[Zope3-Users] Re: Vocabularies beyond SimpleVocabulary

Piotr Chamera piotr_chamera at poczta.onet.pl
Tue Jun 13 05:30:20 EDT 2006


> Philipp von Weitershausen wrote:
>> Piotr Chamera wrote:

>> I have removed proxies because I stored selected objects in an attribute of
>> another object with forms generated from a schema. But I can probably
>> remove the proxy in the set method of that attribute (property) or ... what else
>> can I store as a reference to an object in an attribute of another object to be
>> secure?
> 
> Security proxies can't be stored. They're created upon access. Unless
> you *really* know what you're doing, removeAllProxies or
> removeSecurityProxies should not occur in your application code. If it
> does, it's likely to cause security holes.

I have two objects, "author" and "work", in a many-to-many relationship.
I want to store the works related to a given author in an attribute of the
author, and the authors in an attribute of the work.

     .setAuthors [2] <---- form <---- authors vocabulary <---- [1]
work                                                              author
      [1] ---->  works  vocabulary  ----> form ----> .setWorks [2]

As you pointed out, removing the proxy at point [1] is insecure.
If I pass the proxy to the vocabulary (can I?) and remove the proxy at point [2],
is it insecure too?

How can I achieve this design in a secure way?

Piotr Chamera




