HI, list:

I am new to z3c.form. In my first AddForm, I encountered the following problem:

When the form is submitted which contains some input error, like
missing required fields, the rendering of the error message causes an
system error. The traceback:

line 68, in __call__
line 164, in traversePathElement
    return traversable.traverse(nm, further_path)
   - __traceback_info__: (<ErrorViewSnippet for RequiredMissing>, 'widget')
line 52, in traverse
    raise TraversalError(subject, name)
   - __traceback_info__: (<ErrorViewSnippet for RequiredMissing>, 'widget', [])
TraversalError: (<ErrorViewSnippet for RequiredMissing>, 'widget')

After a little debugging, I was able to find that the chain leading to
the error is as follows:

1. div-form.pt in the z3c.formui package contains the following error

  <li tal:repeat="error view/widgets/errors">
    <tal:block condition="error/widget">
      <span tal:replace="error/widget/label" />:
    <span tal:replace="structure error/render">Error Type</span>

error/widget is accessed here, with error being an ErrorViewSnippet object.

2. The ErrorViewSnipped is created in field.py using:

  view = zope.component.getMultiAdapter(
      (error, self.request, widget, widget.field,
       self.form, self.content), interfaces.IErrorViewSnippet)

As in my application, self.content is a custom ISite folder, which is
security proxied, the getMultiAdapter method returns a security
proxied ErrorViewSnippet object.

3. Access to ErrorViewSnippet is defined in z3c.form/configure.zcml as:


The IErrorViewSnippet interface contains only 3 attributes: error,
update, render. Those are accessible to everyone. But there is no
security declaration for the 'widget' attribute, so access to it is

(Pdb) snippet
<ErrorViewSnippet for RequiredMissing>
(Pdb) type(snippet)
<type 'zope.security._proxy._Proxy'>
(Pdb) from zope.security.proxy import getChecker
(Pdb) getChecker(snippet).get_permissions
{'update': Global(CheckerPublic,zope.security.checker), 'render':
Global(CheckerPublic,zope.security.checker), 'error':
(Pdb) from zope.security import canAccess
(Pdb) canAccess(snippet, 'widget')
*** ForbiddenAttribute: ('widget', <ErrorViewSnippet for RequiredMissing>)

So it seems the default z3c.form security declaration only allows
access to 'update', 'error' and 'render' attributes of an
ErrorViewSnippet object. I tried to work this around the by adding the
'widget' attribute to the IErrorViewSnippet interface and the system
error is no longer raised. However, this time, another exception is
raised saying the 'label' property of the widget is not accessible.

How can I setup my security properly to use z3c.form smoothly?
Shouldn't 'widget'  not be in IErrorViewSnippet since it is evidently
externally used in the rendering template?

Thanks for suggestions.

Hong Yuan

Zope3-users mailing list

Reply via email to