[Zope-dev] Re: CatalogBrains since Zope2.7.1b1
Santi Camps
santi at zetadb.com
Sun Jun 27 08:48:39 EDT 2004
> Optional arguments will still allow untrusted code to bypass security
> checks.

Yes, that's true.

> Here are three solutions to this, two of which do not involve catalog
> changes:
>
> - Use a proxy role on the script that invokes getObject which grants the
>   permissions needed.
> - Use self.unrestrictedTraverse(brain.getPath()) from trusted code
> - Add a private method: unrestrictedGetObject() to the catalog brain API
>   which does no security checking, but is inaccessible to untrusted code.
>
> I think the last one is a good idea and I will implement it. The other
> two are available options for now.

Ok, I think it will be useful. Until then, the second option is a good solution for me. Thanks a lot for the suggestion.

Regards
Santi Camps
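
The design point discussed in this message, as an added illustration that is not Zope code and not code from either poster: a simplified model in which the sandbox grants or denies access per method name, so an optional flag on an allowed method is reachable by untrusted code while a separate private method is not. The classes, the `untrusted_call` guard and the content table are hypothetical stand-ins; only the method names `getObject`, `getPath` and `unrestrictedGetObject` come from the thread.

```python
class Unauthorized(Exception):
    pass

# Constructed sample data: path -> (object, permission required to fetch it)
CONTENT = {"/site/public-doc": ("public doc", "View"),
           "/site/secret-doc": ("secret doc", "Manage")}
SECRET = "/site/secret-doc"

def restricted_traverse(path, permissions):
    """Fetch an object only if the current user holds the required permission."""
    obj, needed = CONTENT[path]
    if needed not in permissions:
        raise Unauthorized(path)
    return obj

def unrestricted_traverse(path):
    """Fetch an object with no check; meant for trusted code only."""
    return CONTENT[path][0]

class FlawedBrain:
    """Optional-argument design: the caller chooses whether checks run."""
    def __init__(self, path, permissions):
        self.path, self.permissions = path, permissions
    def getPath(self):
        return self.path
    def getObject(self, restricted=True):
        if restricted:
            return restricted_traverse(self.path, self.permissions)
        return unrestricted_traverse(self.path)

class Brain(FlawedBrain):
    """Separate-method design: getObject always checks."""
    PRIVATE = frozenset({"unrestrictedGetObject"})  # hidden from untrusted code
    def getObject(self):
        return restricted_traverse(self.path, self.permissions)
    def unrestrictedGetObject(self):
        return unrestricted_traverse(self.path)

def untrusted_call(obj, name, *args, **kwargs):
    """Assumed sandbox model: access is decided by method name, never by arguments."""
    if name.startswith("_") or name in getattr(obj, "PRIVATE", ()):
        raise Unauthorized(name)
    return getattr(obj, name)(*args, **kwargs)

def flag_bypasses_check():
    """True when untrusted code with only 'View' reaches the 'Manage' object."""
    brain = FlawedBrain(SECRET, {"View"})
    return untrusted_call(brain, "getObject", restricted=False) == "secret doc"
```
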