[Zope3-dev] ILocation code in zope/app/form/editview.py
Gary Poster
gary at zope.com
Tue Mar 8 14:48:32 EST 2005
Roger pointed out a problem with the new security checks in
zope/app/form/utility.py, setUpEditWidgets, when used in conjunction
with the LocationProxy.
I've looked at it a bit: it's a bit thorny, with proxies inside of
proxies and some odd code. Jim's suggestion was to try and bypass the
whole problem: get rid of the LocationProxy in editview. I like this
idea, but we need to make sure that everyone agrees. Here's the
current pertinent code.
def _setUpWidgets(self):
adapted = self.schema(self.context)
if adapted is not self.context:
if not ILocation.providedBy(adapted):
adapted = LocationProxy(adapted)
adapted.__parent__ = self.context
self.adapted = adapted
setUpEditWidgets(self, self.schema, source=self.adapted,
names=self.fieldNames)
Jim's proposal is that this become the following:
def _setUpWidgets(self):
self.adapted = self.schema(self.context)
setUpEditWidgets(self, self.schema, source=self.adapted,
names=self.fieldNames)
If the adapter is trusted and implements ILocation, the trusted adapter
factory will set the __parent__ and __name__ itself. Most or all
trusted adapters will want to do this. If a normal adapter wants to
care about the location of its context, it receives it and can do with
it what it wills. This may also have been added before the local site
was a thread global, so local component lookup was harder.
Roger, this would mean that my suggestion of having your adapters
implement ILocation would in fact be the proper thing to do.
Thoughts?
Gary
More information about the Zope3-dev
mailing list