Finished fix for collector #558. restrictedTraverse() was not providing

adequate context for the security manager, resulting in excessive Unauthorized errors. The previous fix corrected traversal using __bobo_traverse__(); this fix corrects traversal using getattr(). The problem was solved by simply making use of AccessControl.ZopeGuards.guarded_getattr().

Finished fix for collector #558. restrictedTraverse() was not providing
adequate context for the security manager, resulting in excessive Unauthorized errors. The previous fix corrected traversal using __bobo_traverse__(); this fix corrects traversal using getattr(). The problem was solved by simply making use of AccessControl.ZopeGuards.guarded_getattr().
52193d9b · Shane Hathaway · f97d3008 · 52193d9b · 52193d9b
Commit 52193d9b authored Sep 18, 2002 by Shane Hathaway
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 27 deletions

lib/python/OFS/Traversable.py lib/python/OFS/Traversable.py +7 -16

lib/python/Products/PageTemplates/Expressions.py lib/python/Products/PageTemplates/Expressions.py +5 -11

No files found.
--- a/lib/python/OFS/Traversable.py
+++ b/lib/python/OFS/Traversable.py
@@ -12,13 +12,14 @@
 ##############################################################################
 '''This module implements a mix-in for traversable objects.

-$Id: Traversable.py,v 1.16 2002/09/12 21:20:52 shane Exp $'''
-__version__='$Revision: 1.16 $'[11:-2]
+$Id: Traversable.py,v 1.17 2002/09/18 15:48:59 shane Exp $'''
+__version__='$Revision: 1.17 $'[11:-2]


 from Acquisition import Acquired, aq_inner, aq_parent, aq_base
 from AccessControl import getSecurityManager
 from AccessControl import Unauthorized
+from AccessControl.ZopeGuards import guarded_getattr
 from urllib import quote

 _marker=[]
@@ -134,21 +135,11 @@ class Traversable:
                            raise Unauthorized, name

                else:
-                    o=get(object, name, M)
-                    if o is not M:
-                        if restricted:
-                            # waaaa
-                            if hasattr(aq_base(object), name):
-                                # value wasn't acquired
-                                if not securityManager.validate(
-                                    object, object, name, o):
-                                    raise Unauthorized, name
-                            else:
-                                if not securityManager.validate(
-                                    object, N, name, o):
-                                    raise Unauthorized, name
-
+                    if restricted:
+                        o = guarded_getattr(object, name, M)
                    else:
+                        o = get(object, name, M)
+                    if o is M:
                        o=object[name]
                        if (restricted and not securityManager.validate(
                            object, object, N, o)):

--- a/lib/python/Products/PageTemplates/Expressions.py
+++ b/lib/python/Products/PageTemplates/Expressions.py
@@ -17,7 +17,7 @@ Page Template-specific implementation of TALES, with handlers
 for Python expressions, string literals, and paths.
 """

-__version__='$Revision: 1.38 $'[11:-2]
+__version__='$Revision: 1.39 $'[11:-2]

 import re, sys
 from TALES import Engine, CompilerError, _valid_name, NAME_RE, \
@@ -47,6 +47,7 @@ def installHandlers(engine):
 if sys.modules.has_key('Zope'):
    import AccessControl
    from AccessControl import getSecurityManager
+    from AccessControl.ZopeGuards import guarded_getattr
    try:
        from AccessControl import Unauthorized
    except ImportError:
@@ -59,6 +60,7 @@ if sys.modules.has_key('Zope'):
             call_with_ns
 else:
    from PythonExpr import getSecurityManager, PythonExpr
+    guarded_getattr = getattr
    try:
        from zExceptions import Unauthorized
    except ImportError:
@@ -331,16 +333,8 @@ def restrictedTraverse(self, path, securityManager,
                raise Unauthorized, name
        else:
            # Try an attribute.
-            o = get(object, name, M)
-            if o is not M:
-                # Check access to the attribute.
-                if has(object, 'aq_acquire'):
-                    object.aq_acquire(
-                        name, validate2, validate)
-                else:
-                    if not validate(object, object, name, o):
-                        raise Unauthorized, name
-            else:
+            o = guarded_getattr(object, name, M)
+            if o is M:
                # Try an item.
                try:
                    # XXX maybe in Python 2.2 we can just check whether