[Zope] __bobo_traverse__ help
Dieter Maurer
dieter at handshake.de
Thu Nov 9 15:00:20 EST 2006
Garito wrote at 2006-11-9 03:07 +0100:
> ...
>> What you see is an authentication weakness with "__bobo_traverse__":
>>
>> Zope's security machinery requires acquisition wrappers
>> to work reliably.
>>
>> When "__bobo_traverse__" returns a non-acquisition-wrapped
>> object without public security declarations, then the
>> normal security check would not help.
>>
>> Zope therefore tries to check whether a standard 'getattr' would
>> return the same object and accept it in this case.
>> Otherwise, it will raise "Unauthorized" with the intent
>> that an unmotivated "Unauthorized" is better than giving
>> access to some piece of information that should be protected.
>>
>>
>> In my view, the behaviour is buggy as "__bobo_traverse__" has
>> no way to return a non-trivial elementary data type -- but
>> almost surely, it will not be changed...
> ...
>Then: what solution do you think will be the best solution for my request?
You may try to return a wrapper that behaves the same way
as the original object (by deriving from the respective type)
but has "__roles__ = None" as additional attribute (which declares
the object public).
--
Dieter
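
The suggestion above, sketched as an added example (not part of the original message and not Zope's own code). `check_traversed`, `traverse`, `Folder` and `PublicStr` are hypothetical names, and the check is a simplified stand-in for the behaviour described in the thread, written so it runs without Zope installed.

```python
class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception (assumption: no Zope here)."""


_MISSING = object()


def check_traversed(container, name, obj):
    """Toy model of the check described in the thread, not Zope's real code.

    Accept obj if it declares itself public via __roles__ = None, or if a
    plain getattr on the container yields the very same object; otherwise
    refuse rather than risk exposing protected data.
    """
    if getattr(obj, "__roles__", _MISSING) is None:
        return obj
    if getattr(container, name, _MISSING) is obj:
        return obj
    raise Unauthorized(name)


class PublicStr(str):
    """Behaves like str, but carries the public declaration."""
    __roles__ = None


class Folder:
    """Hypothetical object that computes a plain string on traversal."""

    def __init__(self, wrap_public):
        self.wrap_public = wrap_public

    def __bobo_traverse__(self, request, name):
        value = "computed:" + name  # constructed sample value
        return PublicStr(value) if self.wrap_public else value


def traverse(container, name):
    """Run the traversal hook, then the simplified security check."""
    obj = container.__bobo_traverse__(None, name)
    return check_traversed(container, name, obj)


if __name__ == "__main__":
    print(traverse(Folder(wrap_public=True), "title"))
    try:
        traverse(Folder(wrap_public=False), "title")
    except Unauthorized as exc:
        print("Unauthorized:", exc)
```

Results of `str` methods and operators on a `PublicStr` are plain `str` again, so the declaration applies only to the exact object returned; since `__roles__ = None` makes that value readable by anyone who can traverse to it, wrap only data that is meant to be public.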