[Zope3-dev] setUpEditWidgets fails

Gary Poster gary at zope.com
Tue Mar 8 10:36:14 EST 2005


On Mar 8, 2005, at 10:05 AM, Roger Ineichen wrote:

> Hi Gary

Hi Roger

> I have problems with our implementations using the method
> setUpEditWidgets().
>
> We have trusted adapters as "source" objects.
>
> What I can see is, the method canWrite zope.security.checker
> raises an error.

Hm.  That *should* mean that, before my change, if a user tried to 
submit at least one of the fields on the form then they would get the 
Unauthorized.  That's what the doctests try to show. :-)

I should mention that, while I want this behavior, I think it's the 
right one (especially given the availability of the new degrade* 
options), and Jim agrees with it, if it is problematic for you (or 
others) then I want to work with you.

> The checker which is used is a zope.security.checker.Checker
> instance.
>
> Is there a way to print out checker definitions?
> It would be nice to have a method like dumpChecker(obj)
> which reports what the proxy/checker is doing like:
>
> Allowed attrs:
> --------------
> - title
> - description
> - body

If you get the checker (proxied_obj.__Security_checker__)  and it is a 
zope.security.checker then you can look at the checker.get_permissions 
and the checker.set_permissions to see the information you want--each 
is a dictionary of attribute name : permission needed.

To get precisely the results you want, within the context of an 
interaction you could use the canAccess and canWrite as you walk over 
the names in all of the interfaces--

(untested, just a sketch, but hopefully not too far from working)

--8<----8<----8<----8<----8<----8<----8<----8<----8<----

import zope.interface
import zope.security
import zope.security.interfaces

CANACCESS = "Can access"
UNAUTHORIZEDACCESS = "Unauthorized access"
FORBIDDENACCESS = "Forbidden access"
CANWRITE = "Can write"
UNAUTHORIZEDWRITE = "Unauthorized write"
FORBIDDENWRITE = "Forbidden write"

def analyzeAccess(obj):
    """Analyzes the abilities of the current interaction in relation to obj"""
    results = {}
    # Walk every name declared by every interface the object provides.
    for i in zope.interface.providedBy(obj):
        for name in i:
            if name not in results:
                res = results[name] = []
                # canAccess/canWrite take the object and the attribute name;
                # they return a boolean, or raise Forbidden when the checker
                # has no declaration at all for the name.
                try:
                    access = zope.security.canAccess(obj, name)
                except zope.security.interfaces.Forbidden:
                    res.append(FORBIDDENACCESS)
                else:
                    res.append(CANACCESS if access else UNAUTHORIZEDACCESS)
                try:
                    write = zope.security.canWrite(obj, name)
                except zope.security.interfaces.Forbidden:
                    res.append(FORBIDDENWRITE)
                else:
                    res.append(CANWRITE if write else UNAUTHORIZEDWRITE)
    return results

--8<----8<----8<----8<----8<----8<----8<----8<----8<----

Results similar to what you listed could be done with

import pprint

pprint.pprint(analyzeAccess(obj))

...or you could adapt the function to return other non-string values...

> Does somebody know where trusted adapters are used in an edit view?

The trusted adapters are the source--the value that the form is using 
to draw itself.  Because your adapter is trusted, the checker that you 
care about is the one configured for the adapter, not for the original 
object.

Let me know how else I can help.

Gary
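
The dumpChecker(obj) report asked for in this thread can be built from the two dictionaries the reply names, checker.get_permissions and checker.set_permissions. The following is an added example, not part of the original message and not zope.security code; the function names, SampleChecker and its permission values are constructed for illustration, and a real checker obtained as the message describes would be passed in instead.

```python
NO_ENTRY = "-"  # shown when a name is missing from one of the dictionaries


def checker_rows(checker):
    """Return sorted (name, read_permission, write_permission) tuples."""
    get_perms = dict(checker.get_permissions)
    set_perms = dict(getattr(checker, "set_permissions", None) or {})
    return [(name,
             str(get_perms.get(name, NO_ENTRY)),
             str(set_perms.get(name, NO_ENTRY)))
            for name in sorted(set(get_perms) | set(set_perms))]


def read_only_names(checker):
    """Names with a read permission but no set permission declared.

    These are the attributes an edit form can display but not write.
    """
    return [name for name, read, write in checker_rows(checker)
            if read != NO_ENTRY and write == NO_ENTRY]


def dump_checker(checker):
    """Format the checker declarations as a plain-text table."""
    rows = [("attribute", "read", "write")] + checker_rows(checker)
    w0 = max(len(r[0]) for r in rows)
    w1 = max(len(r[1]) for r in rows)
    lines = ["%-*s  %-*s  %s" % (w0, r[0], w1, r[1], r[2]) for r in rows]
    lines.insert(1, "-" * len(lines[0]))
    return "\n".join(lines)


class SampleChecker(object):
    """Constructed stand-in exposing the same two attributes as a Checker."""
    get_permissions = {"title": "zope.View",
                       "description": "zope.View",
                       "body": "zope.View"}
    set_permissions = {"title": "zope.ManageContent",
                       "body": "zope.ManageContent"}


if __name__ == "__main__":
    print(dump_checker(SampleChecker()))
    print("read-only: %s" % ", ".join(read_only_names(SampleChecker())))
```

For a trusted adapter, the checker to pass in is the one configured for the adapter, as the reply points out.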


