[Zope-Checkins] CVS: Zope/lib/python/OFS - Traversable.py:1.15.6.1

Shane Hathaway shane@cvs.zope.org
Thu, 12 Sep 2002 17:22:40 -0400


Update of /cvs-repository/Zope/lib/python/OFS
In directory cvs.zope.org:/tmp/cvs-serv15514

Modified Files:
      Tag: Zope-2_6-branch
	Traversable.py 
Log Message:
Merge from head.

Resolution for bug #558: when restrictedTraverse() traverses using a
__bobo_traverse__ hook, and the hook returns an object that comes from
some other container, the security policy may incorrectly deny access.
This fix determines the container of the object based on its
aquisition wrappers, if available, and passes it to validate().

Also added a corresponding unit test.


=== Zope/lib/python/OFS/Traversable.py 1.15 => 1.15.6.1 ===
--- Zope/lib/python/OFS/Traversable.py:1.15	Wed Aug 14 17:42:56 2002
+++ Zope/lib/python/OFS/Traversable.py	Thu Sep 12 17:22:40 2002
@@ -99,6 +99,7 @@
             object = self
             while path:
                 name=pop()
+                __traceback_info__ = path, name
 
                 if name[0] == '_':
                     # Never allowed in a URL.
@@ -119,7 +120,11 @@
 
                     if restricted:
                         container = N
-                        if has(o, 'im_self'):
+                        if aq_base(o) is not o:
+                            # The object is wrapped, so the acquisition
+                            # context determines the container.
+                            container = aq_parent(aq_inner(o))
+                        elif has(o, 'im_self'):
                             container = o.im_self
                         elif (has(get(object, 'aq_base', object), name)
                               and get(object, name) == o):