[Zope-CMF] CMF add views and <browser:page />
Martin Aspeli
optilude at gmx.net
Mon Dec 8 19:33:21 EST 2008
yuppie wrote:
>> In CMFDefault, we have some base classes (tied to formlib) and we do
>> manual security with a ClassSecurityInfo and InitializeClass(). This
>> feels like a step backwards to me, at least in Plone, where we encourage
>> people to use browser views with declarative (ZCML) security. It's
>> difficult to explain that add forms are "special" so that they need to
>> have manual security, explicit docstrings (for better or for worse), and
>> be registered as an <adapter />, not a <browser:page />.
>>
>> Did we envisage a solution to this?
>
> No.
>
>> How about a new <cmf:addview />
>> directive that mimics <browser:page />, but registers the
>> (context,request,fti) adapter? I could probably put that together if
>> people think it's a good idea.
>
> CMF add views are different because they are looked up by a special
> traverser, using the additional type info object. You have to be aware
> of that. No matter if you use <adapter /> or <cmf:addview />.

Sure.

> It is not obvious why you have to use explicit Zope 2 style security for
> add views and declarative Zope 3 style security for other views. But I'd
> rather like to see the 'permission' attribute of <adapter /> implemented
> for Zope 2 instead of a new <cmf:addview /> directive.

Mmmm... I'm not sure most people would find it natural to think about
the add form as an adapter like this.

Also, Five's <browser:page /> does quite a lot of stuff that we now
can't have for CMF add views:

  o It allows a template to be registered

  o It allows an attribute other than __call__ to be used to render
    the view

  o It sets up security on attributes, by interface or explicit list

  o It sets up security on the view class itself

I don't think the adapter permission attribute would be sufficient in
any case. In Zope 3, it's tied to a type of low-level security proxy
that doesn't really exist in Zope 2. The ClassSecurityInfo stuff only
affects restricted python/traversal, whereas Zope 3 security proxies are
applied everywhere.

Martin

--
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book
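
An added illustration of the contrast discussed in this message, not part of the original post and not code from CMF or Plone: the two registration styles side by side in ZCML. All local dotted names, view names and the template file name are hypothetical, and the add view class is assumed to declare the interface it provides.

```xml
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:browser="http://namespaces.zope.org/browser">

  <!-- Ordinary view: the template and the security settings are
       declared in the registration itself. -->
  <browser:page
      for=".interfaces.IExampleContent"
      name="example-view"
      class=".browser.ExampleView"
      template="example_view.pt"
      permission="zope2.View"
      allowed_interface=".interfaces.IExampleViewAPI"
      />

  <!-- Same directive, rendering through a named method instead of
       __call__, with an explicit list of protected attributes. -->
  <browser:page
      for=".interfaces.IExampleContent"
      name="example-edit"
      class=".browser.ExampleEditView"
      attribute="render"
      permission="zope2.View"
      allowed_attributes="update"
      />

  <!-- CMF add view as described in the thread: a named
       (context, request, fti) adapter. This registration sets up
       no template, no render attribute and no permission, so the
       class has to carry its own ClassSecurityInfo declarations
       and be passed through InitializeClass(). -->
  <adapter
      name="example.content"
      for="Products.CMFCore.interfaces.IFolderish
           zope.publisher.interfaces.browser.IBrowserRequest
           Products.CMFCore.interfaces.ITypeInformation"
      factory=".browser.ExampleAddView"
      />

</configure>
```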