Hi all, we are currently using plone.app.tiles for a project, and we came
across an issue.
For one of our tiles, we are using
a z3c.relationfield.schema.RelationChoice field, which renders a nice
pop-up with elements to add as related.
The thing is, when you have a folder and want to expand it to choose an
element from inside, you'll get an "Insufficient privileges" error if you
have some unpublished content.
Digging into the problem, I found that when you click on that folder, the
widget tries to fetch the content using a URL like:

    HOST/Plone/myfolder/..../@@edit-tile/mi.tile/...../++widget++widget_name/@@contenttree-fetch
Then I put a pdb
in plone.app.tiles.browser.edit.DefaultEditForm.getContent and found that
it doesn't matter whether you're logged in or not: you'll be anonymous at
that point.
So, the issue arises when calling

    tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))
After inspecting the backtrace, I found an interesting bit of code in
plone.z3cform.traversal:

    # Since we cannot check security during traversal,
    # we delegate the check to the widget view.
    alsoProvides(self.request, IDeferSecurityCheck)
    form.update()
So, what I did to solve the issue was to create a custom edit form for my
tile and override the "getContent" method, replacing that line up there
with:

    if IDeferSecurityCheck.providedBy(self.request):
        tile = self.context.unrestrictedTraverse('@@%s/%s' % (typeName, tileId,))
    else:
        tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))
What do you think about this? Is this a proper solution? Do you think it
would be OK to add that change as part of p.a.t?
Kind regards,
Franco
_______________________________________________
Product-Developers mailing list
[email protected]
https://lists.plone.org/mailman/listinfo/plone-product-developers
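Added example, not code from the post or from plone.app.tiles: a self-contained Python model of the traversal path described above. Request, Content, restricted_traverse, unrestricted_traverse, get_content and contenttree_fetch are constructed stand-ins for Zope's restrictedTraverse/unrestrictedTraverse, the IDeferSecurityCheck marker and the @@contenttree-fetch widget view; the point it makes is that the unrestricted traversal is only safe because the widget view still checks the real user afterwards.

```python
class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""

class Request:
    def __init__(self, user="Anonymous", defer_security_check=False):
        self.user = user
        # constructed stand-in for alsoProvides(request, IDeferSecurityCheck)
        self.defer_security_check = defer_security_check

class Content:
    def __init__(self, name, published=True, children=()):
        self.name, self.published = name, published
        self.children = {c.name: c for c in children}

def check_permission(node, request):
    """Unpublished items are visible only to authenticated users."""
    return node.published or request.user != "Anonymous"

def unrestricted_traverse(root, path):
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
    return node

def restricted_traverse(root, path, request):
    node = root
    for part in path.strip("/").split("/"):
        node = node.children[part]
        if not check_permission(node, request):
            raise Unauthorized(node.name)
    return node

def get_content(root, path, request):
    """Mirror of the proposed getContent change: skip the traversal-time
    check only when the traverser marked the request as deferring it."""
    if request.defer_security_check:
        return unrestricted_traverse(root, path)
    return restricted_traverse(root, path, request)

def contenttree_fetch(root, path, user):
    """Widget view: ++widget++ traversal runs before the user is known,
    so getContent sees an anonymous request; the view re-checks with
    the authenticated user, which is what makes the deferral safe."""
    traversal_request = Request("Anonymous", defer_security_check=True)
    node = get_content(root, path, traversal_request)
    if not check_permission(node, Request(user)):
        raise Unauthorized(node.name)
    return sorted(node.children)
```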