plone / plone.app.widgets

Integrating plone.widgets into plone

Error: Vocabulary lookup not allowed #162

Closed holdenhao closed 5 years ago

holdenhao commented 7 years ago

I am using p.a.widgets 1.9.1 on Plone 4.3.12 and I get the lookup error on my tuple field behavior.

the behavior:

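from plone.app.widgets.dx import AjaxSelectWidget
from plone.autoform import directives
from plone.supermodel import model
from zope import schema

from my.package import _  # message factory; import path assumed


class IMultiParkingUnit(model.Schema):

    # Render the tuple field with the AJAX select widget, backed by the
    # named vocabulary; users may only pick existing items.
    directives.widget(
        'parking_units',
        AjaxSelectWidget,
        vocabulary='my.package.vocabulary.ParkingUnits',
        pattern_options={
            'allowNewItems': False,
        },
    )
    parking_units = schema.Tuple(
        title=_(u"Parking Units"),
        value_type=schema.TextLine(),
        required=False,
        missing_value=(),
    )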

the vocabulary:

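from plone import api
from plone.app.widgets.browser.vocabulary import _permissions
from zope.interface import provider
from zope.schema.interfaces import IVocabularyFactory
from zope.schema.vocabulary import SimpleTerm, SimpleVocabulary


@provider(IVocabularyFactory)
def PakingUnitsFactory(context, query=''):
    # One term per parking unit found in the catalog; the UID is value and token.
    catalog = api.portal.get_tool(name='portal_catalog')
    brains = catalog.searchResults({
        'portal_type': 'my.package.parkingunit', 'Title': query})
    terms = [SimpleTerm(value=b.UID, token=b.UID, title=b.Title)
             for b in brains]
    return SimpleVocabulary(terms)


# Register 'View' as the permission required to query this vocabulary.
_permissions['my.package.vocabulary.ParkingUnits'] = 'View'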

The setting of the 'View' permission for my custom vocabulary above should have allowed a regular site user to use the AjaxSelectWidget. However, the system returns the lookup error. Debugging p.a.widgets, I found that the DXFieldPermissionChecker validate method is returning the default 'Modify portal content' as the required permission needed by a regular user. I really do not want to give the user modify permission on the container.

In p.a.w.b.vocabulary.py

class VocabularyView(BaseVocabularyView):
......
        if factory_name in _permissions\
                and INavigationRoot.providedBy(context):
            # Short circuit if permission is in global registry
            authorized = sm.checkPermission(
                _permissions[factory_name], context
            ) 
        elif field_name:
            # Check field specific permission
            permission_checker = queryAdapter(
                context, IFieldPermissionChecker
            )
            if permission_checker is not None:
                authorized = permission_checker.validate(
                    field_name, factory_name
                )

The above lines should have made my custom vocabulary permission take effect, but since it uses the "and" operator and the INavigationRoot interface test failed, the code in effect became the field_name check, which sets the default permission to "Modify portal content".

petschki commented 6 years ago

btw. this is also an issue with p.a.widgets 1.10 and Plone 4.3.x ... if the user wants to categorize the content in the AddForm (keywords, related items, etc ...) the vocabulary lookup is unauthorized when the container is not editable ... @jensens or @ale-rt maybe one of you can give me a hint where to backport this from p.a.content (since the vocabulary views are there in Plone 5), so I could commit a fix to the 1.x branch here ...

ale-rt commented 6 years ago

As far as I can see the same "problem" (feature?) should be present also on plone.app.content master:

Looking at the code (so I might miss something) you may solve this issue either by providing an IFieldPermissionChecker adapter for your context or by overriding the VocabularyView for your context.

I would say the adapter way is the one to go.

petschki commented 6 years ago

@ale-rt thanks for your suggestion. I think the solution for the general AddForm problem is to set the DEFAULT_PERMISSION to Add portal content like p.a.dexterity does here: https://github.com/plone/plone.app.dexterity/blob/master/plone/app/dexterity/permissions.py#L115 ... I'm preparing a pull request for this.

As far as I can see, the solution for @holdenhao would be a form schema hint directives.write_permission(parking_units='zope2.View') as described here: https://docs.plone.org/external/plone.app.dexterity/docs/reference/form-schema-hints.html

petschki commented 6 years ago

DEFAULT_PERMISSION issue is fixed in 1.x branch. @holdenhao can you confirm my suggestion as solution for your problem? Then we could close this thread.

petschki commented 5 years ago

@holdenhao 1.11 was released yesterday ... should fix this. If not, please reopen.
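The authorization decision discussed in this thread, as an added example that is not part of the original issue and is not plone.app.widgets code: a simplified model of the two branches quoted from VocabularyView, showing which permission ends up being required on a navigation root, on an ordinary folder, and on a folder whose field carries the write_permission hint. Assumptions: contexts are plain dicts, a user holds the same permissions everywhere, the field checker uses the field's write permission with a default fallback, and a request matching neither branch is denied.

```python
# Simplified model of the lookup authorization quoted in this thread.
# It is NOT plone.app.widgets code: contexts and users are plain Python data.

VOCAB = "my.package.vocabulary.ParkingUnits"
GLOBAL_REGISTRY = {VOCAB: "View"}  # stands in for the _permissions dict


def required_permission(factory_name, field_name, context,
                        default_permission="Modify portal content"):
    """Return the permission the lookup would demand, or None (deny)."""
    # Branch 1: the global registry only applies on a navigation root.
    if factory_name in GLOBAL_REGISTRY and context["is_navigation_root"]:
        return GLOBAL_REGISTRY[factory_name]
    # Branch 2: field-specific check. Assumption: the checker uses the
    # field's write permission and falls back to the default.
    if field_name:
        return context["write_permissions"].get(field_name, default_permission)
    # Assumption: neither branch matched, so the lookup is refused.
    return None


def lookup_allowed(user_permissions, factory_name, field_name, context, **kw):
    """True when the user holds the permission the lookup demands."""
    needed = required_permission(factory_name, field_name, context, **kw)
    return needed is not None and needed in user_permissions


# Constructed sample users and contexts.
MEMBER = {"View"}                              # read-only site user
CONTRIBUTOR = {"View", "Add portal content"}   # may add, not modify
site_root = {"is_navigation_root": True, "write_permissions": {}}
folder = {"is_navigation_root": False, "write_permissions": {}}
# Folder whose schema has write_permission(parking_units='zope2.View');
# zope2.View is the id of the "View" permission.
folder_hinted = {"is_navigation_root": False,
                 "write_permissions": {"parking_units": "View"}}

if __name__ == "__main__":
    for name, ctx in [("site root", site_root), ("folder", folder),
                      ("folder + write_permission hint", folder_hinted)]:
        print(name, "->", required_permission(VOCAB, "parking_units", ctx),
              "| member allowed:",
              lookup_allowed(MEMBER, VOCAB, "parking_units", ctx))
```

The hinted case passes because the field's own write permission was lowered, so that hint also decides who may edit the field, not only who may query the vocabulary. Passing `default_permission="Add portal content"` models the DEFAULT_PERMISSION change mentioned for the 1.x branch.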