[Zope-dev] ZCatalog getObject broken

Roché Compaan roche at upfrontsystems.co.za
Thu Mar 3 02:53:08 EST 2005


On Fri, 2005-02-25 at 21:06 +0100, Andreas Jung wrote:
> 
> --On Freitag, 25. Februar 2005 20:21 Uhr +0100 Dieter Maurer 
> <dieter at handshake.de> wrote:
> 
> > Roché Compaan wrote at 2005-2-25 17:22 +0200:
> >> Last year in March the following checkin was made that changed
> >> ZCatalog's getObject to use restrictedTraverse instead of
> >> unrestrictedTraverse. See:
> >>
> >> http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
> >>
> >> In my opinion this is wrong,
> >
> > I agree with you!
> >
> >> ...
> >> I would propose that getObject does an unrestrictedTraverse of the path
> >> and then checks if the user has permission to access that the object.
> >
> > I argued precisely this approach with the person who made the
> > change. I had the impression that I have convinced him -- but
> > apparently, he did not change the code accordingly :-(
> >
> > Maybe, a bug report to the collector will help?
> >
> >        <http://www.zope.org/Collectors/Zope>
> >
> 
> Best to include a patch as well :-)
> 
> -aj

I'm unsure about the security check in the patch below - I copied the
way restrictedTraverse does it. I read through validate in the default
security policy, but it is one of those methods where all the security
implications don't fit in your head all at once.

--- CatalogBrains.py~	2004-03-23 22:27:23.000000000 +0200
+++ CatalogBrains.py	2005-03-03 09:43:48.000000000 +0200
@@ -47,7 +47,11 @@
         (i.e., it was deleted or moved without recataloging), or if the
user is
         not authorized to access an object along the path.
         """
-        return self.aq_parent.restrictedTraverse(self.getPath(), None)
+        obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
+        if obj and securityManager.validate(obj, obj, None, None):
+            return obj
+        else:
+            return None
 
     def getRID(self):
         """Return the record ID for this object."""
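Review bot: `securityManager` in the added lines is never bound anywhere in this hunk, so `getObject` will raise a NameError on the first call that finds an object; the patch needs `from AccessControl import getSecurityManager` and `getSecurityManager().validate(obj, obj, None, None)` (or the name must come from an import the diff does not show). Two further points on the same lines: `validate` is only run against the final object, so the unchanged docstring's promise that `None` is returned when the user "is not authorized to access an object along the path" no longer holds and should be reworded to say the check covers the catalogued object only; and `if obj and ...` treats any object whose `__len__` returns 0 (an empty folderish object) as missing, so the test should be `if obj is not None and ...`.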

-- 
Roché Compaan
Upfront Systems                 http://www.upfrontsystems.co.za
