[Zope3-dev] Re: Finding context in a vocabulary

Philipp von Weitershausen philipp at weitershausen.de
Mon Oct 4 11:14:49 EDT 2004


Peter Mayne wrote:
> Stephan Richter wrote:
> 
>> You can go up the tree using zapi.getParent(obj). You have to inspect 
>> your context manually and specifically for your use case to collect 
>> the data. Look at the ManagableVocabulary code in the bug tracker for 
>> another advanced example.
> 
> 
> My vocabulary works fine. Thanks.
> 
> Along the way, after I chose a target for my reference, and selected 
> "Add", I was getting
> 
>   File "/tmp/ZopeX3-3.0.0c1/build/lib.linux-i686-2.3/ZODB/serialize.py", line 296, in _dump
> UnpickleableError: Cannot pickle <type 'zope.security._proxy._Proxy'> objects
> 
> Looking at bugtracker's ManageVocabulary, I added
> 
>     context = removeSecurityProxy(context)
> 
> at the beginning of my __init__(), and things worked as I expected.
> 
> I'm not sure I understand what's going on here, and the handbook doesn't 
> go into removeSecurityProxy in any depth. Without the example of 
> ManageVocabulary, I would have been lost at this point.

In Zope, objects are security proxied towards components that are 
user-invoked. When a user invokes a view which gets an annotation 
adapter for an object, the object will be security proxied. Normally, 
this behaviour is wanted because it makes security more fine-grained. 
However, in the case of adapters that work on annotations (e.g. 
ZopeDublinCore), we usually use *trusted* adapters, which means that 
their context will NOT be proxied. In order to still enforce security, 
you have to provide security declarations for the adapter class itself, 
which normally isn't necessary. The Bugtracker code hasn't been updated 
yet, but it should be. Take a look at the ZopeDublinCore configuration 
(<adapter ... trusted="yes" /> and its security declarations) and you'll 
see how to do it.

Philipp
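
The trusted-adapter registration described in the reply above, sketched as an added example; it is not part of the original message and is not the ZopeDublinCore or Bugtracker configuration. The package myapp, its interfaces and ReferencesAdapter are hypothetical names, the use of the <class> directive is an assumption about the release in use, and the permission split (zope.View for reads, zope.ManageContent for writes) is an assumption.

```xml
<configure xmlns="http://namespaces.zope.org/zope">

  <!-- Hypothetical names: myapp.interfaces.IReferenceable (marker for the
       adapted objects), myapp.interfaces.IReferences (what the adapter
       provides), myapp.references.ReferencesAdapter (the adapter class). -->

  <!-- trusted="yes": the factory receives the unproxied context, so the
       adapter can store data reachable from persistent objects without
       calling removeSecurityProxy(context) in its __init__ and without
       a _Proxy object ending up in a pickle. -->
  <adapter
      for="myapp.interfaces.IReferenceable"
      provides="myapp.interfaces.IReferences"
      factory="myapp.references.ReferencesAdapter"
      trusted="yes"
      />

  <!-- The context is no longer checked on each attribute access, so the
       checks move to the adapter class itself. Anything not listed in a
       <require> stays inaccessible through the security proxy. -->
  <class class="myapp.references.ReferencesAdapter">

    <!-- Reading the attributes and methods declared in IReferences. -->
    <require
        permission="zope.View"
        interface="myapp.interfaces.IReferences"
        />

    <!-- Assigning to the schema fields declared in IReferences. -->
    <require
        permission="zope.ManageContent"
        set_schema="myapp.interfaces.IReferences"
        />

  </class>

</configure>
```

Compared with calling removeSecurityProxy() inside the component, this keeps the unproxied access confined to one registered class whose read and write permissions are visible in configuration.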


