[Zope-dev] RFC: ZTK custom publications, zope.app.publication, and zope.traversing

Jim Fulton jim at zope.com
Mon Jun 22 09:01:16 EDT 2009


On Jun 22, 2009, at 4:08 AM, Brian Sutherland wrote:

> On Sun, Jun 21, 2009 at 11:55:50AM -0400, Jim Fulton wrote:
>> - It aggressively proxies objects using
>> zope.security.checker.ProxyFactory.  Some people don't want
>>   to use proxies and those that do might want to use a different
>> proxy or checker implementation.
>
> Grok's publication sub-class is similar to mine:
>
>    http://svn.zope.org/grok/trunk/src/grok/publication.py?view=markup
>
> We I think we both want security proxies around views, but not during
> traversal. I've also heard of people who want proxies around the  
> context
> and view, but not during traversal.

Yup.  I've wanted something like that too.

> It's pretty difficult to do the above securely, or at least I was able
> to open massive security holes while prototyping my publication  
> object;)
> Witness grok's "if IBrowserView.providedBy" dance in the URL above.

It's actually pretty easy. All you have to do is make the traversal  
adapters public. There aren't very many of them.

>> Maybe in phase 3:
>>
>> - Create zope.publication from zope.app.publcatiobn
>> - use webtest rather than zope.app.testing.
>
> What's webtest?

http://pythonpaste.org/webtest/

It's sort of like zope.app.testing.functional or zope.testbrowser but  
for WSGI apps.  It *just* handles the publishing aspects of testing.   
Tests can then manage their own application setup.  I think this will  
make many tests simpler and cleaner as they can set up just enough of  
an application as they need for their tests.

Jim

--
Jim Fulton
Zope Corporation




More information about the Zope-Dev mailing list