--On Freitag, 25. Februar 2005 20:21 Uhr +0100 Dieter Maurer <[EMAIL PROTECTED]> wrote:
Roché Compaan wrote at 2005-2-25 17:22 +0200:Last year in March the following checkin was made that changed ZCatalog's getObject to use restrictedTraverse instead of unrestrictedTraverse. See:
http://mail.zope.org/pipermail/zope-checkins/2004-March/026846.html
In my opininion this is wrong,
I agree with you!
... I would propose that getObject does an unrestrictedTraverse of the path and then checks if the user has permission to access that the object.
I argued precisely this approach with the person who made the change. I had the impression that I have convinced him -- but apparently, he did not change the code accordingly :-(
Maybe, a bug report to the collector will help?
<http://www.zope.org/Collectors/Zope>
Best to include a patch as well :-)
-aj
_______________________________________________ Zope-Dev maillist - Zope-Dev@zope.org http://mail.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope )
