[Zope] Re: Security Hole in
ZPublisher.BaseRequest.BaseRequest.traverse?
Dieter Maurer
dieter at handshake.de
Thu Feb 17 14:21:44 EST 2005
Chris Withers wrote at 2005-2-17 09:22 +0000:
> ...
>Well, this does beg the question: is this how restrictedTraverse works?
>If not, then why isn't restrictedTraverse used?
I already answered this question (implicitly) in an earlier
message:
ZPublisher cannot use "restrictedTraverse" because
authentication happens only at the end of traversal.
Up to this point, there is no user and
"restrictedTraverse" is likely to fail.
--
Dieter
More information about the Zope
mailing list