Jim Fulton wrote:
Dominik Huber wrote:
A few months ago the following code block was removed in
editview.py, editwizard.py and schemadisplay.py (revision 29418):
adapted = self.schema(self.context)
if adapted is not self.context:
if not ILocation.providedBy(adapted):
adapted = LocationProxy(adapted)
adapted.__parent__ = self.context
self.adapted = adapted
setUpEditWidgets(self, self.schema, source=self.adapted,
As a consequence each trusted adapter class should now implement
One could, as an alternative, use an non-trusted adapter
that is public and rely on the underlying object protection.
We can only use trusted adapters for our use case.
that the TrustedAdapterFactory can set the location of adapter
instances correctly. Otherwise, only the global authentication is
involved and the edit view fails if any local principal tries to
edit a certain field (security.canWrite(source, name) in
zope.app.form.utility line 207).
I would like to revert those changes. IMO a framework like the form
framework knows the context (location) and adapts that context to a
certain schema. If the following procedures depends on location
information, the framework itself should pass such informations in a
smart way. It's an unnecessary
<se?lp=ende&p=/Mn4k.&search=expense> to force all schema adapters
to implement ILocation:
- The solution using the location proxy seems fairly famillar
compared with the container framework and containment that does not
Except that the object being location proxied is already security
proxied. Location proxies were not designed to proxy
I cannot assess this location-proxied securtiy proxy issue. Therefor I
have a question about the order of containment proxies:
1. contained proxy > security proxy > component
2. security proxy > contained proxy > component
So far I thought a component is created and proxied by their factory,
afterwards it is contained proxied by the container if it does not
provide ILocation. Therefor my statemets bases of 1.
So for me it is not very obvious what the difference should be between
location proxied containement and location proxied trusted adapters:
location proxy > security proxy > trusted adapter
The form framework does not work using trusted adapters which do not
provide ILocation in combination with the local authentication
information. This raises an Unauthorized exception if a local
principal with enough privileges tries to access the edit view.
(Reason: Because the unlocatable adapter invoke the global
We have three oportunities:
a) status quo
b) location proxy or simalar derivates
c) extend security.canWrite(obj, name, context=None)
Roger removed the location proxy code because at that time the
security information get lost using location proxies (Reason multiple
security proxies: security proxy > location proxy > security proxy >
trusted adapter). Afterward Garret fixed the proxy method of the
Checker class. Since that time proxied object will be only proxied if
their were not already proxied before (location proxy > security
proxy > trusted adapter)
- An adapter that implements more than one interface cannot be
registered with the implicit adapts and implements informations.
- A regular schema does not extend ILocation therefore it is not
obvious to write an adapter implementing ILocation.
If you answers the last two reasons with True then follows IMO a) is
So we have to choose an other implementation alternative
b), c) or d) would be ok for me.
Why not simply use an untrusted public adapter?
We have within the site 's' an extendable containerish component 'f'
(Class Fasade) that should fasade its containment . Inside 'f' we can
put any component for example component 'any' (Class Any) providing
'IAny'.The IWriteContainer declaration of 's' requires the permission
'zope.ManageContent'. The IWriteContainer declaration of 'any'
requires a dedicated permission for example 'zope.ManageInside'.
Now we should provide an edit-view for 'f' that invokes the contained
component 'any'. The edit-view should be accessable for local
principal of s which have the 'zope.ManageContent' permission.
Our design goal tries to satify the following two targets:
- demeter's law (No direct access to 'any').
- different permission between inside and outside 'f'
So we decided to access 'any' on the location of 'f' using an
IMO this adapter must be trusted to hide inside permission of 'any'.