previewdoc: do not use @@downloadurl, to avoid content-disposition being set

2011-10-11 10:36:06 -04:00 · 2011-10-11 10:36:06 -04:00 · 1139441ea0
parent 90bf14cb6a
commit 1139441ea0
2 changed files with 53 additions and 3 deletions
--- a/themis/fields/widgets.py
+++ b/themis/fields/widgets.py
@ -1,4 +1,8 @@
+from AccessControl import getSecurityManager
+from AccessControl import ClassSecurityInfo
+
 from Acquisition import ImplicitAcquisitionWrapper
+from Acquisition.interfaces import IAcquirer

 from zope.interface import implements, implementsOnly, implementer
 from zope.component import adapts, adapter
@ -10,6 +14,8 @@ from z3c.form.widget import Widget, FieldWidget
 from collective.z3cform.datetimewidget import DateWidget

 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
+from Products.Five.browser import BrowserView
+

 from z3c.form.converter import BaseDataConverter

@ -350,6 +356,9 @@ def PreviewDocFieldWidget(field, request):
 class PreviewDocWidget(Widget):
    implements(IPreviewDocWidget)

+    security = ClassSecurityInfo()
+    security.declareObjectPublic()
+
    def width(self):
        if hasattr(self.field, 'width'):
            return self.field.width
@ -369,9 +378,8 @@ class PreviewDocWidget(Widget):
    def href(self):
        if not hasattr(self.context, self.get_attribute_name()):
            return None
-        if getattr(self.context, self.get_attribute_name()):
-            return self.form.widgets[self.get_attribute_name()].download_url
-        return None
+        form_url = self.request.getURL()
+        return "%s/++widget++%s/@@file" % (form_url, self.name)

    def filename(self):
        if not hasattr(self.context, self.get_attribute_name()):
@ -382,3 +390,39 @@ class PreviewDocWidget(Widget):
            return 'unknown.pdf'
        return ''

+class PreviewDocFile(BrowserView):
+
+    def validate_access(self):
+        # copied from autocompletewidget
+
+        content = self.context.form.context
+
+        # If the object is not wrapped in an acquisition chain
+        # we cannot check any permission.
+        if not IAcquirer.providedBy(content):
+            return
+
+        url = self.request.getURL()
+        view_name = url[len(content.absolute_url()):].split('/')[1]
+
+        # May raise Unauthorized
+
+        # If the view is 'edit', then traversal prefers the view and
+        # restrictedTraverse prefers the edit() method present on most CMF
+        # content. Sigh...
+        if not view_name.startswith('@@') and not view_name.startswith('++'):
+            view_name = '@@' + view_name
+
+        view_instance = content.restrictedTraverse(view_name)
+        sm = getSecurityManager()
+        sm.validate(content, content, view_name, view_instance)
+
+
+    def __call__(self):
+        self.validate_access()
+        file = getattr(self.context.context, self.context.get_attribute_name())
+        if file.contentType:
+            self.request.response.setHeader('Content-type', file.contentType)
+        else:
+            self.request.response.setHeader('Content-type', 'application/octet-stream')
+        return file.data
--- a/themis/fields/widgets.zcml
+++ b/themis/fields/widgets.zcml
@ -105,4 +105,10 @@
       layer="z3c.form.interfaces.IFormLayer"
       template="previewdoc_display.pt"/>

+    <browser:page
+       name="file"
+       for=".widgets.IPreviewDocWidget"
+       permission="zope.Public"
+       class=".widgets.PreviewDocFile"/>
+
 </configure>