Piotr Chamera wrote: > Philipp von Weitershausen wrote: >> Piotr Chamera wrote: >>> def getVocabulary(context, items_container, title_field): >>> list = [] >>> root=zapi.getRoot(context) >>> for (oid, oobj) in root.get("books").get(items_container).items(): >>> obj = removeAllProxies(oobj) >> >> Don't remove (security) proxies here! You're totally disabling security >> with this. >> >>> list.append( SimpleTerm( obj, str(obj.__dict__[title_field]), >>> obj.__dict__[title_field])) >> >> >> This spelling is very awkward. It's probably also the reason why you >> wanted to remove proxies above. You should write this as: >> >> list.append(SimpleTerm(obj, getattr(obj, title_field), >> getattr(obj, title_field))) >> >>> return SimpleVocabulary( list ) >> > > I have removed proxies because I stored selected objects in attribute of > another object with forms generated from schema. But I probably can > remove proxy in set method of that attribute (property) or ... what else > can I store as reference to object in attribute of another object to be > secure?
Security proxies can't be stored. They're created upon access. Unless you *really* know what you're doing, removeAllProxies or removeSecurityProxies should not occur in your application code. If it does, it's likely to cause security holes. Philipp _______________________________________________ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users