[Zope] __bobo_traverse__ and a no-object

Garito garito at sistes.net
Fri Jul 14 14:43:56 EDT 2006


Garito wrote:
> Dieter Maurer wrote:
>> Garito wrote at 2006-7-14 07:04 +0200:
>>  
>>> ...
>>> def __bobo_traverse__(self, REQUEST, name):
>>>        obj = getattr(self, name, None)
>>> ...
>>> I wonder why I can do this on a Page Template:
>>>
>>> <tal:b tal:replace='python: here.Texto' />
>>>
>>> Where Texto is an acquired property, but not this:
>>>
>>> <tal:b tal:replace='here/Texto' />
>>>
>>> because Zope raises an unauthorized error
>>>
>>> How can I solve this point?
>>>     
>>
>> You can wait for the next Zope release (2.10) where this is fixed.
>>
>> The reason: security for "__bobo_traverse__" is much stricter
>> than for attribute lookup:
>>
>>    In the latter case, the security machinery knows that the value
>>    was obtained by attribute lookup and can apply the security
>>    declarations of the accessed object.
>>
>>    In the former case, the security machinery does not know
>>    which object was really accessed and therefore refuses
>>    to look at the accessed object. This often leads to
>>    an "Unauthorized".
>>
>> The hack in Zope 2.10 checks in this case whether the value
>> could as well have been obtained by attribute lookup and
>> then checks along this route.
>>
>>
>> If waiting is not an option for you, you can also backport
>> the fix to your Zope version.
>>
> Do you refer to this Collector?
>
> http://www.zope.org/Collectors/Zope/2072
>
I use Zope 2.9.2

-- 
Mis Cosas
http://blogs.sistes.net/Garito
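
Added example, not part of the original thread and not Zope's own code: a simplified Python model of the two lookup routes Dieter Maurer describes above, and of the fallback he describes for Zope 2.10. Every name here (`Node`, `validate`, `restricted_traverse`, `recheck_by_attribute`, the sample roles and values) is a constructed assumption for illustration.

```python
class Unauthorized(Exception):
    pass

class Node:
    """Constructed stand-in for a Zope object (not Zope's API)."""
    def __init__(self, parent=None, declarations=None, **attrs):
        self.parent = parent
        self.declarations = declarations or {}  # attribute name -> roles allowed
        self.attrs = attrs

    def lookup(self, name):
        """Crude acquisition: search self, then parents; return (owner, value)."""
        node = self
        while node is not None:
            if name in node.attrs:
                return node, node.attrs[name]
            node = node.parent
        raise AttributeError(name)

    def bobo_traverse(self, name):
        # Like the hook in the post: returns a bare value, owner unknown.
        return self.lookup(name)[1]

def validate(container, name, roles):
    """Refuse if the container is unknown, else apply its declarations."""
    if container is None or not set(roles) & set(container.declarations.get(name, ())):
        raise Unauthorized(name)

def guarded_getattr(obj, name, roles):
    """Attribute route: the owner is known, so its declarations are checked."""
    owner, value = obj.lookup(name)
    validate(owner, name, roles)
    return value

def restricted_traverse(obj, name, roles, recheck_by_attribute=False):
    """Hook route; recheck_by_attribute=True models the fallback described for 2.10."""
    value = obj.bobo_traverse(name)
    try:
        validate(None, name, roles)  # container cannot be determined
    except Unauthorized:
        # Fallback: accept only if the guarded attribute route yields this same value.
        if not recheck_by_attribute or guarded_getattr(obj, name, roles) is not value:
            raise
    return value

# Constructed sample data: Texto is readable by Anonymous, Secret is not.
site = Node(declarations={"Texto": ("Anonymous",), "Secret": ("Manager",)},
            Texto="hello", Secret="s3cr3t")
page = Node(parent=site)
```

In this model the fallback does not loosen the policy: a value is released only when the guarded attribute route would have released the same object, so `Secret` stays refused for an Anonymous caller on both routes.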