[Zope3-dev] Re: View permissions
Philipp von Weitershausen
philipp at weitershausen.de
Tue Jan 23 10:51:30 EST 2007
Jim Fulton wrote:
> Albertas Agejevas wrote:
>> Hi all,
>>
>> Unpleasant things happen when views are security wrapped. Widgets
>> refuse to work, because they are registered as views, and get a custom
>> security checker (in zope.app.component.metaconfigure.view). The
>> default view custom checker only protects '__call__', leaves all other
>> attributes forbidden. This makes rendering a label or errors of a widget
>> fail. Defining security permissions for the widget class does not
>> help as the custom checker overrides them.
>>
>> The TextWidget is registered in zope/app/form/browser/configure.zcml
>> as follows:
>>
>> <view
>>     type="zope.publisher.interfaces.browser.IBrowserRequest"
>>     for="zope.schema.interfaces.ITextLine"
>>     provides="zope.app.form.interfaces.IInputWidget"
>>     factory=".TextWidget"
>>     permission="zope.Public"
>>     />
>>
>> Gary Poster helped me find 3 ways to overcome the security wrapped
>> widget problem:
>>
>> 1. ZCML only fix: add allowed_interface="...ITextBrowserWidget" to the
>> text widget ZCML registration, and the relevant interfaces to all
>> other widgets (maybe just IInputWidget is enough).
>>
>> 2. Make the view custom permission checker merge permissions registered
>> for the view class with the permissions allowed by the view
>> registration.
>>
>> 3. Make the provided interface the default allowed interface.
>> Fall back on allowing just __call__ for the views that only
>> provide zope.interface.Interface.
>>
>> I feel that the last option is best.
I'm surprised it doesn't do that already.
> Why not just use:
>
> <adapter
>     for="zope.schema.interfaces.ITextLine
>          zope.publisher.interfaces.browser.IBrowserRequest"
>     provides="zope.app.form.interfaces.IInputWidget"
>     factory=".TextWidget"
>     permission="zope.Public"
>     />
>
> That's what I would do.
>
> I might even hack the TextWidget so I could just do:
>
> <adapter
>     factory=".TextWidget"
>     permission="zope.Public"
>     />
>
> I'd be happy to deprecate the view directive.
+1
--
http://worldcookery.com -- Professional Zope documentation and training
2nd edition of Web Component Development with Zope 3 is now shipping!
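
A simplified model of the checker behaviour discussed in this thread, added here as an example and not code from Zope or from the posters. It uses plain dictionaries instead of zope.security; the widget attributes, the interface name list, `CLASS_DECLARED` and the `mode` switch are constructed for illustration.

```python
PUBLIC = "zope.Public"  # permission id from the registrations quoted above

class Forbidden(AttributeError):
    """The checker has no entry for this name, so access is denied."""

class TextWidget:
    # Constructed stand-in for a widget; attribute names are illustrative.
    label = "Title"
    def error(self):
        return ""
    def __call__(self):
        return '<input type="text" />'

# Constructed stand-in for an interface: only the names it declares.
I_INPUT_WIDGET = ("__call__", "label", "error")
# Permissions declared for the class itself, separate from any registration.
CLASS_DECLARED = {TextWidget: {"label": PUBLIC, "error": PUBLIC}}

def view_checker(factory, permission, provides=(), allowed=(), mode="current"):
    """Build the {name: permission} map attached by a view registration."""
    names = {"__call__", *allowed}           # option 1 passes names in `allowed`
    if mode == "provides" and provides:      # option 3, else fall back to __call__
        names = set(provides) | set(allowed)
    checker = {name: permission for name in names}
    if mode == "merge":                      # option 2: keep class declarations
        checker = {**CLASS_DECLARED.get(factory, {}), **checker}
    return checker

def guarded_getattr(obj, name, checker):
    """Deny by default: a name missing from the checker is forbidden."""
    if name not in checker:
        raise Forbidden(name)
    return getattr(obj, name)

def readable(obj, checker, names=("__call__", "label", "error")):
    """Return the sorted subset of `names` the checker lets a caller read."""
    allowed = []
    for name in names:
        try:
            guarded_getattr(obj, name, checker)
            allowed.append(name)
        except Forbidden:
            pass
    return sorted(allowed)

if __name__ == "__main__":
    for mode in ("current", "merge", "provides"):
        checker = view_checker(TextWidget, PUBLIC, I_INPUT_WIDGET, mode=mode)
        print(mode, readable(TextWidget(), checker))
```
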