[Zope] __bobo_traverse__ help
Garito
garito at sistes.net
Fri Nov 10 09:00:08 EST 2006
Dieter Maurer wrote:
> Garito wrote at 2006-11-9 03:07 +0100:
>
>> ...
>>
>>> What you see is an authentication weakness with "__bobo_traverse__":
>>>
>>> Zope's security machinery requires acquisition wrappers
>>> to work reliably.
>>>
>>> When "__bobo_traverse__" returns a non acquisition wrapped
>>> object without public security declarations, then the
>>> normal security check would not help.
>>>
>>> Zope therefore tries to check whether a standard 'getattr' would
>>> return the same object and accept it in this case.
>>> Otherwise, it will raise "Unauthorized" with the intent
>>> that an unmotivated "Unauthorized" is better than giving
>>> access to some piece of information that should be protected.
>>>
>>>
>>> In my view, the behaviour is buggy as "__bobo_traverse__" has
>>> no way to return a non-trivial elementary data type -- but
>>> almost surely, it will not be changed...
>>>
>> ...
>> Then: what solution did you think will be the best solution for my request?
>>
>
> You may try to return a wrapper that behaves the same way
> as the original object (by deriving from the respective type)
> but has "__roles__ = None" as additional attribute (which declares
> the object public).
>
>
>
>
Wow!
Can you point me to a simple example or similar? I'm not sure if I
understand what you are telling me.
Thanks!
--
Mis Cosas
http://blogs.sistes.net/Garito
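
The wrapper suggested in the quoted reply, as an added example that is not part of the original thread and is not Zope's own code. `model_validate`, `traverse`, `Folderish` and the local `Unauthorized` class are hypothetical stand-ins that model only the check described above, so the snippet runs without Zope installed.

```python
class Unauthorized(Exception):
    """Local stand-in for Zope's Unauthorized exception (assumption)."""


_MISSING = object()


class PublicStr(str):
    """Behaves exactly like str, but carries a public security declaration."""
    # None declares the object public: anyone who can reach the URL can read
    # it, so wrap only values that need no protection.
    __roles__ = None


class Folderish(object):
    """Hypothetical container that computes values during traversal."""
    title = "stored attribute"

    def __bobo_traverse__(self, REQUEST, name):
        if name == "raw":
            return "computed " + name             # plain str, no declaration
        if name == "public":
            return PublicStr("computed " + name)  # wrapped, declared public
        return getattr(self, name)


def model_validate(container, name, value):
    """Simplified model of the check described in the thread."""
    # 1. An explicit public declaration on the returned object is accepted.
    if getattr(value, "__roles__", _MISSING) is None:
        return value
    # 2. Otherwise accept only the object a standard getattr would return.
    if getattr(container, name, _MISSING) is value:
        return value
    # 3. Anything else is refused rather than risk exposing protected data.
    raise Unauthorized(name)


def traverse(container, name):
    """Call __bobo_traverse__ (no real request in this model), then check."""
    value = container.__bobo_traverse__(None, name)
    return model_validate(container, name, value)


if __name__ == "__main__":
    print(traverse(Folderish(), "public"))  # accepted: declared public
    print(traverse(Folderish(), "title"))   # accepted: matches getattr
```
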