[Zope3-checkins] SVN: Zope3/trunk/src/zope/app/dublincore/timeannotators.py Unwrap DCadapter in time annotators.

Garrett Smith garrett at mojave-corp.com
Fri Feb 25 21:10:54 EST 2005


Albertas Agejevas wrote:
> Zope3/trunk/src/zope/app/dublincore/timeannotators.py Unwrap DCadapter
> in time annotators.
> 
> 
> On Fri, Feb 25, 2005 at 04:58:24PM -0600, Garrett Smith wrote:
>> - The annotator should either explicitly check before setting a DC
>> attr, or handle the Unauthorized with a no-op (IMO the latter is
>> preferable). 
>> 
>> - You (IOW your app) should make sure any principal/role with the
>> zope.ManageContent permission also has zope.app.dublincore.change.
> 
> I disagree with you on both counts.  Imagine a forum where anonymous
> users post comments.  Your suggestions imply that either DC write
> access will be public, or modification times will not be updated.
> This is bogus.

"anonymous users post comments" -> they have permission to create
comments and modify some parent. You let them do this, but not modify DC
on the objects they create? Strange.

> A more plausible model would be if the event subscribers could be
> declared as "trusted" if they do system-level things, like updating
> the DC metadata or indexes.

You'd have to set up permission for the handler then. Why not just grant
the role permission to modify DC?

> removeSecurityProxy, in essence, does the same thing.  I know it's a
> hack, but I have failed to find a cleaner solution, and I'm waiting
> for Jim to tell me what to do :-)

It's an unacceptable hack, and totally unnecessary. People have gone to
a lot of effort to get rid of misused removeSecurityProxy.

A much better hack would be to register your own event handler, in your
app, to remove proxy and keep the core free of that.

 -- Garrett
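
Added example, not part of the original message and not Zope's own code: a simplified Python model of the two behaviours debated in this thread, treating Unauthorized as a no-op versus unwrapping the proxy before writing. Proxy, unwrap and the annotate_* functions are hypothetical stand-ins; only the permission names come from the thread.

```python
# Simplified model of a security proxy guarding Dublin Core writes.
# Stand-in classes only; this is not zope.security.

CHANGE_DC = "zope.app.dublincore.change"   # permission named in the thread


class Unauthorized(Exception):
    """Stand-in for the Unauthorized error discussed in the thread."""


class DublinCore:
    """Minimal metadata holder with one field."""
    modified = None


class Proxy:
    """Permits attribute writes only when the principal holds CHANGE_DC."""

    def __init__(self, obj, permissions):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_perms", frozenset(permissions))

    def __getattr__(self, name):
        # Reads are passed through to the wrapped object.
        return getattr(object.__getattribute__(self, "_obj"), name)

    def __setattr__(self, name, value):
        if CHANGE_DC not in object.__getattribute__(self, "_perms"):
            raise Unauthorized(name)
        setattr(object.__getattribute__(self, "_obj"), name, value)


def unwrap(proxy):
    """Stand-in for removeSecurityProxy: hands back the bare object."""
    return object.__getattribute__(proxy, "_obj")


def annotate_noop(dc, now):
    """Respect the proxy; skip the update if the principal lacks permission."""
    try:
        dc.modified = now
        return True
    except Unauthorized:
        return False


def annotate_unwrapped(dc, now):
    """Bypass the proxy, so the write succeeds for any principal."""
    unwrap(dc).modified = now
    return True
```

With a principal holding only zope.ManageContent, annotate_noop leaves the timestamp unset while annotate_unwrapped writes it regardless; granting zope.app.dublincore.change makes the proxied write succeed without unwrapping.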

