Hi Martin!

Martin Aspeli wrote:
> [...]
> In CMFDefault, we have some base classes (tied to formlib) and we do 
> manual security with a ClassSecurityInfo and InitializeClass(). This 
> feels like a step backwards to me, at least in Plone, where we encourage 
> people to use browser views with declarative (ZCML) security. It's 
> difficult to explain that add forms are "special" so that they need to 
> have manual security, explicit docstrings (for better or for worse), and 
> be registered as an <adapter />, not a <browser:page />.
> Did we envisage a solution to this?


> How about a new <cmf:addview /> 
> directive that mimics <browser:page />, but registers the 
> (context,request,fti) adapter? I could probably put that together if 
> people think it's a good idea.

CMF add views are different because they are looked up by a special 
traverser, using the additional type info object. You have to be aware 
of that. No matter if you use <adapter /> or <cmf:addview />.

It is not obvious why you have to use explicit Zope 2 style security for 
add views and declarative Zope 3 style security for other views. But I'd 
rather like to see the 'permission' attribute of <adapter /> implemented 
for Zope 2 instead of a new <cmf:addview /> directive.



Zope-CMF maillist  -  Zope-CMF@lists.zope.org

See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests

Reply via email to