[Zope] __bobo_traverse__ help

Garito garito at sistes.net
Wed Nov 8 21:07:39 EST 2006


Dieter Maurer wrote:
> Garito wrote at 2006-11-8 02:50 +0100:
>   
>> Please consider this code:
>>
>> def __bobo_traverse__(self, REQUEST, name):
>>        obj = self.Propiedad(name)
>>        if obj is None: return self
>>        else: return obj
>>
>> def Propiedad(self, propiedad):
>>    obj = getattr(self, propiedad, None)
>>    if obj is None: return obj # Add catalog search
>>    else:
>>        if type(obj) == type(str('')) and obj.startswith('[') and obj.endswith(']'):
>>            return self.Expresion({'Expresion': obj[1:-1]})['Resultado']
>>    return obj
>>
>> I wonder why I can do:
>>
>> <tal:b tal:replace='python: here.Propiedad("Modificacion")' />
>>
>> but not:
>>
>> <tal:b tal:replace='here/Modificacion' />
>> ...
>> When I try here/Modificacion I get an unauthorized error trying to access 
>> Modificacion
>>     
>
> What you see is an authentication weakness with "__bobo_traverse__":
>
>   Zope's security machinery requires acquisition wrappers
>   to work reliably.
>
>   When "__bobo_traverse__" returns a non acquisition wrapped
>   object without public security declarations, then the
>   normal security check would not help.
>
>   Zope therefore tries to check whether a standard 'getattr' would
>   return the same object and accept it in this case.
>   Otherwise, it will raise "Unauthorized" with the intent
>   that an unmotivated "Unauthorized" is better than giving
>   access to some piece of information that should be protected.
>
>
> In my view, the behaviour is buggy as "__bobo_traverse__" has
> no way to return a non-trivial elementary data type -- but
> almost surely, it will not be changed...
>
>
>
>   
Hi Dieter!
Then: what solution do you think would be the best for my request?

Thanks!

-- 
Mis Cosas
http://blogs.sistes.net/Garito
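
The check Dieter describes, as a simplified stand-alone model (an added example, not part of the original thread and not Zope's own code). `restricted_traverse`, `Wrapped`, `Document`, the sample attribute values and the `"evaluated:"` stand-in for `Expresion` are all assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Stand-in for the Unauthorized error (model only)."""

class Wrapped:
    """Stand-in for an acquisition-wrapped object that knows its container."""
    def __init__(self, obj, container):
        self.obj, self.container = obj, container

_MISSING = object()

def restricted_traverse(container, name):
    """Model of the rule quoted above: fail closed on unverifiable results."""
    hook = getattr(container, "__bobo_traverse__", None)
    if hook is None:
        return getattr(container, name)
    result = hook(None, name)
    if isinstance(result, Wrapped):
        return result  # wrapper present; model assumes the normal check passes
    if getattr(container, name, _MISSING) is result:
        return result  # identical to what a plain getattr yields: accepted
    raise Unauthorized(name)  # computed value with no provable origin

class Document:
    # Constructed sample attributes mirroring the post's bracket convention.
    Titulo = "plain title"
    Modificacion = "[modified_date]"

    def Propiedad(self, name):
        obj = getattr(self, name, None)
        if isinstance(obj, str) and obj.startswith("[") and obj.endswith("]"):
            return "evaluated:" + obj[1:-1]  # stands in for self.Expresion(...)
        return obj

    def __bobo_traverse__(self, REQUEST, name):
        obj = self.Propiedad(name)
        return self if obj is None else obj

def outcome(doc, name):
    """Return the traversed value, or the string 'Unauthorized'."""
    try:
        return restricted_traverse(doc, name)
    except Unauthorized:
        return "Unauthorized"

if __name__ == "__main__":
    doc = Document()
    print(outcome(doc, "Titulo"))        # stored string, same object as getattr
    print(doc.Propiedad("Modificacion")) # direct call, no traversal check
    print(outcome(doc, "Modificacion"))  # computed string, rejected
```

In the model, the direct `Propiedad` call succeeds because it never passes through the traversal check, while the path form fails because the computed string is not the object that `getattr` would return.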
