previewdoc: do not use @@downloadurl, to avoid content-disposition being set
parent
90bf14cb6a
commit
1139441ea0
|
@ -1,4 +1,8 @@
|
|||
from AccessControl import getSecurityManager
|
||||
from AccessControl import ClassSecurityInfo
|
||||
|
||||
from Acquisition import ImplicitAcquisitionWrapper
|
||||
from Acquisition.interfaces import IAcquirer
|
||||
|
||||
from zope.interface import implements, implementsOnly, implementer
|
||||
from zope.component import adapts, adapter
|
||||
|
@ -10,6 +14,8 @@ from z3c.form.widget import Widget, FieldWidget
|
|||
from collective.z3cform.datetimewidget import DateWidget
|
||||
|
||||
from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
|
||||
from Products.Five.browser import BrowserView
|
||||
|
||||
|
||||
from z3c.form.converter import BaseDataConverter
|
||||
|
||||
|
@ -350,6 +356,9 @@ def PreviewDocFieldWidget(field, request):
|
|||
class PreviewDocWidget(Widget):
|
||||
implements(IPreviewDocWidget)
|
||||
|
||||
security = ClassSecurityInfo()
|
||||
security.declareObjectPublic()
|
||||
|
||||
def width(self):
|
||||
if hasattr(self.field, 'width'):
|
||||
return self.field.width
|
||||
|
@ -369,9 +378,8 @@ class PreviewDocWidget(Widget):
|
|||
def href(self):
|
||||
if not hasattr(self.context, self.get_attribute_name()):
|
||||
return None
|
||||
if getattr(self.context, self.get_attribute_name()):
|
||||
return self.form.widgets[self.get_attribute_name()].download_url
|
||||
return None
|
||||
form_url = self.request.getURL()
|
||||
return "%s/++widget++%s/@@file" % (form_url, self.name)
|
||||
|
||||
def filename(self):
|
||||
if not hasattr(self.context, self.get_attribute_name()):
|
||||
|
@ -382,3 +390,39 @@ class PreviewDocWidget(Widget):
|
|||
return 'unknown.pdf'
|
||||
return ''
|
||||
|
||||
class PreviewDocFile(BrowserView):
|
||||
|
||||
def validate_access(self):
|
||||
# copied from autocompletewidget
|
||||
|
||||
content = self.context.form.context
|
||||
|
||||
# If the object is not wrapped in an acquisition chain
|
||||
# we cannot check any permission.
|
||||
if not IAcquirer.providedBy(content):
|
||||
return
|
||||
|
||||
url = self.request.getURL()
|
||||
view_name = url[len(content.absolute_url()):].split('/')[1]
|
||||
|
||||
# May raise Unauthorized
|
||||
|
||||
# If the view is 'edit', then traversal prefers the view and
|
||||
# restrictedTraverse prefers the edit() method present on most CMF
|
||||
# content. Sigh...
|
||||
if not view_name.startswith('@@') and not view_name.startswith('++'):
|
||||
view_name = '@@' + view_name
|
||||
|
||||
view_instance = content.restrictedTraverse(view_name)
|
||||
sm = getSecurityManager()
|
||||
sm.validate(content, content, view_name, view_instance)
|
||||
|
||||
|
||||
def __call__(self):
|
||||
self.validate_access()
|
||||
file = getattr(self.context.context, self.context.get_attribute_name())
|
||||
if file.contentType:
|
||||
self.request.response.setHeader('Content-type', file.contentType)
|
||||
else:
|
||||
self.request.response.setHeader('Content-type', 'application/octet-stream')
|
||||
return file.data
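Review bot: `PreviewDocFile.__call__` returns `file.data` inline under whatever `file.contentType` was stored, so with no Content-Disposition an uploaded HTML or SVG document would be rendered in the site's own origin. Who may upload to this field is not visible here, but since the widget previews documents I would serve inline only the types the preview expects, send everything else as an attachment, and add `self.request.response.setHeader('X-Content-Type-Options', 'nosniff')`. The method also assumes the attribute holds a file: `href()` guards against a missing or empty value, while a direct request to `@@file` on an empty field would fail at `file.contentType`. A short docstring on `__call__` stating that the missing Content-Disposition is deliberate would keep a later change from undoing it.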
|
||||
|
|
|
@ -105,4 +105,10 @@
|
|||
layer="z3c.form.interfaces.IFormLayer"
|
||||
template="previewdoc_display.pt"/>
|
||||
|
||||
<browser:page
|
||||
name="file"
|
||||
for=".widgets.IPreviewDocWidget"
|
||||
permission="zope.Public"
|
||||
class=".widgets.PreviewDocFile"/>
|
||||
|
||||
</configure>
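Review bot: `permission="zope.Public"` on the new `file` page means the publisher performs no check of its own, so the only gate on the file bytes is `PreviewDocFile.validate_access` in the Python section of this commit. That method returns without checking anything when the form's content does not provide `IAcquirer`, and it validates the form view on `self.context.form.context` while `__call__` reads the file from `self.context.context`. If a declared permission cannot be used for a widget view, I would put a comment above the registration such as `<!-- zope.Public: authorization is enforced in PreviewDocFile.validate_access -->`. I would also make the unwrapped case deny by raising `Unauthorized` rather than returning silently.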
|
||||
|
|