Ticket #13366 (confirmed Bug)

Opened 3 years ago

Last modified 2 years ago

no way to set fields on dexterity content via web service api

Reported by: djay Owned by:
Priority: minor Milestone: 4.x
Component: Dexterity Version: 4.2
Keywords: xmlrpc Cc:

Description

Archetypes exposes it's getters and settings on fields to XMLRPC. In addition they have an .update() method that allows many fields to be set at once. I'm looking to make transmogrify.ploneremote compatible with dexterity content types with just out of the box Plone + dexterity. So far the only way seems to be to enable the webdav port and upload as a mime encoded message. However this means we can't set only fields that have been changed and instead have to reupload the whole content which could be very large.

Change History

comment:1 Changed 3 years ago by kleist

  • Keywords dexterity, removed
  • Status changed from new to confirmed
  • Component changed from Unknown to Dexterity

comment:2 Changed 2 years ago by djay

This issue also affects use of dexterity via restrictedpython. RestrictedPython doesn't allow you to set arbitrary properties on objects. It's a bit disappointing that such important access methods of zope weren't considered in the design of the dexterity api.

comment:3 Changed 2 years ago by davisagli

I think just no one has given attention to making this work, as opposed to it being a flaw in the design. I haven't used RestrictedPython in years, and don't have time/interest in making it work myself.

Looks like the dexterity base classes would need to implement __guarded_setattr__ as checked for by the write guard in RestrictedPython.

comment:4 Changed 2 years ago by djay

ZPT uses TAL which uses restrictedpython. I'm pretty sure you along with most Plone integrators have used ZPT. You may not have tried update a DX object inside a ZPT template but I'd say it's a valid thing to want to do.

Moving forward, I see we can fix this in the following ways.

  1. Change DX to support a .update method similar to AT. e.g. .update({'field1:'blah'})
  2. implement the guareded_setattr method you mention to allow myobj.field1 = 'blah'
  3. Change DX to support a setField method e.g. myobj.setField('field1','blah')

Only 1 and 3 solve the xml-rpc issue. If we do a pull request, which of these would be approved?

comment:5 Changed 2 years ago by seanupton

I would be +1 to (and use) an update() method that would:

  1. support either a mapping as its first positional argument;
  2. or support keyword arguments in lieu of above;
  3. filter out and remove any key/value pairs that:
    • Have keys not in schema.
    • Field that user does not have permission to set.
    • Not sure we want to filter fields that are omitted from forms that might be part of an interface? Likely not, but it might be nice to declare some field name exempt from remote API on the interface spelling it out.
  4. Validate each field remaining, then...
  5. ...set validated, legal fields.

I don't care that much about backward compatibility with calling semantics for AT, I suppose others might.

Note: See TracTickets for help on using tickets.