[Zope-dev] PAS and AccessControl bug?
Martin Aspeli
optilude+lists at gmail.com
Thu Dec 29 20:11:02 UTC 2011
Hi,
I found this code in PAS, which is mostly lifted from AccessControl.userfolder:
def _getObjectContext( self, v, request ):
""" request -> ( a, c, n, v )
o 'a 'is the object the object was accessed through
o 'c 'is the physical container of the object
o 'n 'is the name used to access the object
o 'v' is the object (value) we're validating access to
o XXX: Lifted from AccessControl.User.BasicUserFolder._getobcontext
"""
if len( request.steps ) == 0: # someone deleted root index_html
request[ 'RESPONSE' ].notFoundError(
'no default view (root default view was probably deleted)' )
root = request[ 'PARENTS' ][ -1 ]
request_container = aq_parent( root )
n = request.steps[ -1 ]
# default to accessed and container as v.aq_parent
a = c = request[ 'PARENTS' ][ 0 ]
# try to find actual container
inner = aq_inner( v )
innerparent = aq_parent( inner )
if innerparent is not None:
# this is not a method, we needn't treat it specially
c = innerparent
elif hasattr(v, 'im_self'):
# this is a method, we need to treat it specially
c = v.im_self
c = aq_inner( v )
# if pub's aq_parent or container is the request container, it
# means pub was accessed from the root
if a is request_container:
a = root
if c is request_container:
c = root
return a, c, n, v
Look at this bit again:
elif hasattr(v, 'im_self'):
# this is a method, we need to treat it specially
c = v.im_self
c = aq_inner( v )
In AccessControl, it's similar:
elif hasattr(v, 'im_self'):
# this is a method, we need to treat it specially
c = v.im_self
c = getattr(v, 'aq_inner', v)
Surely, this isn't right? What is the correct thing to do here?
Martin
More information about the Zope-Dev
mailing list