[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/dublincore/timeannotators.py Unwrap DCadapter in time annotators.
Garrett Smith
garrett at mojave-corp.com
Sun Feb 27 00:36:21 EST 2005
Albertas Agejevas wrote:
...
>>> removeSecurityProxy, in essence, does the same thing. I know it's a
>>> hack, but I have failed to find a cleaner solution, and I'm waiting
>>> for Jim to tell me what to do :-)
>>
>> It's an unacceptable hack, and totally unnecessary. People have gone
>> to a lot of effort to get rid of misused removeSecurityProxy.
>
> Well, this one is not going to get forgotten and cause trouble for
> people getting rid of misused removeSecurityProxies. You might have
> noticed in my commit message there's a bug in the collector
> (http://www.zope.org/Collectors/Zope3-dev/373). Also, there are
> prominent comments in the code pointing to the bug.
>
> Unfortunately, Jim was not around on IRC when I hit this problem, and
> Stephan suggested that I do the hack, file a bug, move along with
> my work, and point Jim to it later.
Then the code should have an XXX, otherwise a) it looks like your hack
is intended for the long haul (which was the reason I responded in the
first place) and b) it may not be addressed until someone reports a
security bug in the field.
And looking at the bug report:
"""
Suggested solution: unwrap the dc adapter with removeSecurityProxy in
the IObjectModifiedEvent handler. After all, not all principals that can
add/modify objects must have the zope.app.dublincore.change permission.
I'll commit this solution in a few moments as it keeps my functional
tests from passing. The solution will not have tests as the situation
requires a lot of setup to reproduce.
"""
You present a rationale for why it's a Good Thing, so I assumed you
intended it not as a hack but as a design decision. Oops.
>> A much better hack would be to register your own event handler, in
>> your app, to remove proxy and keep the core free of that.
>
> I don't care for DC! Zope 3 calls the handler, because the object is
> attribute annotatable. I need it to be annotatable, and I also want
> my app to work on an untweaked Zope 3 instance.
I think we need to avoid tweaking the trunk solely for our own
convenience. Branches are good for that.
-- Garrett