Re: [Zope3-Users] How to allow one user to access only his object
On Thu, 20 Oct 2005 22:19:58 -0700 Naotoshi Seo [EMAIL PROTECTED] wrote: This is easy problem in normal web application. Scripts which receive POST just print out new html (in this case Classname.post). However, I would like to use browser:editview and I have only idea, redirecting, to show the editview. If I need to make the feature, I'll make a Traverser for IMessage. something like... class MessageTraverser: implements(IPublishTraverse) __used_for__ = IMessage def publishTraverse(self, request, name): if name == 'edit.html': # verify password and return a message or raise NotFoundError. I referred a zwiki's traverser implementation. Best Regards, -- Tahara Yusei [EMAIL PROTECTED] ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
Hi. class MessageTraverser: implements(IPublishTraverse) __used_for__ = IMessage def publishTraverse(self, request, name): if name == 'edit.html': # verify password and return a message or raise NotFoundError. How do I pass POSTed value to publishTraverse's request? zope:view for=.IMessageBoard type=zope.publisher.interfaces.browser.IBrowserRequest factory=.MessageBoardTraverser provides=zope.publisher.interfaces.browser.IBrowserPublisher permission=zope.Public / from zope.publisher.interfaces import NotFound from zope.app import zapi from zope.app.container.traversal import ContainerTraverser class MessageBoardTraverser(ContainerTraverser): __used_for__ = IMessageBoard def publishTraverse(self, request, name): if name == 'edit.html': subob = self._guessTraverse(request, name) if subob is not None: view = zapi.queryView(subob, name, request) if view is not None: return view raise NotFound(self.context, name, request) view = zapi.queryView(self.context, name, request) if view is not None: return view raise NotFound(self.context, name, request) def _guessTraverse(self, request, name): msgs = IMessageBoard(self.context).items() passwd = request['field.passwd'] for name, msg in msgs: if passwd == msg.passwd: return msg return None --- pages class=.modulename.Classname page name=password.html template=password.pt / page name=whatever attribute=post / class Classname(object): def post(self): nexturl = './edit.html' self.request.response.redirect(nexturl) At this post method, do I redirect to a URL like ./edit.html?field.passwd=KDJFKJA ? It is not cool. Are there any ways? Furthermore, returning object in publishTraverse() did not work. I had to create a view like zapi.queryView(subob, name, request). Why? Am I missing something? Furthermore, can I prohibit users to access directly as http://localhost:8080/messageboardobject/messageobject/edit.html? It looks I have to keep open this URL so that Traverser can open this. But, if this is possible, nothing was changed from before. ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
Hi. On Fri, 21 Oct 2005 05:06:32 -0700 Naotoshi Seo [EMAIL PROTECTED] wrote: At this post method, do I redirect to a URL like ./edit.html?field.passwd=KDJFKJA ? It is not cool. Are there any ways? Why you don't post to edit.html from password.html? Furthermore, returning object in publishTraverse() did not work. I had to create a view like zapi.queryView(subob, name, request). Why? Am I missing something? zapi.queryView has been deprecated. You should use queryMultiAdapter. queryMultiAdapter((self.context, request), name=name) Furthermore, can I prohibit users to access directly as http://localhost:8080/messageboardobject/messageobject/edit.html? It looks I have to keep open this URL so that Traverser can open this. But, if this is possible, nothing was changed from before. if MessageBoardTraverser works well, you can protect edit.html from invalid access. Best Regards, -- Tahara Yusei [EMAIL PROTECTED] ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] Re: Interface tests: NotImplemented or NotImplementedError
Fred Drake wrote: On 10/20/05, Chris Withers [EMAIL PROTECTED] wrote: What an unfortunate name, I'd have called it Uncomparable on some such... While the current name is unfortunate, and Uncomparable would make the two easier to distinguish, Uncomparable would also be wrong. (If a comparison cannot be performed between two objects, that should be an exception.) This value is only used to indicate that the comparison is not implemented by the specific method chosen; the other operand may well implement the comparison. This is done to allow third-party numeric types to be implement comparison with the built-in types in meaningful ways, instead of the outcome of the comparison being dependent on the order of the operands. Sorry, I meant some-other-less-confusing-name, not that the one I suggested was the right one ;-) At the very least NotImplementedComparision or NotImplementedOperandForType would be more explicit... cheers, Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] Re: Compound Form Elements
On Oct 21, 2005, at 12:16 PM, James Allwyn wrote: Following Christian's tweaks to the browser.py file (creating a CustomSequenceWidget), I've got this working well in isolation - I can add a ContactData object on its own no problem. However, I've hit a brick wall about how to use the ContactData item as a form element within another schema (say, IPerson). I've tried to access it with variations upon: [...] contact_data = Tuple( title = u'Contact Details', value_type = Object( schema=IContactDatum, title=u'Contact Datum')) To me, this or List() are the only ones that make any sense... Here's why: One of the things you're doing with this interface is implicitly telling z3 how you want this field to be displayed (because, by default, it makes that decision based on the field type. With a List(), etc., you get the sub-schema displayed and then the option to add * or removed checked -- an auto-generated multi-widget. It it's not a standard field type, z3's not going to know what do do with it, and I think you'd have to use the widget sub-config in your zcml to tell it explicitly what widget to use when building add/edit forms. and invoking the browser class for the add view in the configure.zcml for the User: class=.contactdata.browser.ContactDataAddView In effect, this method doesn't use ContactData at all, it replicates its functionality out of a Tuple of ContactDatum objects in the IPerson itself. But what I want to do is be able to put a ContactData element into IPerson and have it 'just work', in the same way I can for, say, TextLine, or Bool. Hmm, we'll need some more details here... what do you mean by just work? In what context? Add/edit? Final rendering? If the later, I believe you will need to add your view class that processes the list so that ZPT can handle it with repeat (at least, that's what I would do...). d ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
Hi. At this post method, do I redirect to a URL like ./edit.html?field.passwd=KDJFKJA ? It is not cool. Are there any ways? Why you don't post to edit.html from password.html? Yes, it worked. It seems I was being confused. zapi.queryView has been deprecated. You should use queryMultiAdapter. queryMultiAdapter((self.context, request), name=name) Okay, but, why returning a message object (subob) does not work? I just want to know. It is weird. if MessageBoardTraverser works well, you can protect edit.html from invalid access. It seems I was misunderstanding again. Yes, it prohibited the direct access http://localhost:8080/messageboardobject/messageobject/edit.html, rather, it prohibits all access under /messageobject/. I have other views like http://.../messageboardobject/messageobject/show.html. So, I added codes to publishTraverse() by imitating parent's ContainerTraverse like def publishTraverse(self, request, name): if name == 'edit.html': subob = self._guessTraverse(request, name) if subob is not None: view = zapi.queryMultiAdapter((subob, request), name=name) if view is not None: return view raise NotFound(subob, name, request) else: subob = self.context.get(name, None) if subob is None: view = zapi.queryMultiAdapter((self.context, request), name=name) if view is not None: return view raise NotFound(self.context, name, request) return subob After 'else:' this is traversing everything if there is accesses like 'messageboardobject/messageobject/show.html' except 'messageboardobject/edit.html'. Is this the most efficient way? And, why returning subob works here, and it did not work before (inside of 'if name == 'edit.html':'). How should I understand what returning subob does. This is optional question. If you know this, please let me know. Thanks. ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
Sorry, this code did not make sense. This code trys to traverse 'messageboardobject/messageobject/edit.html' also. I could access directly. I tried to reject only this by replacing else: to elif string.find(name, 'editmine.html') == -1: But, name value receives only 'messageobject' in this case, right? How can I reject only 'messageboardobject/messageobject/edit.html' It looks there are smarter ways. def publishTraverse(self, request, name): if name == 'edit.html': subob = self._guessTraverse(request, name) if subob is not None: view = zapi.queryMultiAdapter((subob, request), name=name) if view is not None: return view raise NotFound(subob, name, request) else: subob = self.context.get(name, None) if subob is None: view = zapi.queryMultiAdapter((self.context, request), name=name) if view is not None: return view raise NotFound(self.context, name, request) return subob ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users
Re: [Zope3-Users] How to allow one user to access only his object
Hi. I made a traverser for Message objects also, and I prohibited access to editview.html at there. It worked. Thank you, TAHARA. from zope.publisher.interfaces import NotFound from zope.app import zapi from zope.app.container.traversal import ContainerTraverser from zope.publisher.interfaces import IPublishTraverse class MessageBoardTraverser(ContainerTraverser): __used_for__ = IMessageBoard def publishTraverse(self, request, name): if name == 'edit.html': subob = self._guessTraverse(request, name) if subob is not None: view = zapi.queryMultiAdapter((subob, request), name=name) if view is not None: return view raise NotFound(subob, name, request) return super(ConferenceTraverser, self).publishTraverse(request, name) def _guessTraverse(self, request, name): msgs = IMessageBoard(self.context).items() passwd = request['field.passwd'] for name, msg in msgs: if passwd == msg.passwd: return msg return None class MessageTraverser(object): implements(IPublishTraverse) __used__for__ = IMessage def __init__(self, context, request): self.context = context self.request = request def publishTraverse(self, request, name): if name == 'edit.html': raise NotFound(self.context, name, request) view = zapi.queryMultiAdapter((self.context, request), name=name) if view is not None: return view raise NotFound(self.context, name, request) ___ Zope3-users mailing list Zope3-users@zope.org http://mail.zope.org/mailman/listinfo/zope3-users