On Thu, 2005-03-03 at 19:36 +0100, Dieter Maurer wrote:
> Roché Compaan wrote at 2005-3-3 09:53 +0200:
> > ...
> >- return self.aq_parent.restrictedTraverse(self.getPath(), None)
> >+ obj = self.aq_parent.unrestrictedTraverse(self.getPath(), None)
> >+ if obj and securityManager.validate(obj, obj, None, None):
>
> I think this is not correct: "validate" needs at least a
> "value" parameter (this is the fourth parameter).
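
Review bot: the `if obj and ...` test on the last added line depends on the truthiness of the traversed object, so an object that exists but evaluates false (an empty container, for example) would skip `validate` and be handled like a failed traversal. Since `None` is the default passed to `unrestrictedTraverse`, compare with `obj is not None` instead. The same line passes `None` as both the third and fourth arguments to `validate`, so the check is given no name or value to evaluate, and the visible lines do not show what the method returns when validation fails; the patch should state whether the caller then gets `None` or an exception.
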
I thought this much but what value? And doesn't this make the implementation of restrictedTraverse suspect too?

When code is calling getObject on a catalog brain we don't know what attribute or method of that object the calling code will access. Does it then make any sense at all to do security checks in getObject? IMO it doesn't.