[Zope3-Users] question: can I make a view trusted?

Shaun Cutts shaun at cuttshome.net
Thu Feb 16 22:47:39 EST 2006


I'd be grateful for an answer to the following:

I have a container class that displays rows from a database. I have a
default view for those containers that I want to have display a table of
rows with column headers being the titles of the fields in the interface
supported by the contained objects support. My container has a class
variable "containedInterface" which can be specialized to subclasses to
specify the interface to the rows of the contained object.

In the view, I have the following code to get the column names:

    def getColumnNames( self ):
        def getNameForField( pair ):
            fname, fld = pair
            if IField.providedBy( fld ):
                return fld.title
            else:
                return unicode( fname )
        return map(
            getNameForField,
            self.context.containedInterface.namesAndDescriptions( all =
True ) )

The problem is that "fld.title" access gives me a ForbiddenAttribute
error when I access the schema.Date object (as it happens).

It would seem nonsensical to declare permissions on IDate in order to do
this. I guess I could add an accessor to either the container or the
contained object that did the dirty work, and then passed the result to
the view, and declare that accessible(?).

But from a design point of view, neither the container nor the contained
object should be concerned with how they are displayed. That's the whole
point of views, right? So I think its better not to clutter up their
definitions with extra accessors. (? Again)

Thus as far as I can tell, given some dubious assumptions perhaps, the
only way to do this is if I somehow made the view trusted (or at least
this function), so it wouldn't have to worry about the security
restrictions. Is this possible? Is it a good idea?

Thanks very much,
- Shaun Cutts

PS... perhaps I could declare the "containedInterface" itself to be
content? I'm going to try fiddling around with that, but I'm sending
this message anyway, because even if that works, it seems too strange to
be the right solution, and surely this is a common problem.




More information about the Zope3-users mailing list