[Zope3-Users] browser:containerViews
Christian Lück
christian.lueck at ruhr-uni-bochum.de
Thu Jan 5 21:56:39 EST 2006
Hm, I think I have to put it even more exact:
A user excluded from 'contents' but included in 'add' can call an
IAdding view for the Interface in question. Even though the addMenuItems
are gone, the user can query the page by hand in the browser address
field. When he presses the add-button he is redirected to the login
form. But the object *is* created.
The whole problem disappears when I set the permission on 'contents' more
loose (=paradigm.AddCategory instead of EditCategory; AddCategory
granted to the user).
I think the issue is the redirection after object creation. The
createAndAdd() method is being done but when it comes to nextURL() or
so, something obscure happens...
I use 3.2.0b2
Here's the whole configure.zcml:
(ICategoryDB is a container for ICategory, ICategory is one for IPredicate.)
<configure
    xmlns='http://namespaces.zope.org/browser'
    xmlns:zope='http://namespaces.zope.org/zope'>

  <!-- ICategoryDB -->
  <addform
      schema="paradigm.categorydb.interfaces.ICategoryDB"
      content_factory="paradigm.categorydb.categorydb.CategoryDB"
      name="AddCategoryDB.html"
      label="Add a CategoryDB."
      permission="zope.ManageContent"
      />
  <addMenuItem
      class="paradigm.categorydb.categorydb.CategoryDB"
      title="CategoryDB"
      description="Add a CategoryDB."
      view="AddCategoryDB.html"
      permission="zope.ManageContent"
      />
  <editform
      schema="paradigm.categorydb.interfaces.ICategoryDB"
      name="Edit.html"
      label="Change CategoryDB."
      menu="zmi_views" title="Edit"
      permission="zope.ManageContent"
      />
  <containerViews
      for="paradigm.categorydb.interfaces.ICategoryDB"
      index="zope.View"
      contents="paradigm.EditCategory" *<==========*
      add="paradigm.AddCategory"
      />

  <!-- ICategory -->
  <addform
      schema="paradigm.categorydb.interfaces.ICategory"
      content_factory="paradigm.categorydb.category.Category"
      name="AddCategory.html"
      label="Add a Category."
      permission="paradigm.AddCategory"
      set_before_add="name"
      />
  <addMenuItem
      class="paradigm.categorydb.category.Category"
      title="Category"
      description="Add a Category."
      view="AddCategory.html"
      permission="paradigm.AddCategory"
      />
  <editform
      schema="paradigm.categorydb.interfaces.ICategory"
      name="Edit.html"
      label="Change Category."
      menu="zmi_views" title="Edit"
      permission="paradigm.EditCategory"
      />
  <containerViews
      for="paradigm.categorydb.interfaces.ICategory"
      index="zope.View"
      contents="paradigm.EditCategory"
      add="paradigm.AddCategory"
      />
  <page
      for="paradigm.categorydb.interfaces.ICategory"
      name="details.html"
      class=".category.CategoryDetailsView"
      menu="zmi_views" title="Details"
      permission="zope.View"
      />
  <defaultView
      for="paradigm.categorydb.interfaces.ICategory"
      name="details.html"
      />

  <!-- IPredicate -->
  <addform
      schema="paradigm.categorydb.interfaces.IPredicate"
      content_factory="paradigm.categorydb.predicate.Predicate"
      name="AddPredicate.html"
      label="Add a Predicate."
      permission="paradigm.AddCategory"
      set_before_add="name"
      />
  <addMenuItem
      class="paradigm.categorydb.predicate.Predicate"
      title="Predicate"
      description="Add a Predicate."
      view="AddPredicate.html"
      permission="paradigm.AddCategory"
      />
  <editform
      schema="paradigm.categorydb.interfaces.IPredicate"
      name="Edit.html"
      label="Change Predicate."
      menu="zmi_views" title="Edit"
      permission="paradigm.EditCategory"
      />
  <!--containerViews
      for="paradigm.categorydb.interfaces.IPredicate"
      index="zope.View"
      contents="paradigm.EditCategory" *<==========*
      add="paradigm.AddCategory"
      /-->

  <!-- skin dependent menu items -->
  <menuItems
      for="paradigm.categorydb.interfaces.ICategory"
      menu="category"
      layer="paradigm">
    <menuItem
        action="details.html"
        title="Details"
        />
    <menuItem
        action="+"
        title="Add Content"
        />
  </menuItems>
  <menuItems
      for="paradigm.categorydb.interfaces.ICategoryDB"
      menu="category"
      layer="paradigm">
    <menuItem
        action="+"
        title="Add Content"
        />
  </menuItems>

</configure>
(top of obscure: The addMenuItems in rotterdam are gone but the 'Add
Content' items in my own skin are there.)
Regards,
Christian
Christian Lück wrote:
> Hi!
>
> The differentiation of the 'contents' and 'add' attributes of
> browser:containerViews seems weird.
> To actually 'add' content the permission which is set for 'contents'
> necessarily has to be granted to the principal. To put it more formally: not
> permission('contents') => not permission('add')
> All Principals excluded from 'contents' are excluded from 'add'.
>
> A consequence of this is: Each principal, that you want to grant the
> permission to add, gets the Cut/Insert/Delete-menu and is able to delete
> content, because this menu is controlled by the 'contents' attribute.
> So it is impossible to distinguish members (which can add) and editors
> (which can cut and delete).
> To include a principal to 'add' you necessarily have to include him to
> 'contents' and its cut/delete-menu.
>
> An Example:
>
>   <containerViews
>       for="paradigm.categorydb.interfaces.ICategory"
>       index="zope.View"
>       contents="paradigm.EditCategory"
>       add="paradigm.AddCategory"
>       />
>
> paradigm.AddCategory is granted to members, members can add content.
> paradigm.EditCategory is granted to Editors, only a few editors can
> delete etc. contents.
>
> With this setting a member with granted paradigm.AddCategory can *not*
> add content, but is prompted to the login form.
>
> To let a member add content I have to change the registration to:
>
>   <containerViews
>       for="paradigm.categorydb.interfaces.ICategory"
>       index="zope.View"
>       contents="paradigm.AddCategory" <----------------
>       add="paradigm.AddCategory"
>       />
>
> But then the member has the right to delete etc.
>
> But maybe only my application is "weird". I don't want all folks to be able
> to delete, I want them to add! ;) I want stable content with lots of
> relations...
>
> Regards,
> Christian
>
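
A configuration check for the two situations discussed in this thread, as an added example that is not part of the original post or of Zope: it parses `containerViews` directives and reports roles that hold the `add` permission without the `contents` permission, and directives where both attributes name the same permission. The function name, the role names and the grants map are assumptions, and the ZCML sample is constructed in the shape of the post's configuration.

```python
import xml.etree.ElementTree as ET

BROWSER_NS = "http://namespaces.zope.org/browser"

# Constructed sample: two containerViews directives in the shape used in the post.
SAMPLE_ZCML = """\
<configure xmlns='http://namespaces.zope.org/browser'>
  <containerViews
      for="paradigm.categorydb.interfaces.ICategoryDB"
      index="zope.View"
      contents="paradigm.EditCategory"
      add="paradigm.AddCategory"
      />
  <containerViews
      for="paradigm.categorydb.interfaces.ICategory"
      index="zope.View"
      contents="paradigm.AddCategory"
      add="paradigm.AddCategory"
      />
</configure>
"""

# Constructed role -> permission map (assumption; take it from your own grants).
SAMPLE_GRANTS = {
    "Member": {"zope.View", "paradigm.AddCategory"},
    "Editor": {"zope.View", "paradigm.AddCategory", "paradigm.EditCategory"},
}


def audit_container_views(zcml_text, grants):
    """Return (interface, role, finding) tuples for risky containerViews."""
    findings = []
    for el in ET.fromstring(zcml_text).iter("{%s}containerViews" % BROWSER_NS):
        iface, add, contents = el.get("for"), el.get("add"), el.get("contents")
        if add is None or contents is None:
            continue  # only one of the two views is registered
        if add == contents:
            # Case from the quoted message: whoever may add also gets cut/delete.
            findings.append((iface, "*", "add-equals-contents"))
            continue
        for role in sorted(grants):
            if add in grants[role] and contents not in grants[role]:
                # Case from the reply: role can reach the add view but not contents.
                findings.append((iface, role, "add-without-contents"))
    return findings


if __name__ == "__main__":
    for finding in audit_container_views(SAMPLE_ZCML, SAMPLE_GRANTS):
        print(*finding)
```
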