Jim Fulton wrote:
Albertas Agejevas wrote:
Unpleasant things happen when views are security wrapped. Widgets
refuse to work, because they are registered as views, and get a custom
secuity checker (in zope.app.component.metaconfigure.view). The
default view custom checker only protects '__call__', leaves all other
attributes forbidden. This makes rendering a label or errors of a widget
fail. Defining security permissions for the widget class does not
help as the custom checker overrides them.
The TextWidget is registered in zope/app/form/browser/configure.zcml
Gary Poster helped me find 3 ways to overcome the security wrapped
1. ZCML only fix: add allowed_interface="...ITextBrowserWidget" to the
text widget ZCML registration, and the relevant interfaces to all
other widgets (maybe just IInputWidget is enough).
2. Make the view custom permission checker merge permissions registered
for the view class with the permissions allowed by the view
3. Make the provided interface the default allowed interface.
Fall back on allowing just __call__ for the views that only
I feel that the last option is best.
I'm surprised it doesnt' do that already.
Why not just use:
That's what I would do.
I might even hack the TextWidget so I could just do:
I'd be happy to deprecate the view directive.
http://worldcookery.com -- Professional Zope documentation and training
2nd edition of Web Component Development with Zope 3 is now shipping!
Zope3-dev mailing list