[Zope] __bobo_traverse__ and a no-object
Garito
garito at sistes.net
Fri Jul 14 14:00:47 EDT 2006
Dieter Maurer wrote:
> Garito wrote at 2006-7-14 07:04 +0200:
>
>> ...
>> def __bobo_traverse__(self, REQUEST, name):
>>     obj = getattr(self, name, None)
>> ...
>> I wonder why I can do this on a Page Template:
>>
>> <tal:b tal:replace='python: here.Texto' />
>>
>> Where Texto is an acquired property, but not this:
>>
>> <tal:b tal:replace='here/Texto' />
>>
>> because Zope raises an Unauthorized error
>>
>> How can I solve this point?
>>
>
> You can wait for the next Zope release (2.10) where this is fixed.
>
> The reason: security for "__bobo_traverse__" is much stricter
> than for attribute lookup:
>
> In the latter case, the security machinery knows that the value
> was obtained by attribute lookup and can apply the security
> declarations of the accessed object.
>
> In the former case, the security machinery does not know
> which object was really accessed and therefore refuses
> to look at the accessed object. This often leads to
> an "Unauthorized".
>
> The hack in Zope 2.10 checks in this case whether the value
> could as well have been obtained by attribute lookup and
> then checks along this route.
>
>
> If waiting is not an option for you, you can also backport
> the fix to your Zope version.
>
>
>
>
Hi Dieter!
In fact, all my work depends on this question (this is the reason behind
my nervousness. Sorry again, Andreas and the rest of the people.)
Do you know how I can find information to backport the fix?
--
Mis Cosas
http://blogs.sistes.net/Garito
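
The difference Dieter describes between attribute lookup and `__bobo_traverse__`, and the fallback he attributes to Zope 2.10, as an added example that is not part of the original thread and is not Zope's code. It is a simplified model: `Page`, `public_names`, `validate`, `attribute_lookup`, `path_traverse` and `outcome` are hypothetical names, acquisition is not modelled, and the sample data is constructed.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

_MISSING = object()

class Page:
    # Constructed stand-in for a Zope object. public_names plays the
    # role of the object's security declarations (an assumption).
    public_names = frozenset({"Texto", "Virtual"})

    def __init__(self, **attrs):
        self._computed = {"Virtual": "made up during traversal"}
        self.__dict__.update(attrs)

    def __bobo_traverse__(self, REQUEST, name):
        # Same shape as the hook in the post, plus a value that exists
        # only through traversal.
        return getattr(self, name, self._computed.get(name))

def validate(container, name, value):
    # Toy policy: without a known container there are no declarations
    # to consult, so access is refused.
    if container is None or name not in container.public_names:
        raise Unauthorized(name)
    return value

def attribute_lookup(obj, name):
    # Models "python: here.Texto": the container is known.
    return validate(obj, name, getattr(obj, name))

def path_traverse(obj, name, attribute_fallback=False):
    # Models "here/Texto" going through __bobo_traverse__.
    value = obj.__bobo_traverse__(None, name)
    container = None
    # Fallback as described for Zope 2.10: if plain attribute lookup
    # yields the same value, check along that route instead.
    if attribute_fallback and getattr(obj, name, _MISSING) is value:
        container = obj
    return validate(container, name, value)

def outcome(call, *args, **kwargs):
    # Returns the value on success, or the string "Unauthorized".
    try:
        return call(*args, **kwargs)
    except Unauthorized:
        return "Unauthorized"

page = Page(Texto="hello", Interno="internal")  # constructed sample data
```

In this model the fallback does not widen access: `Interno` stays refused because it is not declared public, and `Virtual` stays refused because it cannot be reached by attribute lookup.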