[Zope3-dev] setUpEditWidgets fails
Roger Ineichen
dev at projekt01.ch
Tue Mar 8 11:08:13 EST 2005
Hi Gary
Behalf Of Gary Poster
> Sent: Tuesday, March 08, 2005 4:36 PM
> To: dev at projekt01.ch
> Cc: zope3-dev at zope.org
> Subject: Re: [Zope3-dev] setUpEditWidgets fails
>
>
> On Mar 8, 2005, at 10:05 AM, Roger Ineichen wrote:
>
> > Hi Gary
>
> Hi Roger
>
> > I have problems with our implementations using the method
> > setUpEditWidgets().
> >
> > We have trusted adapters as "source" objects.
> >
> > What I can see is, the method canWrite zope.security.checker
> > raises an error.
>
> Hm. That *should* mean that, before my change, if a user tried to
> submit at least one of the fields on the form then they would get the
> Unauthorized. That's what the doctests try to show. :-)
Ok, that's right
> I should mention that, while I want this behavior, I think it's the
> right one (especially given the availability of the new degrade*
> options), and Jim agrees with it, if it is problematic for you (or
> others) then I want to work with you.
That's also Ok.
> > The checker which is used is a zope.security.checker.Checker
> > instance.
> >
> > Is there a way to print out checker definitions?
> > It would be nice to have a method like dumpChecker(obj)
> > which reports what the proxy/checker is doing like:
> >
> > Allowed attrs:
> > --------------
> > - title
> > - description
> > - body
>
> If you get the checker (proxied_obj.__Security_checker__) and it is a
> zope.security.checker then you can look at the checker.get_permissions
> and the checker.set_permissions to see the information you want--each
> are a dictionary of attribute name : permission needed.
>
> To get precisely the results you want, within the context of an
> interaction you could use the canAccess and canWrite as you walk over
> the names in all of the interfaces--
Yes, I see.
> (untested, just a sketch, but hopefully not too far from working)
>
> --8<----8<----8<----8<----8<----8<----8<----8<----8<----
>
> import zope.interface
> import zope.security
> import zope.security.interfaces
>
> CANACCESS = "Can access"
> UNAUTHORIZEDACCESS = "Unauthorized access"
> FORBIDDENACCESS = "Forbidden access"
> CANWRITE = "Can write"
> UNAUTHORIZEDWRITE = "Unauthorized write"
> FORBIDDENWRITE = "Forbidden write"
>
> def analyzeAccess(obj):
>     """Analyzes the abilities of the current interaction in relation to
>     obj"""
>     results = {}
>     # Walk every name declared by every interface the object provides.
>     for i in zope.interface.providedBy(obj):
>         for name in i:
>             if name not in results:
>                 res = results[name] = []
>                 # canAccess/canWrite take the attribute name to check.
>                 try:
>                     access = zope.security.canAccess(obj, name)
>                 except zope.security.interfaces.Forbidden:
>                     res.append(FORBIDDENACCESS)
>                 else:
>                     res.append(access and CANACCESS or UNAUTHORIZEDACCESS)
>                 try:
>                     write = zope.security.canWrite(obj, name)
>                 except zope.security.interfaces.Forbidden:
>                     res.append(FORBIDDENWRITE)
>                 else:
>                     res.append(write and CANWRITE or UNAUTHORIZEDWRITE)
>     return results
>
> --8<----8<----8<----8<----8<----8<----8<----8<----8<----
>
> Results similar to what you listed could be done with
>
> import pprint
>
> pprint.pprint(analyzeAccess(obj))
>
> ...or you could adapt the function to return other non-string values...
This would be nice to implement...
> > Does somebody know where trusted adapters are used in a edit view?
>
> The trusted adapters are the source--the value that the form is using
> to draw itself. Because your adapter is trusted, the checker that you
> care about is the one configured for the adapter, not for the original
> object.
>
> Let me know how else I can help.
I found something that's not Ok. It doesn't have to do with your
refactoring. This looks good. But it shows an error that
I didn't see before.
In the "EditView" there is a location proxy used if the self.context
isn't the adapted object. Which is true for trusted adapters.
---------
if adapted is not self.context:
    if not ILocation.providedBy(adapted):
        adapted = LocationProxy(adapted)
    adapted.__parent__ = self.context
---------
This ends in a proxied object.
The adapted Adapter is registered with trusted="True".
This should force a trusted not proxied adapted object.
Hm, this sounds like the LocationProxy is proxying my
trusted adapter.
Another Hm, Why is the trusted adapter still working
if I comment out the LocationProxy part?
Do I not need a LocationProxy on trusted adapted objects?
The other part in the setupEditWidget works correctly.
Thanks a lot,
Regards
Roger
> Gary
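A dumpChecker-style report built from the two dictionaries named in the thread (get_permissions and set_permissions), as an added example that is not part of the original messages or of Zope. The names `dump_checker`, `not_writable`, `format_report` and `SampleChecker` are hypothetical, and the sample attribute names and permission ids are constructed.

```python
from collections import namedtuple

# Constructed stand-in for a checker: it carries the two dictionaries named
# in the reply (attribute name -> permission needed). With Zope available,
# pass proxied_obj.__Security_checker__ instead.
SampleChecker = namedtuple("SampleChecker", "get_permissions set_permissions")


def dump_checker(checker, names=None):
    """Map each name to (read permission, write permission).

    None means the checker has no entry for that operation. `names` (for
    example a schema's field names) restricts and extends the report, so a
    field the checker never mentions still shows up as (None, None).
    """
    get_perms = dict(checker.get_permissions or {})
    set_perms = dict(checker.set_permissions or {})
    if names is None:
        names = set(get_perms) | set(set_perms)
    return {n: (get_perms.get(n), set_perms.get(n)) for n in sorted(names)}


def not_writable(report):
    """Names without a write permission entry: an edit form cannot set these."""
    return [n for n, (_read, write) in report.items() if write is None]


def format_report(report):
    """Render the report in the layout sketched in the original question."""
    lines = []
    for title, index in (("Readable attrs:", 0), ("Writable attrs:", 1)):
        lines += [title, "-" * len(title)]
        lines += ["- %s (%s)" % (n, perms[index])
                  for n, perms in report.items() if perms[index] is not None]
        lines.append("")
    return "\n".join(lines)


# Constructed sample data: permission ids and attribute names are illustrative.
SAMPLE = SampleChecker(
    get_permissions={"title": "zope.View", "description": "zope.View",
                     "body": "zope.View"},
    set_permissions={"title": "zope.ManageContent",
                     "description": "zope.ManageContent"},
)

if __name__ == "__main__":
    report = dump_checker(SAMPLE)
    print(format_report(report))
    print("Not writable:", ", ".join(not_writable(report)))
```

For a trusted adapter used as the form source, run this against the checker configured for the adapter and pass the schema's field names as `names`, so fields with no write entry stand out.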