Hi Yuan,
I think I am having the same problem, as in all the errors look the same. I
have just committed a fix for my problem so hopefully it is the same problem.
I did like you said added the widget to the interface and declared that all
the widgets require the zope.Public permission to access the attribute.
Michael
On Thursday 20 September 2007 17:17:05 Yuan HOng wrote:
> HI, list:
>
> I am new to z3c.form. In my first AddForm, I encountered the following
> problem:
>
> When the form is submitted which contains some input error, like
> missing required fields, the rendering of the error message causes an
> system error. The traceback:
>
> ...
> File
> "/usr/lib/python2.5/site-packages/zope.app.pagetemplate-3.4.0b1dev_r75616-p
>y2.5.egg/zope/app/pagetemplate/engine.py", line 68, in __call__
> request=request)
> File
> "/usr/lib/python2.5/site-packages/zope.traversing-3.5.0a1.dev_r78730-py2.5.
>egg/zope/traversing/adapters.py", line 164, in traversePathElement
> return traversable.traverse(nm, further_path)
>- __traceback_info__: (, 'widget')
> File
> "/usr/lib/python2.5/site-packages/zope.traversing-3.5.0a1.dev_r78730-py2.5.
>egg/zope/traversing/adapters.py", line 52, in traverse
> raise TraversalError(subject, name)
>- __traceback_info__: (, 'widget',
> []) TraversalError: (, 'widget')
>
> After a little debugging, I was able to find that the chain leading to
> the error is as follows:
>
> 1. div-form.pt in the z3c.formui package contains the following error
> presentation:
>
>
>
> :
>
> Error Type
>
>
> error/widget is accessed here, with error being an ErrorViewSnippet object.
>
> 2. The ErrorViewSnipped is created in field.py using:
>
> view = zope.component.getMultiAdapter(
> (error, self.request, widget, widget.field,
>self.form, self.content), interfaces.IErrorViewSnippet)
>
> As in my application, self.content is a custom ISite folder, which is
> security proxied, the getMultiAdapter method returns a security
> proxied ErrorViewSnippet object.
>
> 3. Access to ErrorViewSnippet is defined in z3c.form/configure.zcml as:
>
> factory=".error.ErrorViewSnippet"
> trusted="True"
> permission="zope.Public"
> />
>
> The IErrorViewSnippet interface contains only 3 attributes: error,
> update, render. Those are accessible to everyone. But there is no
> security declaration for the 'widget' attribute, so access to it is
> denied:
>
> (Pdb) snippet
>
> (Pdb) type(snippet)
>
> (Pdb) from zope.security.proxy import getChecker
> (Pdb) getChecker(snippet).get_permissions
> {'update': Global(CheckerPublic,zope.security.checker), 'render':
> Global(CheckerPublic,zope.security.checker), 'error':
> Global(CheckerPublic,zope.security.checker)}
> (Pdb) from zope.security import canAccess
> (Pdb) canAccess(snippet, 'widget')
> *** ForbiddenAttribute: ('widget', )
>
> So it seems the default z3c.form security declaration only allows
> access to 'update', 'error' and 'render' attributes of an
> ErrorViewSnippet object. I tried to work this around the by adding the
> 'widget' attribute to the IErrorViewSnippet interface and the system
> error is no longer raised. However, this time, another exception is
> raised saying the 'label' property of the widget is not accessible.
>
> How can I setup my security properly to use z3c.form smoothly?
> Shouldn't 'widget' not be in IErrorViewSnippet since it is evidently
> externally used in the rendering template?
>
> Thanks for suggestions.
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users
