[Grok-dev] Re: Using z3c.jsonrpc with grok and ForbiddenAttribute
Philipp von Weitershausen
philipp at weitershausen.de
Sat May 31 04:01:36 EDT 2008
Calvin Hendryx-Parker wrote:
> I'd like to be able to use z3c.jsonrpc with Grok so I can provide
> JSON-RPC specific methods to some of my models. I finally got it
> installed and I have added the needed ZCML to wire it up to my model,
> but now I'm running into security issues.
> Here is my example, I have a Note class that is a grok.Model and I have
> put a marker interface on it so I can associate my jsonrpc with it like
> Now from my GUI app, I'm using MochiKit's JsonRpcProxy to access this
> "edit" method on my model. When I make the request I get this:
> ** zope.security.interfaces.ForbiddenAttribute: ('get',
> <factoryapp.factory.FactoryApp object at 0x2d138f0>)
> The error seems to happen as it starts to traverse my application and it
> doesn't even get to my Note instance which is a few levels down the path.
> What ZCML voodoo am I missing to allow me to use z3c.jsonrpc with my app?
z3c.jsonrpc installs its own publication which means all jsonrpc
requests will use this publication instead of Grok's. The problem with
that is that Grok's publication never uses security proxies (and
therefore you will never get ForbiddenAttribute errors in Grok).
Unfortunately, being based on Zope's regular publication, jsonrpc *does*
wrap all objects in security proxies. That's why even the simplest
traversal steps fail.
If you look at grok.publication, you will see that Grok actually has to
redefine Zope's publications for Browser, XMLRPC and regular HTTP views.
I suspect in order to make z3c.jsonrpc work with Grok, you'll have to do
the same: create a new publication class by mixing
ZopePublicationSansProxy and JSONRPCPublication. Then hook it up using a
<publisher /> directive (copy the one from z3c.jsonrpc/configure.zcml)
but make sure you give it a higher priority.
More information about the Grok-dev