[Zope] __bobo_traverse__ and a no-object

Alec Mitchell apm13 at columbia.edu
Fri Jul 14 19:13:38 EDT 2006


On 7/14/06, Garito <garito at sistes.net> wrote:
> Garito wrote:
> > Dieter Maurer wrote:
> >> Garito wrote at 2006-7-14 07:04 +0200:
> >>
> >>> ...
> >>> def __bobo_traverse__(self, REQUEST, name):
> >>>        obj = getattr(self, name, None)
> >>> ...
> >>> I wonder why I can do this on a Page Template:
> >>>
> >>> <tal:b tal:replace='python: here.Texto' />
> >>>
> >>> Where Texto is an acquired property, but not this:
> >>>
> >>> <tal:b tal:replace='here/Texto' />
> >>>
> >>> because Zope raises an unauthorized error
> >>>
> >>> How can I solve this point?
> >>>
> >>
> >> You can wait for the next Zope release (2.10) where this is fixed.
> >>
> >> The reason: security for "__bobo_traverse__" is much stricter
> >> than for attribute lookup:
> >>
> >>    In the latter case, the security machinery knows that the value
> >>    was obtained by attribute lookup and can apply the security
> >>    declarations of the accessed object.
> >>
> >>    In the former case, the security machinery does not know
> >>    which object was really accessed and therefore refuses
> >>    to look at the accessed object. This often leads to
> >>    an "Unauthorized".
> >>
> >> The hack in Zope 2.10 checks in this case whether the value
> >> could as well have been obtained by attribute lookup and
> >> then checks along this route.
> >>
> >>
> >> If waiting is not an option for you, you can also backport
> >> the fix to your Zope version.
> >>
> >>
> >>
> >>
> > Do you refer to this Collector?
> >
> > http://www.zope.org/Collectors/Zope/2072
> >
> I use Zope 2.9.2

Use 2.9.3 and watch your problem disappear (hopefully).

Alec
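
The difference between the two access routes discussed in this thread, as an added example that is not part of the original messages and not Zope's code. It is a simplified model in plain Python: the Item and Computed classes, the declarations table, the role names and the relaxed flag are all constructed for illustration, and acquisition wrappers are not modelled.

```python
class Unauthorized(Exception):
    pass


class Item:
    """Constructed stand-in for a published object (not a Zope class)."""
    # Hypothetical declarations: attribute name -> roles allowed to read it.
    declarations = {"Texto": {"Anonymous"}, "Secret": {"Manager"}}

    def __init__(self, **attrs):
        self.__dict__.update(attrs)

    def __bobo_traverse__(self, REQUEST, name):
        return getattr(self, name, None)


class Computed(Item):
    def __bobo_traverse__(self, REQUEST, name):
        return object()  # a value that attribute lookup could never return


def guarded_getattr(obj, name, roles):
    """Attribute route (python: here.Texto): the accessed object is known,
    so its own declarations decide."""
    value = getattr(obj, name)
    if not (obj.declarations.get(name, set()) & roles):
        raise Unauthorized(name)
    return value


def traverse(obj, name, roles, relaxed):
    """Path route (here/Texto) through the __bobo_traverse__ hook."""
    value = obj.__bobo_traverse__(None, name)
    if relaxed:
        # Relaxed check: accept the hook's value only if plain attribute
        # lookup yields the very same object and passes its declarations.
        try:
            if guarded_getattr(obj, name, roles) is value:
                return value
        except (AttributeError, Unauthorized):
            pass
    # Strict check: the origin of the value is unknown, so refuse.
    raise Unauthorized(name)


def allowed(obj, name, roles, relaxed):
    try:
        traverse(obj, name, roles, relaxed)
        return True
    except Unauthorized:
        return False
```

The relaxed route does not widen access: a name the caller could not read by attribute lookup, or a hook result that attribute lookup would not have produced, is still refused.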

