[Zope-CMF] Weird IndexableObjectWrapper + TopicIndex + aq_acquired interactions.

Lennart Regebro regebro at gmail.com
Tue Sep 20 08:28:11 EDT 2005

OK, lets try on THIS mailing list, then. :)

TopicIndexes can have expressions as filters. Like for example:
    "getattr(o, 'portal_type', None) not in ('Section', 'Workspace')"
Where o is the object that are being indexed.

But, this being an expression, it's protected, and therefore, a
getattr becomes a guarded_gettatr.

guarded_getattr does it's security check by doing:
    validate = SecurityManagement.getSecurityManager().validate
    aq_acquire(inst, name, aq_validate, validate)
Where in this case inst will be the object that is being indexed.

aq_acquire will, if the first parameter is not an AcquisitionWrapper,
and the third parameter is not None, wrap the object.

Now, in most CMF cases, the object is an IndexableObjectWrapper, wrapping an
Acquisition wrapped object. So, aq_acquire will Acquicision wrap the
IndexableObjectWrapper, with the result that the object being used now
has no context!

Then, it passes this to validate, who in turn passes it to allowed,
who check that the object has the users user folder in it's context.

And it hasn't, because it has no context. *blam* You get an
AuthorizedError, and the object does not get indexed.

OK, there are several ways to fix this, one being to not use getattr.
But there is still something missing from my understandning of all

- Not every object has this problem! Why, I have no idea. I had his
problem in two products, and in ONE of them, it disappeared when I
introduced the otherwise useless PropertyManager as a baseclass. The
other product already has propertymanager as a baseclass!

Any insight into this would be appreciated.


Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/

More information about the Zope-CMF mailing list