[Zope3-checkins] CVS: Zope3/src/zope/app/browser/container - adding.py:1.20

Jim Fulton jim at zope.com
Sun Sep 21 13:30:55 EDT 2003 

Update of /cvs-repository/Zope3/src/zope/app/browser/container
In directory cvs.zope.org:/tmp/cvs-serv12040/src/zope/app/browser/container

Modified Files:
	adding.py 
Log Message:
No longer use the (now gone) IZopeContainer adapter.

No longer use context wrappers or any form of context awareness.

Use an INameChooser adapter to pick names, when necessary.

Just use __setitem__ to set values.

Fixed a bug in using protected factories that prevented any local
users from being able to add things. Eek.

Refactored the protection of factories so that they aren't proxied
until accessed by untrusted code. This means that trusted code (like
addings) need to proxy factories to make sure that the user they are
acting on behalf of can actually use the factory.

Changed to use zope.app.publisher.browser.BrowserView, rather than
zope.publisher.browser.BrowserView so that the views are locations.


=== Zope3/src/zope/app/browser/container/adding.py 1.19 => 1.20 ===
--- Zope3/src/zope/app/browser/container/adding.py:1.19	Wed Sep  3 14:33:55 2003
+++ Zope3/src/zope/app/browser/container/adding.py	Sun Sep 21 13:30:24 2003
@@ -26,17 +26,22 @@
 
 from zope.app.interfaces.container import IAdding
 from zope.app.interfaces.container import IContainerNamesContainer
-from zope.app.interfaces.container import IZopeContainer
+from zope.app.interfaces.container import INameChooser
 
 from zope.app.event.objectevent import ObjectCreatedEvent
 from zope.app.pagetemplate.viewpagetemplatefile import ViewPageTemplateFile
 from zope.app.event import publish
-from zope.publisher.browser import BrowserView
+from zope.app.publisher.browser import BrowserView
 from zope.publisher.interfaces import IPublishTraverse
 
 from zope.app.i18n import ZopeMessageIDFactory as _
 from zope.interface import implements
 
+from zope.app.location import LocationProxy
+import zope.security.checker
+
+from zope.proxy import removeAllProxies
+
 class BasicAdding(BrowserView):
 
     implements(IAdding, IPublishTraverse)
@@ -45,8 +50,20 @@
 
     def add(self, content):
         """See zope.app.interfaces.container.IAdding"""
-        container = zapi.getAdapter(self.context, IZopeContainer)
-        name = container.setObject(self.contentName, content)
+
+        container = self.context
+        name = self.contentName
+        
+        chooser = zapi.getAdapter(container, INameChooser)
+        if IContainerNamesContainer.isImplementedBy(container):
+            # The container pick's it's own names.
+            # We need to ask it to pick one.
+            name = chooser.chooseName(self.contentName or '', content)
+        else:
+            chooser.checkName(name, container)
+
+        container[name] = content
+
         return container[name]
 
     contentName = None # usually set by Adding traverser
@@ -81,14 +98,10 @@
 
         factory = zapi.queryFactory(self.context, name)
         if factory is None:
-            return zapi.ContextSuper(BasicAdding, self).publishTraverse(
-                request, name)
+            return super(BasicAdding, self).publishTraverse(request, name)
 
         return factory
 
-    # See zope.app.interfaces.container.IAdding
-    publishTraverse = zapi.ContextMethod(publishTraverse)
-
     def action(self, type_name='', id=''):
         if not type_name:
             raise UserError(_(u"You must select the type of object to add."))
@@ -113,15 +126,22 @@
                 raise UserError(_(u"You must specify an id"))
             self.contentName = id
 
-        content = zapi.createObject(self, type_name)
+        factory = zapi.getFactory(self, type_name)
+        factory = LocationProxy(factory, self, type_name)
+        factory = zope.security.checker.ProxyFactory(factory)
+        content = factory()
+
+        # Can't store security proxies.
+        # Note that it is important to do this here, rather than
+        # in add, otherwise, someone might be able to trick add
+        # into unproxying an existing object,
+        content = removeAllProxies(content)
+
         publish(self.context, ObjectCreatedEvent(content))
 
         self.add(content)
         self.request.response.redirect(self.nextURL())
 
-    action = zapi.ContextMethod(action)
-
-
     def namesAccepted(self):
         return not IContainerNamesContainer.isImplementedBy(self.context)
 
@@ -142,4 +162,3 @@
                                       wrapped_self.request)
         result.sort(lambda a, b: cmp(a['title'], b['title']))
         return result
-    addingInfo = zapi.ContextMethod(addingInfo)

More information about the Zope3-Checkins mailing list