
Anonymous users creating content types: which approaches instead of invokeFactory can be used?

I've come across this little function that lets anonymous users call invokeFactory.

    # Module-level imports this method relies on:
    from AccessControl.SecurityManagement import newSecurityManager
    from Products.CMFCore.utils import getToolByName

    security.declarePrivate('anonymousInvokeFactory')
    def anonymousInvokeFactory(self, container, type_name, id,
                               REQUEST=None, *args, **kw):
        """
        Anonymous cannot add objects with InvokeFactory, so this is a
        special method to do it with. Must be called from other function
        to limit possibilities of abuse.
        """
        # remember original user
        mtool = getToolByName(self, 'portal_membership')
        originalUser = mtool.getAuthenticatedMember()
        # wrap the request in new security to be able to add content
        user = self.getWrappedOwner()
        newSecurityManager(REQUEST, user)
        container.invokeFactory(type_name, id, REQUEST=REQUEST, *args, **kw)
        # set original user again
        newSecurityManager(REQUEST, originalUser)
        return id

It seems perfect for a situation where I'm using some proxyManager metadata. But I haven't seen this little snippet anywhere besides this nabble entry - is it safe? Which disadvantages can you see in this approach? EDIT: I've now found some references in the official community Plone docs effort.

My scenario: the anonymous user is creating an Archetype object on ZODB, in a specific context only, that only accepts this type of object. He can not see any objects, he is just calling a form that is going to create these objects. These objects are going to be created, and their attributes (fields) need to be populated as well. The _createObjectType approach creates the object but it doesn't add the fields even using **kwargs. EDIT2: It's possible to edit using default accessors like obj.setTitle. I'm now using this approach, and it works flawlessly.


I would be wary of using anything that sets up a new security manager. A better way to do this would be to bypass security when creating the object.

You can do something like:

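    from Products.CMFCore.utils import getToolByName

    # Wrapper name is hypothetical; the body is the snippet as posted.
    def constructWithoutSecurity(context, portal_type, id):
        """Create the object, bypassing the security check invokeFactory runs."""
        pt = getToolByName(context, 'portal_types')
        type_info = pt.getTypeInfo(portal_type)
        ob = type_info._constructInstance(context, id)
        # CMFCore compatibility
        if hasattr(type_info, '_finishConstruction'):
            return type_info._finishConstruction(ob)
        else:
            return ob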

source: uwosh.pfg.d2c
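
One concrete reason for caution about swapping the security manager, shown as an added example that is not part of the original question or answer: the question's snippet restores the original user only on the success path, so an exception raised by invokeFactory leaves the thread running as the owner. The code uses plain-Python stand-ins so it runs without Zope; `_state`, `Container`, `unsafe_add`, `as_user` and `safe_add` are hypothetical names, not the AccessControl API.

```python
import threading
from contextlib import contextmanager, suppress

_state = threading.local()  # stand-in for Zope's per-thread security manager
_state.user = "Anonymous User"

class Container:
    """Constructed stand-in for a folder where only the owner may add."""
    def __init__(self):
        self.ids = set()
    def invoke_factory(self, type_name, id):
        if _state.user != "owner":
            raise PermissionError("Unauthorized")
        if id in self.ids:
            raise ValueError("duplicate id: %s" % id)
        self.ids.add(id)
        return id

def unsafe_add(container, type_name, id):
    """Same shape as the question's snippet: restores only on success."""
    original = _state.user
    _state.user = "owner"
    container.invoke_factory(type_name, id)
    _state.user = original  # never reached when invoke_factory raises
    return id

@contextmanager
def as_user(user):
    """Elevate for one block; the finally clause always restores."""
    original = _state.user
    _state.user = user
    try:
        yield
    finally:
        _state.user = original

def safe_add(container, type_name, id):
    with as_user("owner"):
        return container.invoke_factory(type_name, id)

def user_after_failed_add(add):
    """Make the second add fail on a duplicate id; return the active user."""
    _state.user = "Anonymous User"
    container = Container()
    add(container, "Ticket", "t1")
    with suppress(ValueError):
        add(container, "Ticket", "t1")
    return _state.user
```

In real Zope code the same try/finally shape applies around `newSecurityManager`, saving the current manager with `getSecurityManager()` first and putting it back with `setSecurityManager()`.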
