Martin Aspeli wrote:
> In CMFDefault, we have some base classes (tied to formlib) and we do
> manual security with a ClassSecurityInfo and InitializeClass(). This
> feels like a step backwards to me, at least in Plone, where we encourage
> people to use browser views with declarative (ZCML) security. It's
> difficult to explain that add forms are "special" so that they need to
> have manual security, explicit docstrings (for better or for worse), and
> be registered as an <adapter />, not a <browser:page />.
> Did we envisage a solution to this?
> How about a new <cmf:addview />
> directive that mimics <browser:page />, but registers the
> (context,request,fti) adapter? I could probably put that together if
> people think it's a good idea.
CMF add views are different because they are looked up by a special
traverser, using the additional type info object. You have to be aware
of that. No matter if you use <adapter /> or <cmf:addview />.
It is not obvious why you have to use explicit Zope 2 style security for
add views and declarative Zope 3 style security for other views. But I'd
rather like to see the 'permission' attribute of <adapter /> implemented
for Zope 2 instead of a new <cmf:addview /> directive.
Zope-CMF maillist - Zope-CMF@lists.zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests