PloneSite acquired for itself in aq_chain

[jaroel]

We had https://github.com/zopefoundation/Products.CMFCore/blob/master/src/Products/CMFCore/explicitacquisition.py enabled, which made requests for (at least) site root fail.

The CMFCore behaviour is correct, just don't know why we have PloneSite twice in the aq_chain.

/Users/roel/.buildout/eggs/cp311/Products.CMFCore-3.2-py3.11.egg/Products/CMFCore/explicitacquisition.py(30)content_allowed()
-> return context.aq_chain == context.aq_inner.aq_chain
(Pdb) context
<PloneSite at /plone used for /plone>
(Pdb) context.aq_chain
[<PloneSite at /plone used for /plone>, <PloneSite at /plone>, , <ZPublisher.BaseRequest.RequestContainer object at 0x120a1f710>]
(Pdb) context.aq_inner.aq_chain
[<PloneSite at /plone>, , <ZPublisher.BaseRequest.RequestContainer object at 0x120a1f710>]
(Pdb)

Reproduce: explicitly enable the check or disable skipping it and then run the test test_site_root_get_request.

[wesleybl]

@jaroel I took a look at this problem and it's not the fault of plone.rest but rather the way ZPublihser handles traversers of type ++api++.

In the URL:

http://localhost:8080/plone/++api++

When ZPublihser resolves the name ++api++ it considers that the parent container of ++api++ is the Plone Site. It then calls plone.rest's traverse method, which returns the object referent to ++api++ as being the Plone site as well:

plone.rest/src/plone/rest/traverse.py

Lines 66 to 80 in 79f1d19

	def traverse(self, name_ignored, subpath_ignored):
	name = "/++api++"
	url = self.request.ACTUAL_URL
	if url.count(name) > 1:
	# Redirect to proper url.
	while f"{name}{name}" in url:
	url = url.replace(f"{name}{name}", name)
	if url.count(name) > 1:
	# Something like: .../++api++/something/++api++
	# Return nothing, so a NotFound is raised.
	return
	# Raise a redirect exception to stop execution of the current request.
	raise Redirect(url)
	mark_as_api_request(self.request, "application/json")
	return self.context

When ZPublihser resolves names that start with "+" it sets the of of the object returned by the traverse method with the parent container of ++api++. Which in this case are the same object. So that's why the Plone site is acquired by itself.

I don't think this behavior needs to be changed. Perhaps what needs to be changed is the way Product.CMFCore discovers whether an object is acquired or not.

[jaroel]

While the aq_chain check might not catch all edge cases yet, the goal of the ++api++ namespace is to mark the request as an API request, like the doc string says:

plone.rest/src/plone/rest/traverse.py

Lines 56 to 60 in 79f1d19

	class MarkAsRESTTraverser:
	"""
	Traversal adapter for the ``++api++`` namespace.
	It marks the request as API request.
	"""

. It shouldn't affect the aq_chain imho, and the problem should be addressed here.

I think your comment is helpful, thanks!