Serious bug in (un)restrictedTraverse
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Invalid | Medium | Unassigned |
Bug Description
ZCatalog brains' getObject method is now very simply implemented, but in a way that can lead to end user confusion.
The intent is to return None for a brain that no longer maps to an object, but the implementation is such that it also returns None when the user doing the getObject isn't allowed to access the object being mapped to.
This in itself is confusing; an Unauthorized should be raised instead of None being returned.
However, more seriously, it means that unrestricted code that calls getObject no longer works since there may not be an active security manager.
FWIW, the (ugly) workaround I'm currently using is:
container.
...in place of any brain.getObject()'s
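
The ambiguity described in the report, as an added toy model in Python (not Zope's code and not part of the original report). The class, the function names, the roles and the paths are all hypothetical, and a missing security manager is modelled as `role=None`, which is an assumption.

```python
# Toy model (constructed, not Zope code): why None from getObject is ambiguous.
class Unauthorized(Exception):
    """Stand-in for the access-denied error named in the report."""

# Constructed sample data: catalog path -> (object, roles allowed to access it)
OBJECTS = {
    "/site/public": ("public-doc", {"Anonymous", "Manager"}),
    "/site/private": ("private-doc", {"Manager"}),
}

def restricted_lookup(path, role):
    """Look up path with an access check; role=None models no security manager."""
    obj, allowed = OBJECTS[path]  # KeyError if the object is gone
    if role is None or role not in allowed:
        raise Unauthorized(path)
    return obj

def unrestricted_lookup(path):
    """Look up path with no access check, for trusted code only."""
    return OBJECTS[path][0]

class Brain:
    def __init__(self, path):
        self.path = path

    def get_object_swallowing(self, role):
        """Behaviour described in the report: every failure collapses to None."""
        try:
            return restricted_lookup(self.path, role)
        except (KeyError, Unauthorized):
            return None

    def get_object_strict(self, role):
        """What the report asks for: None only when the brain is stale."""
        try:
            return restricted_lookup(self.path, role)
        except KeyError:
            return None  # Unauthorized propagates to the caller

    def get_object_trusted(self):
        """Explicit unrestricted path, so trusted code needs no security manager."""
        try:
            return unrestricted_lookup(self.path)
        except KeyError:
            return None
```

With the swallowing variant a caller cannot tell a stale catalog entry from an access denial, so a cleanup routine that removes brains returning None would also drop entries the current user simply may not see.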
AFAIK Casey is no longer working for ZC and I don't know if he is still working on Zope. Maybe this issue must be resolved by someone else.