[Zope] restrictedTraverse versus unrestrictedTraverse versus
simpler notations
Terry Hancock
hancock at anansispaceworks.com
Mon Sep 15 15:07:04 EDT 2003
On Monday 15 September 2003 01:38 pm,
nwingfield at che-llp.com wrote:
> Q1. What is the difference between restrictedTraverse
and
> unrestrictedTraverse? When would one use the latter over
the former?
In short, you will almost always use the former, as it is
the only one allowed in templates or scripts.
unrestrictedTraverse is only usable from unrestricted code,
as in a Python Product or External method.
> Q2. In product code, what is the value in using
> 'self.restrictedTraverse(id)' or
'self.unrestrictedTraverse(id)' versus
> simpler notation, such as 'self[id]' or 'getattr(self,
id)' ?
I think the principle value is that unrestrictedTraverse()
will actually follow a path, and it will search attributes
and items both to do it.
Using restrictedTraverse() would be appropriate if you
wanted normal Zope security checks to apply to the
traversal (there are reasons you might want that to be --
if you were ever to traverse to a URL acquired from the
REQUEST, for example, then it should obviously be subject
to the same security as you would expect for restricted
code).
Since explicitness is probably more desireable in product
code, I suspect that it would generally be better to
use one of the simpler notations that you mention. There
may be other reasons to use it, too.
Cheers,
Terry
--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
More information about the Zope
mailing list