Added an _unrestrictedGetObject method to catalog brains.

doc/CHANGES.txt

@@ -30,6 +30,9 @@ Zope Changes
       - Added lazy: TAL expression and fixed defer: expression for python
         expression
 
+      - ZCatalog.CatalogBrains: An _unrestrictedGetObject method has
+        been added.
+
     Bugs fixed
   
       - Collector #1754: Fixed import of 'transaction' in
@@ -59,7 +62,7 @@ Zope Changes
         cannot access (raising Unauthorized).  Sites which rely on the old
         behavior can restore setting a new zope.conf option,
         'catalog-getObject-raises', to "off".
-        
+
         This compatibility option will be removed in Zope 2.10.
 
       - PluginIndexes: the ZCatalog's "Indexes" tab now show the number of

lib/python/Products/ZCatalog/CatalogBrains.py

@@ -14,12 +14,10 @@
 __version__ = "$Revision$"[11:-2]
 
 import Acquisition, Record
-from zExceptions import NotFound
-from zExceptions import Unauthorized
 from ZODB.POSException import ConflictError
 
-# Switch for new behavior, raise NotFound instead of returning None.
-# Use 'catalog-getOb-raises off' in zope.conf to restore old behavior.
+# Switch for new behavior, raise exception instead of returning None.
+# Use 'catalog-getObject-raises off' in zope.conf to restore old behavior.
 GETOBJECT_RAISES = True
 
 class AbstractCatalogBrain(Record.Record, Acquisition.Implicit):
@@ -45,6 +43,20 @@ class AbstractCatalogBrain(Record.Record, Acquisition.Implicit):
         #     avoid bare except band-aids and find a real solution.
         return self.REQUEST.physicalPathToURL(self.getPath(), relative)
 
+    def _unrestrictedGetObject(self):
+        """Return the object for this record
+
+        Same as getObject, but does not do security checks.
+        """
+        try:
+            return self.aq_parent.unrestrictedTraverse(self.getPath())
+        except ConflictError:
+            raise
+        except:
+            if GETOBJECT_RAISES:
+                raise
+            return None
+
     def getObject(self, REQUEST=None):
         """Return the object for this record
 

lib/python/Products/ZCatalog/tests/testCatalog.py

@@ -626,7 +626,7 @@ class TestZCatalogGetObject(unittest.TestCase):
         self.assertEqual(brain.getObject().getId(), 'ob')
 
     def test_getObject_missing_raises_NotFound(self):
-        # Check that if the object is missing None is returned
+        # Check that if the object is missing we raise
         from zExceptions import NotFound
         self._init_getObject_flag(True)
         root = self.root
@@ -699,6 +699,64 @@ class TestZCatalogGetObject(unittest.TestCase):
         self.failIf(ob is None)
         self.assertEqual(ob.getId(), 'ob')
 
+    # Now test _unrestrictedGetObject
+
+    def test_unrestrictedGetObject_found(self):
+        # Check normal traversal
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        self.assertEqual(brain.getPath(), '/ob')
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+
+    def test_unrestrictedGetObject_restricted(self):
+        # Check that if the object's security does not allow traversal,
+        # it's still is returned
+        root = self.root
+        catalog = root.catalog
+        root.fold = Folder('fold')
+        root.fold.ob = Folder('ob')
+        catalog.catalog_object(root.fold.ob)
+        brain = catalog.searchResults()[0]
+        # allow all accesses
+        pickySecurityManager = PickySecurityManager()
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+        # disallow just 'ob' access
+        pickySecurityManager = PickySecurityManager(['ob'])
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+        # disallow just 'fold' access
+        pickySecurityManager = PickySecurityManager(['fold'])
+        setSecurityManager(pickySecurityManager)
+        self.assertEqual(brain._unrestrictedGetObject().getId(), 'ob')
+
+    def test_unrestrictedGetObject_missing_raises_NotFound(self):
+        # Check that if the object is missing we raise
+        from zExceptions import NotFound
+        self._init_getObject_flag(True)
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        del root.ob
+        self.assertRaises((NotFound, AttributeError, KeyError),
+                          brain._unrestrictedGetObject)
+
+    def test_unrestrictedGetObject_missing_returns_None(self):
+        # Check that if the object is missing None is returned
+        self._init_getObject_flag(False)
+        root = self.root
+        catalog = root.catalog
+        root.ob = Folder('ob')
+        catalog.catalog_object(root.ob)
+        brain = catalog.searchResults()[0]
+        del root.ob
+        self.assertEqual(brain._unrestrictedGetObject(), None)
+
 
 def test_suite():
     suite = unittest.TestSuite()