[Zope] __bobo_traverse__ help

Dieter Maurer dieter at handshake.de
Thu Nov 9 15:00:20 EST 2006


Garito wrote at 2006-11-9 03:07 +0100:
> ...
>> What you see is an authentication weakness with "__bobo_traverse__":
>>
>>   Zope's security machinery requires acquisition wrappers
>>   to work reliably.
>>
>>   When "__bobo_traverse__" returns a non acquisition wrapped
>>   object without public security declarations, then the
>>   normal security check would not help.
>>
>>   Zope therefore tries to check whether a standard 'getattr' would
>>   return the same object and accept it in this case.
>>   Otherwise, it will raise "Unauthorized" with the intent
>>   that an unmotivated "Unauthorized" is better than giving
>>   access to some piece of information that should be protected.
>>
>>
>> In my view, the behaviour is buggy as "__bobo_traverse__" has
>> no way to return a non-trivial elementary data type -- but
>> almost surely, it will not be changed...
> ...
>Then: what solution do you think will be the best solution for my request?

You may try to return a wrapper that behaves the same way
as the original object (by deriving from the respective type)
but has "__roles__ = None" as additional attribute (which declares
the object public).



-- 
Dieter
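
The suggestion above, as an added example that is not part of the original message or of Zope's own code: a value returned from "__bobo_traverse__" is rebuilt as an instance of a subclass of its own type carrying "__roles__ = None". The names `public` and `Settings` and the sample data are hypothetical; the sketch runs without Zope installed and only shows the shape of the returned object.

```python
_public_types = {}  # cache: base type -> generated subclass with __roles__ = None


def public(value):
    """Return `value` rebuilt as an instance of a subclass of its own type
    that carries ``__roles__ = None`` (declares the object public)."""
    base = type(value)
    cls = _public_types.get(base)
    if cls is None:
        try:
            cls = type("Public" + base.__name__.capitalize(), (base,),
                       {"__roles__": None})
        except TypeError:
            # Some builtins (bool, NoneType) cannot be subclassed at all.
            raise TypeError("cannot derive a public wrapper from %s"
                            % base.__name__)
        _public_types[base] = cls
    return cls(value)


class Settings(object):
    """Stand-in for a traversable object (constructed sample data)."""

    # Explicit allow-list: only these values are ever declared public.
    _exposed = {"title": "Public catalogue", "count": 42}
    _secret = "not-for-publication"

    def __bobo_traverse__(self, REQUEST, name):
        try:
            value = self._exposed[name]
        except KeyError:
            # Anything not on the allow-list is reported as missing
            # instead of being wrapped and declared public.
            raise AttributeError(name)
        return public(value)


if __name__ == "__main__":
    result = Settings().__bobo_traverse__(None, "title")
    print(repr(result), type(result).__mro__, result.__roles__)
```

Because "__roles__ = None" switches off the role check for the returned object, the wrapper is applied only to values taken from the explicit allow-list, never to arbitrary attribute lookups.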

