[Product-Developers] plone.app.tiles : About permissions when traversing

Franco Pellegrini frapell at gmail.com
Thu Jan 19 22:17:21 UTC 2012

Hi all, we are currently using plone.app.tiles for a project, and we came
across an issue.
For one of our tiles, we are using
a z3c.relationfield.schema.RelationChoice field, which renders a nice
pop-up with elements to add as related.

The thing is, when you have a folder and want to expand it to choose an
element from inside, you'll get an "Insufficient privileges" error, if you
have some unpublished content.

Digging into the problem, I found that when you click on that folder, the widget
tries to fetch the content using a URL like:


Then, I put a pdb
in plone.app.tiles.browser.edit.DefaultEditForm.getContent and found that
it doesn't matter if you're logged in or not, you'll be anonymous at that
So, the issue arises when calling

tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))

After inspecting the backtrace, I found an interesting bit of code in

    # Since we cannot check security during traversal,
    # we delegate the check to the widget view.
    alsoProvides(self.request, IDeferSecurityCheck)
    form.update()

So, what I did to solve the issue was to create a custom edit form for my
tile and override the "getContent" method, replacing that line up there with:

    if IDeferSecurityCheck.providedBy(self.request):
        tile = self.context.unrestrictedTraverse('@@%s/%s' % (typeName, tileId,))
    else:
        tile = self.context.restrictedTraverse('@@%s/%s' % (typeName, tileId,))

What do you think about this? Is this a proper solution? Do you think it
would be OK to add that change as part of p.a.t?

Kind regards,
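The security point behind the proposal above is that switching to unrestrictedTraverse only moves the permission check; it does not remove the need for one. The following is an added example, not code from the mail, from plone.app.tiles or from Zope: a small constructed model of traversal in which a flag on the request (standing in for IDeferSecurityCheck) skips the check during traversal, and the widget view either performs the deferred check or forgets to. All names (Content, Request, allowed, restricted_traverse, unrestricted_traverse, get_content, widget_view_unsafe, widget_view_safe, build_site) and the "published content is visible to everyone, unpublished only to authenticated users" policy are assumptions made for the example; the site tree is constructed inline.

```python
# Added example: a self-contained model of deferring a traversal-time
# security check to the view. Not Zope/Plone code; all names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Unauthorized(Exception):
    """Stands in for Zope's Unauthorized ("Insufficient privileges")."""


@dataclass
class Content:
    id: str
    published: bool
    children: Dict[str, "Content"] = field(default_factory=dict)


@dataclass
class Request:
    user: Optional[str]                  # None models an anonymous request
    defer_security_check: bool = False   # stands in for IDeferSecurityCheck


def allowed(obj: Content, user: Optional[str]) -> bool:
    # Constructed policy: published content is public, unpublished content
    # is only visible to an authenticated user.
    return obj.published or user is not None


def restricted_traverse(root: Content, path: str, request: Request) -> Content:
    # Checks every hop, like restrictedTraverse: fails on the first item the
    # current user may not see.
    obj = root
    for seg in path.split("/"):
        obj = obj.children[seg]
        if not allowed(obj, request.user):
            raise Unauthorized(seg)
    return obj


def unrestricted_traverse(root: Content, path: str) -> Content:
    # No checks at all, like unrestrictedTraverse.
    obj = root
    for seg in path.split("/"):
        obj = obj.children[seg]
    return obj


def get_content(root: Content, path: str, request: Request) -> Content:
    # Mirrors the mail's proposal: when the request is marked as deferred,
    # traverse without checking; otherwise check as usual.
    if request.defer_security_check:
        return unrestricted_traverse(root, path)
    return restricted_traverse(root, path, request)


def widget_view_unsafe(root: Content, path: str, request: Request) -> List[str]:
    # The deferred check is never performed: an anonymous, deferred request
    # gets the unpublished children listed.
    return [c.id for c in get_content(root, path, request).children.values()]


def widget_view_safe(root: Content, path: str, request: Request) -> List[str]:
    # The check that deferral hands to the view: re-check the traversed
    # target against the real user, then filter the listing the same way.
    folder = get_content(root, path, request)
    if not allowed(folder, request.user):
        raise Unauthorized(path)
    return [c.id for c in folder.children.values() if allowed(c, request.user)]


def raises_unauthorized(root: Content, path: str, request: Request) -> bool:
    try:
        restricted_traverse(root, path, request)
    except Unauthorized:
        return True
    return False


def build_site() -> Content:
    # Constructed sample tree: a published folder holding one published
    # item and one unpublished draft.
    root = Content("root", True)
    folder = Content("folder", True)
    folder.children["public"] = Content("public", True)
    folder.children["draft"] = Content("draft", False)
    root.children["folder"] = folder
    return root


if __name__ == "__main__":
    site = build_site()
    anon_deferred = Request(user=None, defer_security_check=True)
    print("unsafe view:", widget_view_unsafe(site, "folder", anon_deferred))
    print("safe view:  ", widget_view_safe(site, "folder", anon_deferred))
```

The unsafe view is what you get if the deferred check is taken for granted: unrestrictedTraverse succeeds for everyone, so the view has to apply the same policy itself on the object it reached and on anything it lists.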
