[Zope] __bobo_traverse__ and a no-object

Alec Mitchell apm13 at columbia.edu
Fri Jul 14 13:59:22 EDT 2006


On 7/14/06, Dieter Maurer <dieter at handshake.de> wrote:
> Garito wrote at 2006-7-14 07:04 +0200:
> > ...
> >def __bobo_traverse__(self, REQUEST, name):
> >        obj = getattr(self, name, None)
> > ...
> >I wonder why I can do this on a Page Template:
> >
> ><tal:b tal:replace='python: here.Texto' />
> >
> >Where Texto is an acquired property, but not this:
> >
> ><tal:b tal:replace='here/Texto' />
> >
> >because Zope raises an unauthorized error
> >
> >How can I solve this point?
>
> You can wait for the next Zope release (2.10) where this is fixed.
>
> The reason: security for "__bobo_traverse__" is much stricter
> than for attribute lookup:
>
>   In the latter case, the security machinery knows that the value
>   was obtained by attribute lookup and can apply the security
>   declarations of the accessed object.
>
>   In the former case, the security machinery does not know
>   which object was really accessed and therefore refuses
>   to look at the accessed object. This often leads to
>   an "Unauthorized".
>
> The hack in Zope 2.10 checks in this case whether the value
> could as well have been obtained by attribute lookup and
> then checks along this route.
>
>
> If waiting is not an option for you, you can also backport
> the fix to your Zope version.

Hm, if this is the issue, the fix should already be in Zope 2.9.3 and 2.8.7.

Alec
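
The two lookup routes discussed in this thread, as an added toy model that is not part of the original messages and is not Zope's own code. `Folder`, `readable`, `traverse_strict` and `traverse_with_fallback` are hypothetical names, and `validate` and `guarded_getattr` are simplified stand-ins written for this sketch.

```python
class Unauthorized(Exception):
    """Raised when the toy policy refuses access."""

_MISSING = object()

class Folder:
    """Constructed stand-in for a Zope object (not Zope's class)."""
    # Names this toy policy lets a caller read by attribute lookup (assumption).
    readable = frozenset({"Texto"})

    def __init__(self, **attrs):
        self.__dict__.update(attrs)

    def __bobo_traverse__(self, REQUEST, name):
        # Same shape as the hook quoted in the thread: a plain getattr.
        return getattr(self, name, None)

def validate(container, name, value):
    """Plain values carry no declarations; with no known container, refuse."""
    if container is None or name not in container.readable:
        raise Unauthorized(name)
    return True

def guarded_getattr(obj, name, default=_MISSING):
    """Attribute route: container and name are known, so the policy applies."""
    value = getattr(obj, name, default)
    if value is not default:
        validate(obj, name, value)
    return value

def traverse_strict(obj, name):
    """Hook route, strict: the checker cannot tell where the value came from."""
    value = obj.__bobo_traverse__(None, name)
    validate(None, name, value)
    return value

def traverse_with_fallback(obj, name):
    """Hook route plus the fallback described in the quoted reply."""
    value = obj.__bobo_traverse__(None, name)
    try:
        validate(None, name, value)
    except Unauthorized:
        # Accept only if guarded attribute lookup yields the very same object.
        if guarded_getattr(obj, name, _MISSING) is not value:
            raise Unauthorized(name)
    return value
```

The fallback does not widen access: a name that guarded attribute lookup would refuse, or that does not exist on the object, is still refused on the hook route.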