[Zope] __bobo_traverse__ help

Garito garito at sistes.net
Fri Nov 10 09:00:08 EST 2006


Dieter Maurer escribió:
> Garito wrote at 2006-11-9 03:07 +0100:
>   
>> ...
>>     
>>> What you see is an authentication weekness with "__bobo_traverse__":
>>>
>>>   Zope's security machinery requires acquisition wrappers
>>>   to work reliably.
>>>
>>>   When "__bobo_traverse__" returns a non acquisition wrapped
>>>   object without public security declarations, then the
>>>   normal security check would not help.
>>>
>>>   Zope therefore tries to check whether a standard 'getattr' would
>>>   return the same object and accept it in this case.
>>>   Otherwise, it will raise "Unauthorized" with the intent
>>>   that an unmotivated "Unauthorized" is better than giving
>>>   access to some piece of information that should be protected.
>>>
>>>
>>> In my view, the behaviour is buggy as "__bobo_traverse__" has
>>> no way to return a non-trivial elementary data type -- but
>>> almost surely, it will not be changed...
>>>       
>> ...
>> Then: what solution did you think will be the best solution for my request?
>>     
>
> You may try to return a wrapper that behaves the same way
> as the original object (by deriving from the respective type)
> but has "__roles__ = None" as additional attribute (which declares
> the object public).
>
>
>
>   
Uau!
Can you point me to a simple example or similar? I'm not sure if I 
understand what you are telling me

Thanks!

-- 
Mis Cosas
http://blogs.sistes.net/Garito




More information about the Zope mailing list