Albertas Agejevas wrote:
Hi all,
Unpleasant things happen when views are security wrapped. Widgets
refuse to work, because they are registered as views, and get a custom
security checker (in zope.app.component.metaconfigure.view). The
default view custom checker only protects '__call__' and leaves all other
attributes forbidden. This makes rendering a label or errors of a widget
fail. Defining security permissions for the widget class does not
help as the custom checker overrides them.
The TextWidget is registered in zope/app/form/browser/configure.zcml
as follows:
  <view
      type="zope.publisher.interfaces.browser.IBrowserRequest"
      for="zope.schema.interfaces.ITextLine"
      provides="zope.app.form.interfaces.IInputWidget"
      factory=".TextWidget"
      permission="zope.Public"
      />
Gary Poster helped me find 3 ways to overcome the security wrapped
widget problem:
1. ZCML only fix: add allowed_interface="...ITextBrowserWidget" to the
text widget ZCML registration, and the relevant interfaces to all
other widgets (maybe just IInputWidget is enough).
2. Make the view custom permission checker merge permissions registered
for the view class with the permissions allowed by the view
registration.
3. Make the provided interface the default allowed interface.
Fall back on allowing just __call__ for the views that only
provide zope.interface.Interface.
I feel that the last option is best.

Why not just use:
  <adapter
      for="zope.schema.interfaces.ITextLine
           zope.publisher.interfaces.browser.IBrowserRequest"
      provides="zope.app.form.interfaces.IInputWidget"
      factory=".TextWidget"
      permission="zope.Public"
      />
That's what I would do.
I might even hack the TextWidget so I could just do:
  <adapter
      factory=".TextWidget"
      permission="zope.Public"
      />
I'd be happy to deprecate the view directive.
Jim
--
Jim Fulton mailto:[EMAIL PROTECTED] Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
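
Added example, not part of the original thread and not Zope's own code: a simplified pure-Python model of a name-based checker, comparing the current view checker behaviour described above with options 2 and 3. It does not use zope.security; `Proxy`, `Forbidden`, `TextWidget`, `WIDGET_IFACE_NAMES`, `CLASS_DECLARED` and the three policy functions are hypothetical names, and the interface names are constructed.

```python
# Simplified stand-in for a name-based security checker; NOT zope.security.
PUBLIC = "zope.Public"
# Constructed stand-in for the names declared by the provided widget interface.
WIDGET_IFACE_NAMES = ("label", "error", "__call__")
PLAIN_INTERFACE = ()  # stands for zope.interface.Interface, which declares no names

class Forbidden(Exception):
    """Raised for a name the checker does not list."""

class Proxy:
    """Releases only the attributes listed in the checker mapping."""
    def __init__(self, obj, checker):
        self._obj, self._checker = obj, checker

    def __getattr__(self, name):  # reached for every name not set on the proxy itself
        if name not in self._checker:
            raise Forbidden(name)
        return getattr(self._obj, name)

class TextWidget:  # hypothetical minimal widget
    label = "Title"
    def error(self):
        return ""
    def __call__(self):
        return '<input type="text" />'

CLASS_DECLARED = {"label": PUBLIC, "error": PUBLIC}  # assumed class-level declarations

def current(provides, permission, declared):
    return {"__call__": permission}  # as described: class declarations are overridden

def merged(provides, permission, declared):  # option 2
    return {**declared, "__call__": permission}

def provided(provides, permission, declared):  # option 3, with the __call__ fallback
    return {name: permission for name in (provides or ("__call__",))}

def reachable(policy, provides=WIDGET_IFACE_NAMES):
    """Names reachable through the proxy under a given checker policy."""
    widget = Proxy(TextWidget(), policy(provides, PUBLIC, CLASS_DECLARED))
    found = []
    for name in ("label", "error", "__call__"):
        try:
            getattr(widget, name)
            found.append(name)
        except Forbidden:
            pass
    return found

if __name__ == "__main__":
    for policy in (current, merged, provided):
        print(policy.__name__, reachable(policy))
```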