> Yep, personally I reckon EVERYTHING should behave like 
> restrictedTraverse, but as I said, that appears to just be me...

Well, you must be the only one who never had a need for security
restrictions elsewhere than at the root of the site.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   CTO, Director of R&D
+33 1 40 33 71 59   http://nuxeo.com   fg at nuxeo.com
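To make the disagreement in the thread concrete, here is an added example (my own model, not Zope's code) that implements both policies over the A/B/C folders from the quoted message: a getObject built on hop-by-hop checking, as restrictedTraverse does, yields None for a Member because it is stopped at A, while one that traverses unrestricted and validates only the target yields C. The per-node role lists are an assumption made for the demo; real Zope consults its security manager instead.

```python
class Unauthorized(Exception):
    """Raised when the user may not access an object."""

class Node:
    # Assumption for this demo (not real Zope, which asks the security
    # manager): each node simply lists the roles allowed to view it.
    def __init__(self, name, allowed_roles):
        self.name, self.allowed_roles, self.children = name, set(allowed_roles), {}

    def add(self, name, allowed_roles):
        self.children[name] = Node(name, allowed_roles)
        return self.children[name]

def can_access(user_roles, node):
    return bool(set(user_roles) & node.allowed_roles)

def unrestricted_traverse(root, path):
    """Walk the path with no security checks (like unrestrictedTraverse)."""
    node = root
    for part in path.split("/"):
        node = node.children[part]  # KeyError if the path does not exist
    return node

def restricted_traverse(root, path, user_roles):
    """Check access at every hop (like restrictedTraverse): a user denied at A
    never reaches C, even if C itself would allow them."""
    node = root
    for part in path.split("/"):
        node = node.children[part]
        if not can_access(user_roles, node):
            raise Unauthorized(node.name)
    return node

def get_object_hop_checked(root, path, user_roles):
    """getObject built on restrictedTraverse: returns None on Unauthorized."""
    try:
        return restricted_traverse(root, path, user_roles)
    except Unauthorized:
        return None

def get_object_target_checked(root, path, user_roles):
    """getObject that traverses unrestricted, then validates only the target."""
    node = unrestricted_traverse(root, path)
    if not can_access(user_roles, node):
        raise Unauthorized(node.name)
    return node

def build_site():
    """Constructed sample: A and B are Manager-only, C also allows Members."""
    root = Node("", ["Manager", "Member"])
    root.add("A", ["Manager"]).add("B", ["Manager"]).add("C", ["Manager", "Member"])
    return root
```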
