[Zope3-Users] Re: Vocabularies beyond SimpleVocabulary
Philipp von Weitershausen
philipp at weitershausen.de
Tue Jun 13 02:32:38 EDT 2006
Piotr Chamera wrote:
> Philipp von Weitershausen wrote:
>> Piotr Chamera wrote:
>>> def getVocabulary(context, items_container, title_field):
>>>     list = []
>>>     root=zapi.getRoot(context)
>>>     for (oid, oobj) in root.get("books").get(items_container).items():
>>>         obj = removeAllProxies(oobj)
>>
>> Don't remove (security) proxies here! You're totally disabling security
>> with this.
>>
>>>         list.append( SimpleTerm( obj, str(obj.__dict__[title_field]),
>>>             obj.__dict__[title_field]))
>>
>>
>> This spelling is very awkward. It's probably also the reason why you
>> wanted to remove proxies above. You should write this as:
>>
>>   list.append(SimpleTerm(obj, getattr(obj, title_field),
>>                          getattr(obj, title_field)))
>>
>>>     return SimpleVocabulary( list )
>>
>
> I have removed proxies because I stored selected objects in an attribute of
> another object with forms generated from schema. But I probably can
> remove the proxy in the set method of that attribute (property) or ... what else
> can I store as a reference to an object in an attribute of another object to be
> secure?

Security proxies can't be stored. They're created upon access. Unless
you *really* know what you're doing, removeAllProxies or
removeSecurityProxies should not occur in your application code. If it
does, it's likely to cause security holes.

Philipp
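
A simplified model of the behaviour discussed in this thread, added here as an example and not code from the original messages or from zope.security: it shows why `obj.__dict__[title_field]` fails through a checking proxy while `getattr(obj, title_field)` works, and what unwrapping exposes. `CheckedProxy`, `Forbidden`, `unwrap`, `Book`, `build_terms` and `try_read` are hypothetical names, and the sample books are constructed.

```python
# Simplified model of a Zope 3 security proxy (added example; NOT zope.security).
# CheckedProxy, Forbidden, unwrap, Book, build_terms, try_read are hypothetical.

class Forbidden(Exception):
    """Raised when a name is not declared readable for the wrapped object."""

class CheckedProxy:
    """Forwards attribute reads only for names its allow-list permits."""
    __slots__ = ("_obj", "_allowed")

    def __init__(self, obj, allowed):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattribute__(self, name):
        # Every read, including __dict__, passes through the allow-list.
        if name not in object.__getattribute__(self, "_allowed"):
            raise Forbidden(name)
        return getattr(object.__getattribute__(self, "_obj"), name)

def unwrap(proxy):
    """Stand-in for removeAllProxies: returns the bare, unchecked object."""
    return object.__getattribute__(proxy, "_obj")

class Book:
    def __init__(self, title, internal_notes):
        self.title = title
        self.internal_notes = internal_notes  # never declared readable

def build_terms(items, title_field):
    """Collect (value, title) pairs with getattr on the still-proxied object."""
    return [(obj, getattr(obj, title_field)) for obj in items]

# Constructed sample data: two proxied books that expose only "title".
BOOKS = [CheckedProxy(Book("Dune", "draft contract"), {"title"}),
         CheckedProxy(Book("Emma", "royalty dispute"), {"title"})]

def try_read(obj, name):
    """Return the attribute value, or 'forbidden' if the checker refuses."""
    try:
        return getattr(obj, name)
    except Forbidden:
        return "forbidden"
```

Reading `__dict__` or `internal_notes` through the proxy is refused, while the unwrapped object hands both over to any caller, which is the hole the reply warns about.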