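def filterFields(context, form_fields):
    """Restrict *form_fields* to what the current principal may use on *context*.

    For a context providing IAlchemistContent, each field is classified by
    the security checks on the attribute of the same name:

    * writable  -> left untouched (rendered as an input);
    * read-only -> switched to display mode using the descriptor's view widget;
    * neither   -> omitted from the returned field collection.

    A context that is neither content nor a container is treated as a wrapper
    and the check is delegated to its ``context`` attribute. A container gets
    the fields back with nothing omitted.

    Raises:
        NotImplementedError: the context is neither content nor container and
            has no truthy ``context`` attribute to delegate to.
    """
    omit_names = []
    if IAlchemistContent.providedBy(context):
        md = utils.get_descriptor(context.__class__)
        for field in form_fields:  # field: zope.formlib.form.FormField
            try:
                can_write = security.canWrite(context, field.__name__)
                can_read = security.canAccess(context, field.__name__)
            except AttributeError:
                # Fail closed: a field with no matching attribute is treated
                # as neither readable nor writable, so it ends up omitted.
                log.warn('filterFields: item [%s] has no field named "%s"',
                    context, field.__name__)
                can_write = can_read = False
            if can_write:
                continue
            if can_read:
                # Mutates the shared field object in place.
                # NOTE(review): assumes the descriptor has an entry for every
                # form field; md.get() returning None would raise here.
                field.for_display = True
                field.custom_widget = md.get(field.__name__).view_widget
            else:
                omit_names.append(field.__name__)
    elif not IAlchemistContainer.providedBy(context):
        ctx = getattr(context, "context", None)
        if ctx:
            # Return the delegated result. Previously it was discarded and the
            # function fell through to omit() with an empty name list, so
            # fields the principal could not read stayed in the form whenever
            # the check went through a wrapper.
            return filterFields(ctx, form_fields)
        else:
            raise NotImplementedError
    return form_fields.omit(*omit_names)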
def _extractContentInfo(self, item):
    """Build the display-info dict for one ``(id, object)`` container entry.

    The result always carries ``id``, ``cb_id``, ``object``, ``url``,
    ``rename``, ``retitle``, ``icon``, ``retitleable`` and ``plaintitle``;
    ``title``, ``created``, ``modified`` and ``size`` are added only when the
    corresponding adapter/attribute yields a value.
    """
    request = self.request

    # Which ids are in "rename" mode is taken straight from request data.
    # It only selects how a row is rendered here.
    if "container_rename_button" in request:
        pending = request.get('ids', ())
    elif "rename_ids" in request:
        pending = request.get('rename_ids', ())
    else:
        pending = ()
    rename_ids = dict((rid, rid) for rid in pending)

    retitle_id = request.get('retitle_id')

    name, obj = item
    info = {}
    info['id'] = info['cb_id'] = name
    info['object'] = obj
    info['url'] = urllib.quote(name.encode('utf-8'))
    info['rename'] = rename_ids.get(name)
    info['retitle'] = name == retitle_id

    icon_view = zapi.queryMultiAdapter((obj, self.request), name='zmi_icon')
    info['icon'] = None if icon_view is None else icon_view()

    dc = IZopeDublinCore(obj, None)
    if dc is None:
        # No Dublin Core adapter: the title can only be shown as plain text.
        info['retitleable'] = 0
        info['plaintitle'] = 1
    else:
        # canWrite() result is used as a rendering hint only.
        # NOTE(review): the code that applies a submitted title is not in
        # view; it has to enforce the permission itself rather than rely on
        # this flag.
        may_retitle = canWrite(dc, 'title')
        info['retitleable'] = may_retitle
        info['plaintitle'] = not may_retitle

        title = self.safe_getattr(dc, 'title', None)
        if title:
            info['title'] = title

        formatter = self.request.locale.dates.getFormatter(
            'dateTime', 'short')

        for key in ('created', 'modified'):
            stamp = self.safe_getattr(dc, key, None)
            if stamp is not None:
                info[key] = formatter.format(stamp)

    sized_adapter = ISized(obj, None)
    if sized_adapter is not None:
        info['size'] = sized_adapter
    return info
def _extractContentInfo(self, item):
    """Build the display-info dict for one ``(id, object)`` container entry.

    The result always carries ``id``, ``cb_id``, ``object``, ``url``,
    ``rename``, ``retitle``, ``icon``, ``retitleable`` and ``plaintitle``;
    ``title``, ``created``, ``modified`` and ``size`` are added only when the
    corresponding adapter/attribute yields a value.
    """
    request = self.request

    # Which ids are in "rename" mode is taken straight from request data.
    # It only selects how a row is rendered here.
    if "container_rename_button" in request:
        pending = request.get('ids', ())
    elif "rename_ids" in request:
        pending = request.get('rename_ids', ())
    else:
        pending = ()
    rename_ids = dict((rid, rid) for rid in pending)

    retitle_id = request.get('retitle_id')

    name, obj = item
    info = {}
    info['id'] = info['cb_id'] = name
    info['object'] = obj
    info['url'] = urllib.quote(name.encode('utf-8'))
    info['rename'] = rename_ids.get(name)
    info['retitle'] = name == retitle_id

    icon_view = queryMultiAdapter((obj, self.request), name='zmi_icon')
    info['icon'] = None if icon_view is None else icon_view()

    dc = IZopeDublinCore(obj, None)
    if dc is None:
        # No Dublin Core adapter: the title can only be shown as plain text.
        info['retitleable'] = 0
        info['plaintitle'] = 1
    else:
        # canWrite() result is used as a rendering hint only.
        # NOTE(review): the code that applies a submitted title is not in
        # view; it has to enforce the permission itself rather than rely on
        # this flag.
        may_retitle = canWrite(dc, 'title')
        info['retitleable'] = may_retitle
        info['plaintitle'] = not may_retitle

        title = self.safe_getattr(dc, 'title', None)
        if title:
            info['title'] = title

        formatter = self.request.locale.dates.getFormatter(
            'dateTime', 'short')

        for key in ('created', 'modified'):
            stamp = self.safe_getattr(dc, key, None)
            if stamp is not None:
                info[key] = formatter.format(stamp)

    sized_adapter = ISized(obj, None)
    if sized_adapter is not None:
        info['size'] = sized_adapter
    return info
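def render(self):
    """Render the title cell, as a text input when the title may be edited.

    The inherited rendering is used when the row is not among the active ids,
    when the title is not writable for the current principal, or when the
    content provides IDocument. Otherwise an ``<input>`` pre-filled with
    ``self.query()`` is returned.
    """
    content = self.content
    if content.__name__ not in self.globalenviron['activeIds']:
        return super(RenameTitleColumn, self).render()
    if IItem.providedBy(content):
        if not canWrite(content, 'title'):
            return super(RenameTitleColumn, self).render()
    else:
        dc = ICMFDublinCore(content, None)
        if dc is not None:
            if not canWrite(dc, 'title'):
                return super(RenameTitleColumn, self).render()
        # NOTE(review): when no Dublin Core adapter exists, no write check is
        # made and the input is rendered anyway; confirm that is intended.
    if IDocument.providedBy(content):
        return super(RenameTitleColumn, self).render()
    # The value lands inside a double-quoted attribute. cgi.escape() leaves
    # '"' untouched unless its quote flag is set, so a title containing a
    # double quote could previously close the attribute and add markup.
    return u'<input type="text" name="newTitles:list" '\
           'size="14" value="%s" />' % cgi.escape(self.query(), True)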
def has_write_permission(self, context):
    """Tell whether the current principal may create a version of *context*.

    The rule is deliberately coarse: write access to any single mapped column
    is taken as the right to version the whole object. With no writable
    column (or no columns at all) the answer is False.
    """
    # An exception raised by canWrite() is not handled here and propagates.
    mapped = orm.class_mapper(context.__class__).mapped_table
    return any(canWrite(context, column.name) for column in mapped.columns)
def _copy_writeableFields(self, source, dest, context):
    """Copy mapped column values from *source* to *dest* for a revert.

    Primary-key columns are never copied. Every other column is copied when
    canWrite() grants it on *context*, and also when the check itself raises
    ForbiddenAttribute.
    """
    mapped = get_mapped_table(source.__class__)
    for column in mapped.columns:
        if column.primary_key:
            continue
        # Read before the permission check, as the original does.
        current = getattr(source, column.name)
        try:
            if canWrite(context, column.name):
                setattr(dest, column.name, current)
        except ForbiddenAttribute:
            # NOTE(review): this branch fails open. A column for which the
            # check raises ForbiddenAttribute is still written, which is
            # broader than "only fields the user has edit rights for".
            # Confirm this is meant for columns without a security
            # declaration. The permission is also checked on `context`
            # while the write goes to `dest`.
            setattr(dest, column.name, current)
def has_write_permission(self, context):
    """Tell whether the current principal may create a version.

    Write access to any single mapped column of ``self.context`` is taken as
    the right to version the object. Columns whose check raises
    ForbiddenAttribute are skipped. The *context* argument is not used.
    """
    # The proxy is removed only to reach the mapped class; the permission
    # check below still runs against the proxied self.context.
    unproxied = removeSecurityProxy(self.context)
    columns = orm.class_mapper(unproxied.__class__).mapped_table.columns
    for column in columns:
        try:
            writable = canWrite(self.context, column.name)
        except ForbiddenAttribute:
            continue
        if writable:
            return True
    return False
def has_write_permission(self, context):
    """Tell whether the current principal may create a version.

    The stated intent is that write access to any field grants the right to
    version the object. The *context* argument is not used; the check runs
    against ``self.context``.
    """
    # The proxy is removed only to reach the mapped class; the permission
    # check below still runs against the proxied self.context.
    unproxied = removeSecurityProxy(self.context)
    # !+ extended attributes? Get the complete attribute list off the class,
    #    as core.audit's get_field_names_to_audit(kls) does.
    # !+ replace with a more explicit permission check?
    columns = orm.class_mapper(unproxied.__class__).mapped_table.columns
    for column in columns:
        try:
            writable = canWrite(self.context, column.name)
        except ForbiddenAttribute:
            continue
        # NOTE(review): the first column whose check does not raise decides
        # the result, so later columns are never consulted. That is narrower
        # than the "any of the fields" rule described above; confirm which
        # is intended.
        return True if writable else False
    return False
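def filterFields(context, form_fields):
    """Restrict *form_fields* to what the current principal may use on *context*.

    For a context providing IAlchemistContent, each field is classified by
    the security checks on the attribute of the same name:

    * writable  -> left untouched (rendered as an input);
    * read-only -> switched to display mode using the descriptor's view widget;
    * neither   -> omitted from the returned field collection.

    A context that is neither content nor a container is treated as a wrapper
    and the check is delegated to its ``context`` attribute. A container gets
    the fields back with nothing omitted.

    Raises:
        NotImplementedError: the context is neither content nor container and
            has no truthy ``context`` attribute to delegate to.
    """
    omit_names = []
    if IAlchemistContent.providedBy(context):
        md = queryModelDescriptor(context.__class__)
        for field in form_fields:
            try:
                can_write = security.canWrite(context, field.__name__)
                can_read = security.canAccess(context, field.__name__)
            except AttributeError:
                # Fail closed: a field with no matching attribute is treated
                # as neither readable nor writable, so it ends up omitted.
                can_write = can_read = False
            if can_write:
                continue
            if can_read:
                # Mutates the shared field object in place.
                # NOTE(review): assumes a descriptor exists and has an entry
                # for every form field; a None from either lookup would raise.
                field.for_display = True
                field.custom_widget = md.get(field.__name__).view_widget
            else:
                omit_names.append(field.__name__)
    elif not IAlchemistContainer.providedBy(context):
        ctx = getattr(context, "context", None)
        if ctx:
            # Return the delegated result. Previously it was discarded and the
            # function fell through to omit() with an empty name list, so
            # fields the principal could not read stayed in the form whenever
            # the check went through a wrapper.
            return filterFields(ctx, form_fields)
        else:
            raise NotImplementedError
    return form_fields.omit(*omit_names)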
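def filterFields(context, form_fields):
    """Restrict *form_fields* to what the current principal may use on *context*.

    For a context providing IAlchemistContent, each field is classified by
    the security checks on the attribute of the same name:

    * writable  -> left untouched (rendered as an input);
    * read-only -> switched to display mode using the descriptor's view widget;
    * neither   -> omitted from the returned field collection.

    A context that is neither content nor a container is treated as a wrapper
    and the check is delegated to its ``context`` attribute. A container gets
    the fields back with nothing omitted.

    Raises:
        NotImplementedError: the context is neither content nor container and
            has no truthy ``context`` attribute to delegate to.
    """
    omit_names = []
    if IAlchemistContent.providedBy(context):
        md = queryModelDescriptor(context.__class__)
        for field in form_fields:
            try:
                can_write = security.canWrite(context, field.__name__)
                can_read = security.canAccess(context, field.__name__)
            except AttributeError:
                # Fail closed: a field with no matching attribute is treated
                # as neither readable nor writable, so it ends up omitted.
                can_write = can_read = False
            if can_write:
                continue
            if can_read:
                # Mutates the shared field object in place.
                # NOTE(review): assumes a descriptor exists and has an entry
                # for every form field; a None from either lookup would raise.
                field.for_display = True
                field.custom_widget = md.get(field.__name__).view_widget
            else:
                omit_names.append(field.__name__)
    elif not IAlchemistContainer.providedBy(context):
        ctx = getattr(context, 'context', None)
        if ctx:
            # Return the delegated result. Previously it was discarded and the
            # function fell through to omit() with an empty name list, so
            # fields the principal could not read stayed in the form whenever
            # the check went through a wrapper.
            return filterFields(ctx, form_fields)
        else:
            raise NotImplementedError
    return form_fields.omit(*omit_names)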
def setUpEditWidgets(view, schema, source=None, prefix=None,
                     ignoreStickyValues=False, names=None, context=None,
                     degradeInput=False, degradeDisplay=False):
    """Set up the widgets a view uses to collect input.

    `view`, `schema`, `prefix`, `ignoreStickyValues`, `names` and `context`
    have the meaning documented on `setUpWidgets`.

    `source` is the object initial widget values are read from; the view
    context is used when it is not given.

    `degradeInput` controls what happens when the user may not edit one of
    the named fields: by default Unauthorized is raised, with the flag set
    the field gets an IDisplayWidget instead.

    `degradeDisplay` controls what happens when reading a field's value
    raises Unauthorized: by default the error propagates, with the flag set
    the field is left out of the form. ForbiddenAttribute is re-raised
    regardless of the flag.

    Returns the list of names for which a widget was set up, which is equal
    to or a subset of the names requested.
    """
    if context is None:
        context = view.context
    if source is None:
        source = view.context
    security_proxied = isProxy(source, Proxy)
    drawn = []
    for name, field in _fieldlist(names, schema):
        # Handler order matters: ForbiddenAttribute must be re-raised before
        # the AttributeError handler gets a chance to swallow it.
        try:
            value = field.get(source)
        except ForbiddenAttribute:
            raise
        except AttributeError:
            value = no_value
        except Unauthorized:
            if degradeDisplay:
                continue
            raise

        if field.readonly:
            viewType = IDisplayWidget
        elif not security_proxied:
            # An unproxied source may be a plain adapter without a registered
            # checker, so no write check is possible and an input widget is
            # handed out. If honouring the user's ability to set a field
            # becomes a must-have for the form machinery, this case ought to
            # emit a deprecation warning.
            viewType = IInputWidget
        else:
            if IMethod.providedBy(field):
                # Accessor fields are written through a method, so the check
                # is whether that writer may be accessed.
                set_name = field.writer.__name__
                authorized = security.canAccess(source, set_name)
            else:
                set_name = name
                authorized = security.canWrite(source, name)
            if authorized:
                viewType = IInputWidget
            elif degradeInput:
                viewType = IDisplayWidget
            else:
                raise Unauthorized(set_name)

        setUpWidget(view, name, field, viewType, value, prefix,
                    ignoreStickyValues, context)
        drawn.append(name)
    return drawn
except Unauthorized: if degradeDisplay: continue else: raise if field.readonly: viewType = IDisplayWidget else: if security_proxied: is_accessor = IMethod.providedBy(field) if is_accessor: set_name = field.writer.__name__ authorized = security.canAccess(source, set_name) else: set_name = name authorized = security.canWrite(source, name) if not authorized: if degradeInput: viewType = IDisplayWidget else: raise Unauthorized(set_name) else: viewType = IInputWidget else: # if object is not security proxied, might be a standard # adapter without a registered checker. If the feature of # paying attention to the users ability to actually set a # field is decided to be a must-have for the form machinery, # then we ought to change this case to have a deprecation # warning. viewType = IInputWidget
def can_write(self):
    """See pyams_utils.interfaces.form.IDataManager"""
    target = self.adapted_context
    if not isinstance(target, Proxy):
        # No security proxy means nothing to check against: the field is
        # reported as writable. Callers that strip the proxy before reaching
        # this point therefore get True unconditionally.
        return True
    return canWrite(target, self.field.__name__)