[Zope] __bobo_traverse__ and a no-object

Garito garito at sistes.net
Fri Jul 14 14:00:47 EDT 2006


Dieter Maurer wrote:
> Garito wrote at 2006-7-14 07:04 +0200:
>   
>> ...
>> def __bobo_traverse__(self, REQUEST, name):
>>        obj = getattr(self, name, None)
>> ...
>> I wonder why I can do this on a Page Template:
>>
>> <tal:b tal:replace='python: here.Texto' />
>>
>> Where Texto is an acquired property, but not this:
>>
>> <tal:b tal:replace='here/Texto' />
>>
>> because Zope raises an unauthorized error
>>
>> How can I solve this point?
>>     
>
> You can wait for the next Zope release (2.10) where this is fixed.
>
> The reason: security for "__bobo_traverse__" is much stricter
> than for attribute lookup:
>
>    In the latter case, the security machinery knows that the value
>    was obtained by attribute lookup and can apply the security
>    declarations of the accessed object.
>
>    In the former case, the security machinery does not know
>    which object was really accessed and therefore refuses
>    to look at the accessed object. This often leads to
>    an "Unauthorized".
>
> The hack in Zope 2.10 checks in this case whether the value
> could as well have been obtained by attribute lookup and
> then checks along this route.
>
>
> If waiting is not an option for you, you can also backport
> the fix to your Zope version.
>
>
>
>   
Hi Dieter!
In fact all my work depends on this question (this is the reason behind 
my nervousness. Sorry again Andreas and the rest of the people)

Do you know how I can find information to backport the fix?

-- 
Mis Cosas
http://blogs.sistes.net/Garito
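
The difference Dieter describes between the two lookup routes, as a stand-alone simplified model in Python (an added example, not Zope source code and not part of the original message). `Node`, `validate`, `guarded_getattr`, `traverse_strict` and `traverse_with_fallback` are hypothetical names, and the `public` set stands in for Zope's security declarations.

```python
class Unauthorized(Exception):
    """Model-only exception; this block is an illustration, not Zope source."""

class Node:
    """Object with a parent link; names missing here are acquired from it."""
    def __init__(self, parent=None, public=(), **attrs):
        self.parent, self.public = parent, set(public)
        self.__dict__.update(attrs)

    def __getattr__(self, name):  # only called when normal lookup fails
        if name.startswith("_") or self.__dict__.get("parent") is None:
            raise AttributeError(name)
        return getattr(self.parent, name)

    def __bobo_traverse__(self, REQUEST, name):  # the hook from the post
        return getattr(self, name, None)

def validate(container, name):
    """A plain value has no declarations of its own; the container decides."""
    if container is None or name not in container.public:
        raise Unauthorized(name)

def guarded_getattr(obj, name):
    """Attribute route: locate the node that really holds `name`, check it."""
    node = obj
    while node is not None and name not in vars(node):
        node = node.parent
    validate(node, name)
    return vars(node)[name]

def traverse_strict(obj, name):
    """Hook result checked with no known container: always refused here."""
    value = obj.__bobo_traverse__(None, name)
    validate(None, name)
    return value

def traverse_with_fallback(obj, name):
    """On refusal, accept only what guarded attribute lookup also returns."""
    value = obj.__bobo_traverse__(None, name)
    try:
        validate(None, name)
    except Unauthorized:
        if guarded_getattr(obj, name) is not value:
            raise
    return value

# Constructed sample data: Texto is declared public on the parent, Secret is not.
site = Node(public={"Texto"}, Texto="hello", Secret="s3cr3t")
page = Node(parent=site)
```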



