[Zope-dev] Re: ZCatalog getObject broken
Florent Guillaume
fg at nuxeo.com
Fri Mar 18 04:31:47 EST 2005
Chris Withers <chris at simplistix.co.uk> wrote:
> > A, B and C are folders nested in each other i.e. A/B/C. A user does not
> > have access to A and B but he does have access to C. If getObject uses
> > restrictedTraverse it returns None immediately when traversing A, even
> > though the user is allowed to access C. If getObject was working
> > properly it would have returned C.
>
> Ah, okay, I thought that's what you meant, but I hoped it wasn't.
> The fact that you expect this to work is a bug in Zope's security
> machinery, IMHO, but sadly only IMHO it appears.

Huh? That's fundamental to Zope's security model.

> I would have no problem with the above behaviour if getObject raised
> Unauthorized rather than returned None.
>
> Your patch still had it returning None, IIRC, why did it do that?
>
> > The rest of the discussion basically boils down to figure out if the
> > user is allowed to access C or not.
>
> Yep, personally I reckon EVERYTHING should behave like
> restrictedTraverse, but as I said, that appears to just be me...

Well, you must be the only one who never had a need for security
restrictions elsewhere than at the root of the site.

Florent

--
Florent Guillaume, Nuxeo (Paris, France) CTO, Director of R&D
+33 1 40 33 71 59 http://nuxeo.com fg at nuxeo.com
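
Added example (not part of the original message, and not Zope's code): a toy Python model of the A/B/C case discussed above, contrasting an access check on every traversal step, which is how the thread describes getObject behaving with restrictedTraverse, with a check on the final object only. Folder, Unauthorized, the function names and the sample users are hypothetical.

```python
# Toy model of the thread's A/B/C case. Not Zope code: every name is hypothetical.
class Unauthorized(Exception):
    """Raised when a user may not access an object."""

class Folder:
    def __init__(self, name, allowed_users):
        self.name = name
        self.allowed = set(allowed_users)  # users who may access this object
        self.children = {}

    def add(self, child):
        self.children[child.name] = child
        return child

def traverse_checked_each_step(root, path, user):
    """Check access on every object along the path (per-step check)."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
        if user not in obj.allowed:
            raise Unauthorized(f"{user} may not access {obj.name}")
    return obj

def traverse_checked_at_target(root, path, user):
    """Walk the path without checks, then check access on the target only."""
    obj = root
    for name in path.split("/"):
        obj = obj.children[name]
    if user not in obj.allowed:
        raise Unauthorized(f"{user} may not access {obj.name}")
    return obj

def lookup_or_none(traverse, root, path, user):
    """Turn Unauthorized into None, the return behaviour questioned in the thread."""
    try:
        return traverse(root, path, user)
    except Unauthorized:
        return None

def build_sample_site():
    """Constructed sample: 'user' may access C but neither A nor B."""
    root = Folder("", {"admin", "user"})
    a = root.add(Folder("A", {"admin"}))
    b = a.add(Folder("B", {"admin"}))
    b.add(Folder("C", {"admin", "user"}))
    return root
```

With the per-step check, `lookup_or_none` gives None for "A/B/C" as soon as A is refused, so the caller cannot tell "denied at an ancestor" from "no such object"; with the target-only check the same user gets C, while a request for "A/B" still raises Unauthorized.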