[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/dublincore/timeannotators.py Unwrap DCadapter in time annotators.
Garrett Smith
garrett at mojave-corp.com
Fri Feb 25 21:10:54 EST 2005
Albertas Agejevas wrote:
> Zope3/trunk/src/zope/app/dublincore/timeannotators.py Unwrap DCadapter
> in time annotators.
>
>
> On Fri, Feb 25, 2005 at 04:58:24PM -0600, Garrett Smith wrote:
>> - The annotator should either explicitly check before setting a DC
>> attr, or handle the Unauthorized with a no-op (IMO the latter is
>> preferable).
>>
>> - You (IOW your app) should make sure any principal/role with the
>> zope.ManageContent permission also has zope.app.dublincore.change.
>
> I disagree with you on both counts. Imagine a forum where anonymous
> users post comments. Your suggestions imply that either DC write
> access will be public, or modification times will not be updated.
> This is bogus.
"anonymous users post comments" -> they have permission to create
comments and modify some parent. You let them do this, but not modify DC
on the objects they create? Strange.
> A more plausible model would be if the event subscribers could be
> declared as "trusted" if they do system-level things, like updating
> the DC metadata or indexes.
You'd have to set up permission for the handler then. Why not just grant
the role permission to modify DC?
> removeSecurityProxy, in essence, does the same thing. I know it's a
> hack, but I have failed to find a cleaner solution, and I'm waiting
> for Jim to tell me what to do :-)
It's an unacceptable hack, and totally unnecessary. People have gone to
a lot of effort to get rid of misused removeSecurityProxy.
A much better hack would be to register your own event handler, in your
app, to remove proxy and keep the core free of that.
-- Garrett
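
The options debated in this thread, as an added example that is not part of the original message or of Zope's code: a stdlib-only toy model showing what each annotator strategy does for a principal with and without `zope.app.dublincore.change`. `SecurityProxy`, `remove_proxy`, the `annotate_*` handlers and `outcomes` are hypothetical stand-ins, not the zope.security API.

```python
# Toy model, NOT zope.security: all class and function names here are hypothetical.
from datetime import datetime, timezone

DC_CHANGE = "zope.app.dublincore.change"   # permission names taken from the thread
MANAGE = "zope.ManageContent"

class Unauthorized(Exception):
    pass

class DublinCore:
    """Stand-in for the DC adapter of a content object."""
    modified = None

class SecurityProxy:
    """Attribute writes succeed only if the principal holds DC_CHANGE."""
    def __init__(self, obj, granted):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_granted", frozenset(granted))

    def __setattr__(self, name, value):
        if DC_CHANGE not in self._granted:
            raise Unauthorized(name)
        setattr(self._obj, name, value)

def remove_proxy(proxied):
    """Stand-in for unwrapping: returns the bare object, bypassing all checks."""
    return object.__getattribute__(proxied, "_obj")

def annotate_strict(dc, now):      # plain write through the proxy
    dc.modified = now

def annotate_noop(dc, now):        # Unauthorized handled as a no-op
    try:
        dc.modified = now
    except Unauthorized:
        pass

def annotate_unwrapped(dc, now):   # proxy removed inside the handler
    remove_proxy(dc).modified = now

def outcomes(granted):
    """Run each handler for a principal holding `granted`; report what happened."""
    now, result = datetime(2005, 2, 25, tzinfo=timezone.utc), {}
    for handler in (annotate_strict, annotate_noop, annotate_unwrapped):
        target = DublinCore()
        try:
            handler(SecurityProxy(target, granted), now)
            result[handler.__name__] = "updated" if target.modified == now else "skipped"
        except Unauthorized:
            result[handler.__name__] = "Unauthorized"
    return result
```

Calling `outcomes({MANAGE})` models the anonymous-commenter case from the thread; `outcomes({MANAGE, DC_CHANGE})` models granting the DC permission alongside `zope.ManageContent`.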