Don't publish acquired attributes if acquired object has no docstring.

See https://bugs.launchpad.net/zope2/+bug/713253/

Don't publish acquired attributes if acquired object has no docstring.
See https://bugs.launchpad.net/zope2/+bug/713253/
2458a7fa · Tres Seaver · 3bd76737 · 2458a7fa · 2458a7fa · 2458a7fa
Commit 2458a7fa authored Feb 06, 2011 by Tres Seaver
4 changed files
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -5,12 +5,15 @@ This file contains change information for the current Zope release.
 Change information for previous versions of Zope can be found at
 http://docs.zope.org/zope2/releases/.

-2.12.15 (unreleased)
+2.12.15 (2011-02-04)
 --------------------

 Bugs Fixed
 ++++++++++

+- LP #713253: Prevent publication of acquired attributes, where the acquired
+  object does not have a docstring.
+
 - Fix `LazyMap` to avoid unnecessary function calls.

 2.12.14 (2010-12-07)

--- a/setup.py
+++ b/setup.py
@@ -16,7 +16,7 @@ import os
 from setuptools import setup, find_packages, Extension

 setup(name='Zope2',
-    version='2.12.15dev',
+    version='2.12.15',
    url='http://www.zope.org',
    license='ZPL 2.1',
    description='Zope2 application server / web framework',

--- a/src/ZPublisher/BaseRequest.py
+++ b/src/ZPublisher/BaseRequest.py
@@ -120,23 +120,21 @@ class DefaultPublishTraverse(object):
                    # Again, clear any error status created by __bobo_traverse__
                    # because we actually found something:
                    request.response.setStatus(200)
-                    return subobject
                except AttributeError:
                    pass

                # Lastly we try with key access:
-                try:
-                    subobject = object[name]
-                except TypeError: # unsubscriptable
-                    raise KeyError(name)
+                if subobject is None:
+                    try:
+                        subobject = object[name]
+                    except TypeError: # unsubscriptable
+                        raise KeyError(name)
                

        # Ensure that the object has a docstring, or that the parent
        # object has a pseudo-docstring for the object. Objects that
        # have an empty or missing docstring are not published.
        doc = getattr(subobject, '__doc__', None)
-        if doc is None:
-            doc = getattr(object, '%s__doc__' % name, None)
        if not doc:
            raise Forbidden(
                "The object at %s has an empty or missing " \

--- a/src/ZPublisher/tests/testBaseRequest.py
+++ b/src/ZPublisher/tests/testBaseRequest.py
@@ -304,6 +304,14 @@ class TestBaseRequest(unittest.TestCase, BaseRequest_factory):
        r = self._makeOne(root)
        self.assertRaises(NotFound, r.traverse, 'folder/objBasic/noview')

+    def test_traverse_acquired_attribute_without_docstring(self):
+        from ZPublisher import NotFound
+        root, folder = self._makeRootAndFolder()
+        root._setObject('objBasic',
+                        self._makeObjectWithEmptyDocstring())
+        r = self._makeOne(root)
+        self.assertRaises(NotFound, r.traverse, 'folder/objBasic')
+
    def test_traverse_class_without_docstring(self):
        from ZPublisher import NotFound
        root, folder = self._makeRootAndFolder()