>> In CMFDefault, we have some base classes (tied to formlib) and we do
>> manual security with a ClassSecurityInfo and InitializeClass(). This
>> feels like a step backwards to me, at least in Plone, where we encourage
>> people to use browser views with declarative (ZCML) security. It's
>> difficult to explain that add forms are "special" so that they need to
>> have manual security, explicit docstrings (for better or for worse), and
>> be registered as an <adapter />, not a <browser:page />.
>> Did we envisage a solution to this?
>> How about a new <cmf:addview />
>> directive that mimics <browser:page />, but registers the
>> (context,request,fti) adapter? I could probably put that together if
>> people think it's a good idea.
> CMF add views are different because they are looked up by a special
> traverser, using the additional type info object. You have to be aware
> of that. No matter if you use <adapter /> or <cmf:addview />.
> It is not obvious why you have to use explicit Zope 2 style security for
> add views and declarative Zope 3 style security for other views. But I'd
> rather like to see the 'permission' attribute of <adapter /> implemented
> for Zope 2 instead of a new <cmf:addview /> directive.
Mmmm... I'm not sure most people would find it natural to think about
the add form as an adapter like this.
Also, Five's <browser:page /> does quite a lot of stuff that we now
can't have for CMF add views:
o It allows a template to be registered
o It allows an attribute other than __call__ to be used to render
o It sets up security on attributes, by interface or explicit list
o It sets up security on the view class itself
I don't think the adapter permission attribute would be sufficient in
any case. In Zope 3, it's tied to a type of low-level security proxy
that doesn't really exist in Zope 2. The ClassSecurityInfo stuff only
affects restricted python/traversal, whereas Zope 3 security proxies are
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book
Zope-CMF maillist - Zope-CMF@lists.zope.org
See https://bugs.launchpad.net/zope-cmf/ for bug reports and feature requests