[Zope] __bobo_traverse__ help
Garito
garito at sistes.net
Wed Nov 8 21:07:39 EST 2006
Dieter Maurer wrote:
> Garito wrote at 2006-11-8 02:50 +0100:
>
>> Please consider this code:
>>
>> def __bobo_traverse__(self, REQUEST, name):
>>     obj = self.Propiedad(name)
>>     if obj is None: return self
>>     else: return obj
>>
>> def Propiedad(self, propiedad):
>>     obj = getattr(self, propiedad, None)
>>     if obj is None: return obj  # Add catalog search
>>     else:
>>         if type(obj) == type(str('')) and obj.startswith('[') and obj.endswith(']'):
>>             return self.Expresion({'Expresion': obj[1:-1]})['Resultado']
>>         return obj
>>
>> I wonder why I can do:
>>
>> <tal:b tal:replace='python: here.Propiedad("Modificacion")' />
>>
>> but not:
>>
>> <tal:b tal:replace='here/Modificacion' />
>> ...
>> When I try here/Modificacion I get an Unauthorized error trying to access
>> Modificacion
>>
>
> What you see is an authentication weakness with "__bobo_traverse__":
>
> Zope's security machinery requires acquisition wrappers
> to work reliably.
>
> When "__bobo_traverse__" returns a non acquisition wrapped
> object without public security declarations, then the
> normal security check would not help.
>
> Zope therefore tries to check whether a standard 'getattr' would
> return the same object and accept it in this case.
> Otherwise, it will raise "Unauthorized" with the intent
> that an unmotivated "Unauthorized" is better than giving
> access to some piece of information that should be protected.
>
>
> In my view, the behaviour is buggy as "__bobo_traverse__" has
> no way to return a non-trivial elementary data type -- but
> almost surely, it will not be changed...
>
>
>
>
Hi Dieter!
Then: what solution do you think would be the best for my request?
Thanks!
--
Mis Cosas
http://blogs.sistes.net/Garito
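
The fallback check Dieter describes, as a simplified model added here (not Zope's traversal code and not part of the original thread). `traverse_step`, `outcome`, the `Documento` class, its attribute values and the `Expresion` stand-in are assumptions made for illustration; only the case of an unwrapped return value is modelled.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""

_marker = object()

def traverse_step(obj, name, request=None):
    """Model of one traversal step for an unwrapped __bobo_traverse__ result.

    The value is accepted only if a plain getattr() on the container returns
    the very same object; anything else is refused rather than exposed.
    """
    nxt = obj.__bobo_traverse__(request, name)
    if getattr(obj, name, _marker) is nxt:
        return nxt
    raise Unauthorized(name)

class Documento:
    Titulo = 'Plain title'               # constructed: ordinary string attribute
    Modificacion = '[here.modified()]'   # constructed: bracketed expression

    def Expresion(self, args):
        # Hypothetical stand-in for the poster's expression evaluator.
        return {'Resultado': 'evaluated ' + args['Expresion']}

    def Propiedad(self, propiedad):
        obj = getattr(self, propiedad, None)
        if isinstance(obj, str) and obj.startswith('[') and obj.endswith(']'):
            return self.Expresion({'Expresion': obj[1:-1]})['Resultado']
        return obj

    def __bobo_traverse__(self, REQUEST, name):
        obj = self.Propiedad(name)
        return self if obj is None else obj

def outcome(doc, name):
    """Return the traversed value, or the string 'Unauthorized' if refused."""
    try:
        return traverse_step(doc, name)
    except Unauthorized:
        return 'Unauthorized'

if __name__ == '__main__':
    doc = Documento()
    print(outcome(doc, 'Titulo'))            # same object as getattr: accepted
    print(outcome(doc, 'Modificacion'))      # computed value: refused
    print(doc.Propiedad('Modificacion'))     # direct call bypasses the check
```

In this model the path form fails for exactly the values `Propiedad` computes, because the computed string is a different object from the one `getattr` finds, while calling `Propiedad` directly never goes through the traversal check.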