[Product-Developers] plone.app.tiles : About permissions when traversing

Franco Pellegrini frapell at gmail.com
Thu Jan 19 22:17:21 UTC 2012


Hi all, we are currently using plone.app.tiles for a project, and we came
across an issue. For one of our tiles, we are using a
z3c.relationfield.schema.RelationChoice field, which renders a nice
pop-up with elements to add as related.

The thing is, when you have a folder and want to expand it to choose an
element from inside, you'll get an "Insufficient privileges" error, if you
have some unpublished content.

Digging into the problem, I found that when you click on that folder, the widget
tries to fetch the content using a URL like:

HOST/Plone/myfolder/..../@@edit-tile/mi.tile/...../++widget++widget_name/@@contenttree-fetch

Then I put a pdb breakpoint in
plone.app.tiles.browser.edit.DefaultEditForm.getContent and found that
it doesn't matter whether you're logged in or not: you'll be anonymous at that
point.
So the issue arises when calling

tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))

After inspecting the backtrace, I found an interesting bit of code in
plone.z3cform.traversal:

# Since we cannot check security during traversal,
# we delegate the check to the widget view.
alsoProvides(self.request, IDeferSecurityCheck)
form.update()

So what I did to solve the issue was to create a custom edit form for my
tile and override the "getContent" method, replacing that line up there
with:

# IDeferSecurityCheck comes from plone.z3cform.interfaces
if IDeferSecurityCheck.providedBy(self.request):
    tile = self.context.unrestrictedTraverse('@@%s/%s' % (typeName, tileId,))
else:
    tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))

What do you think about this? Is this a proper solution? Do you think it
would be OK to add that change as part of p.a.t?

Kind regards,
Franco
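An added illustration (not code from this thread or from plone.app.tiles) of why the override works and what it relies on: a request marked as deferring security is traversed unrestricted, so the view that finally serves the widget has to perform the permission check itself. The classes Unauthorized, FakeRequest and FakeContainer are constructed stand-ins for AccessControl.Unauthorized, an IDeferSecurityCheck-marked request and an OFS container, so the example runs without Zope.

```python
# Constructed model of the traversal-time problem described in the post:
# during Zope traversal the user is not yet authenticated, so a
# restrictedTraverse over unpublished content fails even for a logged-in
# editor. The stand-in classes below are not Zope/Plone APIs.

ANONYMOUS = "Anonymous User"


class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""


class FakeRequest:
    def __init__(self, defer_security_check=False):
        # At traversal time the security manager still reports anonymous,
        # which is what the pdb session in the post showed.
        self.user = ANONYMOUS
        self.defer_security_check = defer_security_check  # IDeferSecurityCheck


class FakeContainer:
    """Holds tiles keyed by '@@type/id'; each tile lists who may view/edit."""

    def __init__(self, tiles):
        self.tiles = tiles

    def unrestrictedTraverse(self, path):
        return self.tiles[path]

    def restrictedTraverse(self, path, user):
        tile = self.tiles[path]
        if user not in tile["view"]:  # unpublished: anonymous lacks View
            raise Unauthorized(path)
        return tile


def get_tile(context, request, type_name, tile_id):
    """The proposed getContent override: skip the traversal-time check only
    when the request has been marked as deferring security."""
    path = "@@%s/%s" % (type_name, tile_id)
    if request.defer_security_check:
        return context.unrestrictedTraverse(path)
    return context.restrictedTraverse(path, request.user)


def fetch_for_widget(context, request, type_name, tile_id, authenticated_user):
    """The view side of the deferral: after authentication has run, the widget
    view must do the check traversal skipped, otherwise unrestricted traversal
    would hand the tile's edit context to anyone."""
    tile = get_tile(context, request, type_name, tile_id)
    if authenticated_user not in tile["edit"]:
        raise Unauthorized("%s may not edit %s" % (authenticated_user, tile_id))
    return tile
```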