[Zope3-dev] View permissions
Jim Fulton
jim at zope.com
Mon Jan 22 17:46:48 EST 2007
Albertas Agejevas wrote:
> Hi all,
>
> Unpleasant things happen when views are security wrapped. Widgets
> refuse to work, because they are registered as views, and get a custom
> security checker (in zope.app.component.metaconfigure.view). The
> default view custom checker only protects '__call__', leaves all other
> attributes forbidden. This makes rendering a label or errors of a widget
> fail. Defining security permissions for the widget class does not
> help as the custom checker overrides them.
>
> The TextWidget is registered in zope/app/form/browser/configure.zcml
> as follows:
>
>   <view
>       type="zope.publisher.interfaces.browser.IBrowserRequest"
>       for="zope.schema.interfaces.ITextLine"
>       provides="zope.app.form.interfaces.IInputWidget"
>       factory=".TextWidget"
>       permission="zope.Public"
>       />
>
> Gary Poster helped me find 3 ways to overcome the security wrapped
> widget problem:
>
> 1. ZCML only fix: add allowed_interface="...ITextBrowserWidget" to the
> text widget ZCML registration, and the relevant interfaces to all
> other widgets (maybe just IInputWidget is enough).
>
> 2. Make the view custom permission checker merge permissions registered
> for the view class with the permissions allowed by the view
> registration.
>
> 3. Make the provided interface the default allowed interface.
> Fall back on allowing just __call__ for the views that only
> provide zope.interface.Interface.
>
> I feel that the last option is best.

Why not just use:

  <adapter
      for="zope.schema.interfaces.ITextLine
           zope.publisher.interfaces.browser.IBrowserRequest"
      provides="zope.app.form.interfaces.IInputWidget"
      factory=".TextWidget"
      permission="zope.Public"
      />

That's what I would do.

I might even hack the TextWidget so I could just do:

  <adapter
      factory=".TextWidget"
      permission="zope.Public"
      />

I'd be happy to deprecate the view directive.

Jim

--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
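
The checker behaviour discussed in this message, as an added example that is not part of the original thread and is not zope.security's code: a simplified model of a name-based checker showing why a `__call__`-only checker blocks a widget's label and errors, and how options 1 and 3 change that. The `Checker`, `Proxy` and `TextWidget` classes, the helper functions and `WIDGET_NAMES` are constructed stand-ins.

```python
# Simplified model of a name-based security checker (not zope.security itself).
class ForbiddenAttribute(Exception):
    """The checker has no permission entry for the requested name."""

class Checker:
    def __init__(self, names, permission):
        self.permissions = {name: permission for name in names}

    def check(self, name):
        if name not in self.permissions:
            raise ForbiddenAttribute(name)

class Proxy:
    """Routes every attribute access on the wrapped object through the checker."""
    __slots__ = ("_obj", "_checker")

    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattribute__(self, name):
        object.__getattribute__(self, "_checker").check(name)
        return getattr(object.__getattribute__(self, "_obj"), name)

def view_checker(permission, allowed_names=()):
    # Behaviour described in the post: '__call__' plus any explicitly allowed names.
    return Checker({"__call__", *allowed_names}, permission)

def provided_interface_checker(permission, interface_names):
    # Option 3: the provided interface's names are allowed by default;
    # an interface with no names falls back to '__call__' only.
    return Checker(set(interface_names) or {"__call__"}, permission)

class TextWidget:  # constructed stand-in for a widget
    label = "Title"
    def error(self):
        return ""
    def __call__(self):
        return '<input type="text" />'

WIDGET_NAMES = ("label", "error", "__call__")  # assumed interface names

def readable(proxy, name):
    """True if the checker lets `name` be read through the proxy."""
    try:
        getattr(proxy, name)
        return True
    except ForbiddenAttribute:
        return False
```

In this model, the permission declared for the class never enters the picture: the proxy consults only the checker built at registration time, which is the override described in the quoted post.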