[Zope3-Users] z3c.form permission problem

Andre Schubert schubert.andre at web.de
Tue Oct 27 15:15:20 EDT 2009


Hi all,

I have found a problem within z3c.form.
I have the following scenario.
Let's say I have an object Foo with two attributes A and B.
I have set up a z3c.form EditForm for all objects Foo.
If there is a user UserA with read/write access to Foo.A and Foo.B,
the form is rendered correctly with two input fields for Foo.A and Foo.B.
If there is a user UserB with read/write access to Foo.A and read access to Foo.B,
the form is rendered correctly with one input field for Foo.A and one display field for Foo.B.
If there is a user UserC with read/write access to Foo.A and no access to Foo.B,
I can't see the form, because of an Unauthorized exception.

After searching through the source, I have found that in
z3c.form.field.FieldWidgets.update()
there is a check, canWrite, which switches between INPUT and DISPLAY
depending on whether a user has write permissions or not.
What I have not found is a canAccess.
After inserting a canAccess next to canWrite, the result for UserC is
the following: the form is rendered with only one input
field for Foo.A and none for Foo.B.

It would be great if someone with more knowledge could take a look at this.

Best Regards,
Andre
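
The behaviour described in the message above, as an added example that is not part of the original post and is not z3c.form or zope.security code: a simplified, self-contained Python model of a per-field mode decision with and without a read-access check. All names (`GRANTS`, `can_access`, `can_write`, `read_value`, `widget_modes`, `render`) are hypothetical stand-ins, and the grants table is constructed sample data.

```python
# Simplified model of the per-field mode decision described in the post.
# It does not import zope.security or z3c.form; every name is hypothetical.

class Unauthorized(Exception):
    """Stand-in for the Unauthorized exception a security proxy raises."""

# Constructed sample grants: user -> attribute -> rights held on it.
GRANTS = {
    "UserA": {"A": {"read", "write"}, "B": {"read", "write"}},
    "UserB": {"A": {"read", "write"}, "B": {"read"}},
    "UserC": {"A": {"read", "write"}, "B": set()},
}

def can_access(user, name):
    return "read" in GRANTS[user].get(name, set())

def can_write(user, name):
    return "write" in GRANTS[user].get(name, set())

def read_value(user, name):
    # Models the proxied attribute read: no read right means an exception.
    if not can_access(user, name):
        raise Unauthorized(name)
    return "value of " + name

def widget_modes(user, fields, check_access):
    """Return {field: mode} for the widgets the form would set up."""
    modes = {}
    for name in fields:
        if check_access and not can_access(user, name):
            continue  # no read permission: leave the field out of the form
        mode = "input" if can_write(user, name) else "display"
        read_value(user, name)  # the widget loads the current value
        modes[name] = mode
    return modes

def render(user, check_access):
    """Render Foo's two fields; report the exception instead of crashing."""
    try:
        return widget_modes(user, ["A", "B"], check_access)
    except Unauthorized as exc:
        return "Unauthorized: " + str(exc)

if __name__ == "__main__":
    for user in GRANTS:
        print(user, render(user, False), render(user, True))
```

With the access check enabled, the unreadable field is omitted instead of aborting the whole form, which matches the result reported for UserC.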


