[Zope] __bobo_traverse__ help

Dieter Maurer dieter at handshake.de
Wed Nov 8 14:13:52 EST 2006


Garito wrote at 2006-11-8 02:50 +0100:
>Please consider this code:
>
>def __bobo_traverse__(self, REQUEST, name):
>    obj = self.Propiedad(name)
>    if obj is None: return self
>    else: return obj
>
>def Propiedad(self, propiedad):
>    obj = getattr(self, propiedad, None)
>    if obj is None: return obj # Add catalog lookup
>    else:
>        if type(obj) == type(str('')) and obj.startswith('[') and obj.endswith(']'):
>            return self.Expresion({'Expresion': obj[1:-1]})['Resultado']
>    return obj
>
>I wonder why I can do:
>
><tal:b tal:replace='python: here.Propiedad("Modificacion")' />
>
>but not:
>
><tal:b tal:replace='here/Modificacion' />
> ...
>When I try here/Modificacion, I get an unauthorized error trying to access
>Modificacion

What you see is an authentication weakness with "__bobo_traverse__":

  Zope's security machinery requires acquisition wrappers
  to work reliably.

  When "__bobo_traverse__" returns a non-acquisition-wrapped
  object without public security declarations, then the
  normal security check would not help.

  Zope therefore tries to check whether a standard 'getattr' would
  return the same object and accept it in this case.
  Otherwise, it will raise "Unauthorized" with the intent
  that an unmotivated "Unauthorized" is better than giving
  access to some piece of information that should be protected.


In my view, the behaviour is buggy as "__bobo_traverse__" has
no way to return a non-trivial elementary data type -- but
almost surely, it will not be changed...



-- 
Dieter
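The check Dieter describes, reduced to a small Python model that reproduces the asker's two outcomes. This is an added illustration, not Zope's publisher code or the original poster's class: the `Doc` class, the `Expresion` stand-in, the `__of__` test for "acquisition-wrapped" and the sample attribute values are all assumptions.

```python
class Unauthorized(Exception):
    """Stands in for Zope's Unauthorized exception (assumption)."""

class Doc:
    """Stand-in for a Zope object using the post's __bobo_traverse__/Propiedad pattern."""

    def __init__(self, **attrs):
        for key, value in attrs.items():
            setattr(self, key, value)

    def Expresion(self, data):
        # Stand-in for the evaluator the post calls; it only tags the expression text.
        return {'Resultado': 'computed:' + data['Expresion']}

    def Propiedad(self, propiedad):
        obj = getattr(self, propiedad, None)
        if isinstance(obj, str) and obj.startswith('[') and obj.endswith(']'):
            return self.Expresion({'Expresion': obj[1:-1]})['Resultado']
        return obj

    def __bobo_traverse__(self, REQUEST, name):
        obj = self.Propiedad(name)
        return self if obj is None else obj

def traverse_name(container, name, request=None):
    """One restricted traversal step, modelling the check Dieter describes."""
    result = container.__bobo_traverse__(request, name)
    if hasattr(result, '__of__'):
        # Acquisition-wrapped: the normal security check can validate it.
        return result
    if getattr(container, name, None) is result:
        # A plain getattr yields the very same object, so it is accepted.
        return result
    # Anything else (here: a freshly computed string) cannot be validated.
    raise Unauthorized(name)

def path_lookup(doc, name):
    """What a TAL path like here/<name> yields: the value, or 'Unauthorized'."""
    try:
        return traverse_name(doc, name)
    except Unauthorized:
        return 'Unauthorized'

if __name__ == '__main__':
    doc = Doc(Titulo='hello', Modificacion='[fecha]')  # constructed sample object
    print(doc.Propiedad('Modificacion'))    # python: here.Propiedad(...) -> computed:fecha
    print(path_lookup(doc, 'Titulo'))       # plain attribute, same object -> hello
    print(path_lookup(doc, 'Modificacion')) # computed value -> Unauthorized
```

The plain attribute passes because `getattr` returns the identical object; the bracketed value fails because `Propiedad` hands back a new string that no `getattr` can reproduce, which is exactly the `here/Modificacion` case in the question.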

