Re: [Zope-dev] Stripogram or similar in core

2001-10-29 Thread Ivan Raikov


   So, in this validation framework, do you envision having a
parameter-validating routine being invoked whenever a publicly-exposed
method is called by DTML methods, or did you want to focus on mere
HTML form validation/stripping?

  I'm asking because I've had situations when I've needed the
ability to restrict access to methods based on the values of their
parameters -- that's a little more fine-grained than the current
security machinery allows. I've always thought that it might be nice
to provide a hook for each method in a Zope class (similar to
declarative security statements), and to use this hook to validate the
parameters, according to the needs of the user.

  For string parameters, perhaps we can also have the ability to
specify a filter -- something like a search and replace statement,
with Sed-like syntax.

Andy [EMAIL PROTECTED] wrote:
> That depends where you do the checking, yes html validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
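
A sketch of the per-method hook proposed in the message above, as an added example (not Zope code and not from the thread): a decorator checks a call's argument values before the method runs and applies sed-style s/pattern/replacement/flags filters to string parameters. The names parameter_hook, sed_filter, ParameterDenied, OPEN_WARDS and the Records class are hypothetical.

```python
import functools
import inspect
import re

class ParameterDenied(Exception):
    """Raised when a call is refused because of its argument values."""

def sed_filter(expr):
    """Compile 's<d>pattern<d>replacement<d>[gi]' into a str -> str function."""
    if len(expr) < 4 or expr[0] != "s":
        raise ValueError("only s/// expressions are supported")
    delim = expr[1]
    parts = re.split(r"(?<!\\)" + re.escape(delim), expr[2:])  # unescaped delimiters
    if len(parts) != 3 or set(parts[2]) - set("gi"):
        raise ValueError("malformed expression: %r" % expr)
    pattern, repl, flags = (p.replace("\\" + delim, delim) for p in parts)
    regex = re.compile(pattern, re.I if "i" in flags else 0)
    count = 0 if "g" in flags else 1   # like sed: first match only unless 'g'
    return lambda value: regex.sub(repl, value, count=count)

def parameter_hook(check=None, filters=None):
    """Declare a validation hook on a method, next to its security declaration."""
    compiled = {name: sed_filter(e) for name, e in (filters or {}).items()}

    def decorate(method):
        sig = inspect.signature(method)

        @functools.wraps(method)
        def guarded(*args, **kwargs):
            bound = sig.bind(*args, **kwargs)
            bound.apply_defaults()
            for name, fn in compiled.items():      # filter string parameters first
                if isinstance(bound.arguments.get(name), str):
                    bound.arguments[name] = fn(bound.arguments[name])
            if check is not None and not check(bound.arguments):
                raise ParameterDenied(method.__name__)
            return method(*bound.args, **bound.kwargs)
        return guarded
    return decorate

OPEN_WARDS = {"A", "B"}   # constructed sample data

class Records:            # constructed sample class, not a Zope class
    # Regex tag stripping is illustrative only, not a complete HTML sanitizer.
    @parameter_hook(check=lambda a: a["ward"] in OPEN_WARDS and a["limit"] <= 100,
                    filters={"query": r"s/<[^>]*>//g"})
    def search(self, ward, query, limit=20):
        return (ward, query, limit)
```

Because the hook wraps the method itself, the same check runs whether the call comes from a form, a DTML method or other code.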



[Zope-dev] Custom Login

2001-09-24 Thread Ivan Raikov


Hello, 

   Recently, I had to replace ZPublisher's default
authentication scheme, as part of a product I'm working on. I am aware
of the existence of LoginManager, exUserFolder, etc., but in this case
I needed to have a custom login screen at root level, i.e. completely
get rid of the basic HTTP authentication and browser popup window.

So I replaced some of the HTTPRequest and HTTPResponse methods in
order to present the user an HTML form whenever an 'Unauthorized'
exception is raised.

While I'm sure such an issue has arisen hundreds of times, somehow
I was unable to find a product or a How-To that specifically addresses
it, which means either I don't know how to browse the Web, or nobody
has bothered to document their knowledge in the area.

So I went ahead and created a simple Zope product that, upon
installing, makes the necessary changes in HTTPRequest and
HTTPResponse (HotFix style), so that cookie-based, HTML form login
replaces the default one.

For the curious, the product can be found at
http://www.prism.gatech.edu/~gte085h/zope/CustomLogin/


In regards to this product, I've been pondering some questions
that I'd like to be answered by knowledgeable people, if 
possible:  

   1. Is there a product that makes the changes I described,
  and where can I find it?

   2. Does anyone think it's a good idea to provide some kind
  of a standardized API for replacing ZPublisher's
  authentication?

   3. If a user attempts to access a resource,  and is denied
  access, my modified HTTPResponse simply redirects to the
  login form, without bothering to record the URL the user
  originally tried to access (which can be a bad or a good
  thing, I suppose). Is there any way for an HTTPResponse
  instance to find out the URL of its HTTPRequest?

   4. Not entirely related to this topic, but I noticed that
  the ChannelPipe class, used for communication between
  ZServer and ZPublisher, serves only one object instance
  at a time. What would be some practical difficulties in
  changing this class to serve multiple HTTPResponse
  instances? 

Finally, after noticing the ongoing discussion about the error
HTML contents produced by ZPublisher upon an exception, I'd like to point
out that it's extremely trivial to replace HTTPResponse._error_html
and provide either custom behavior (e.g. sending email to the
administrator), or custom HTML code, whether loaded from a file or
hardcoded. Is anyone interested in me writing a How-To on this topic?
The product I described above already does that, so it would be
rather easy for me to put together some documentation, provided that
nobody has bothered to write any. Let me know...


   Sincerely,
   Ivan Raikov
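
An added sketch for question 3 above (not code from the CustomLogin product or from Zope): the redirect to the login form carries the originally requested path, and the value is accepted after login only if it is a same-site path. LOGIN_PATH, RETURN_PARAM and both function names are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_PATH = "/login_form"   # hypothetical path of the HTML login form
RETURN_PARAM = "came_from"   # hypothetical query parameter name


def login_redirect(requested_url):
    """Location value sent on 'Unauthorized' instead of a Basic-auth challenge."""
    parts = urlsplit(requested_url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    # Only path and query are recorded; scheme and host are dropped.
    return LOGIN_PATH + "?" + urlencode({RETURN_PARAM: target})


def return_target(login_url, default="/"):
    """Where to send the user after a successful login.

    The parameter is client-controlled, so only same-site absolute paths
    are accepted; anything else falls back to the default page.
    """
    values = parse_qs(urlsplit(login_url).query).get(RETURN_PARAM, [])
    if len(values) != 1:
        return default
    target = values[0]
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default               # absolute or scheme-relative URL
    if not target.startswith("/") or target.startswith("//"):
        return default
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return default               # backslashes and control characters
    if parts.path == LOGIN_PATH:
        return default               # would loop back to the login form
    return target
```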

   




Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-24 Thread Ivan Raikov

   
   Why not use logrotate, similarly to how you handle the Apache
logs? Or set a cron job to clear the logs, if you don't like logrotate...

[EMAIL PROTECTED] writes:

> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks?  It is also nice to have the tracebacks in the browser window
> for debugging...




Re: [Zope] Why can't I subclass a ZSQLMethod?

2000-07-03 Thread Ivan Raikov


What do you mean, you cannot get a view to it? I can change in the
management area. I believe ZSQL methods are not supposed to provide
the user interface; you use them the way you would use an external
method. That means you have to create the form that sends the query
parameters to the SQL method, and you have to write the DTML code that
obtains the result set, and displays it accordingly.

At least that's the way I do it; there might be a better way, I don't
know.

Best,
Ivan

"Cary O'Brien" [EMAIL PROTECTED] writes:

> I tried that.  You can't add a ZSQLMethod unless there is a connection
> for it to connect to.  There isn't a connection in the products area.
>
> Actually
>
> If I put a dummy gadfly connection in the Product folder, I can
> indeed add a zsql method to my ZClass.  However I can't get a
> view to it.  I can configure it as a view, but it doesn't show
> up in the management tabs.
>
> I guess it may be possible to leave it invisible and use
> other methods to set the query, arguments, and database
> connection.  More digging through the .py files!
>
> -- cary
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Why can't I subclass a ZSQLMethod?

2000-06-30 Thread Ivan Raikov


Why don't you create a ZClass and make the ZSQLMethod one of its
methods? Then the ZClass can provide the user interface to the SQL
query and the result set.

Regards,
Ivan Raikov

"Cary O'Brien" [EMAIL PROTECTED] writes:

> I want to wrap a presentation layer around ZSQLQueries, so that
> they will have methods to generate an input form [1] for the query,
> and generate tabular results if so desired.
>
> I tried to create a ZClass to do this, but I can't subclass from a
> ZSQLMethod.
>
> Any other ideas on how to do this (besides a class where you have
> to tell it the ZSQLMethod to use)?
>
> -- cary
>
> [1] Using sql.arguments_str to find out the arguments.  Finding THAT was
> a struggle!
 
 





[Zope] Adding the objects resulting from a ZSQL query to a Zope folder

2000-06-28 Thread Ivan Raikov


Hello, everybody,

Is there any way to programmatically add the objects returned from a
ZSQL method to a Zope Folder?

Thanks,
Ivan Raikov





[Zope] Making ZCatalog catalog the results from a ZSQL query

2000-06-27 Thread Ivan Raikov


Greetings,

How can I make a ZCatalog object catalog the result set produced
from a ZSQL method?

I'm subclassing ZCatalog and replacing the default manage_catalogFind
with a DTML method which in turn invokes a ZSQL method, but I get an
error, "You are not authorized to access SQLPatientSearch."
(SQLPatientSearch is the ZSQL method). I think I've set all
permissions right, so I don't know why I get this, but I was wondering
if someone can come up with an easier way to do this.

Thank you very much,
Ivan Raikov





[Zope] Zope Database Connection

2000-06-16 Thread Ivan Raikov


Hi all,

I am trying to figure out a way to use a Zope Database Connection
object from within a Python class, which is then going to be
subclassed by a ZClass. 

In my Python class, I want to have an instance of the parent class of
all Zope Database Connections, so that I can work with all types of
connections (be it Gadfly, Solid, or whatever). However, I am not sure
which class this is. I think it is
Shared.DC.ZRDB.Connection.Connection. Is that correct?

Also, in the creation form of my ZClass, I'd like to have a connection
selection dialog, similar to the one in the creation form of ZSQL
Method.
How do I get a list of connection instances in the current folder?

Thanks,
Ivan Raikov





[Zope] Current date in DTML

2000-06-06 Thread Ivan Raikov


Hey all,

How can I get the current date & time (preferably as a
DateTime.DateTime object) in DTML? I cannot instantiate a DateTime
object, because the DateTime module is not imported.

Thanks,
Ivan Raikov





[Zope] Zope and Python 1.6

2000-06-05 Thread Ivan Raikov


Hi all,

Does Zope run under Python 1.6? If not, is anybody working on a port? 


Thanks,
Ivan Raikov





[Zope-dev] ZServerSSL trouble

2000-05-31 Thread Ivan Raikov


Greetings,

I just installed ZServerSSL, but when I try to access the https server,
I get the following:

Traceback (innermost last):
  File "/home/ivan/src/Zope-2.1.6-src/z2s.py", line 681, in ?
    asyncore.loop()
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 115, in loop
    poll_fun (timeout)
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 62, in poll
    (r,w,e) = select.select (r,w,e, timeout)
ValueError: filedescriptor out of range in select()

I don't know enough about Zope innards, so I was wondering if someone
can explain when such a situation can occur. I also noticed that the
lists (or tuples) r and w get their values from an object called
`socket_map', so I'd like to know what the purpose of this object is,
and where it is initialized.

Regards,
Ivan Raikov





[Zope] ZServerSSL trouble

2000-05-30 Thread Ivan Raikov


Hello all,

I just installed ZServerSSL, and I'm having the following problem:

I start Zope with the command,

$ ./starts -w '' -f '' -W 8180 HTTPS=on

and it appears to boot up without problems. However, when I try to
access the default Zope page, Zope spits the following and dies:

Traceback (innermost last):
  File "/home/ivan/src/Zope-2.1.6-src/z2s.py", line 681, in ?
    asyncore.loop()
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 107, in loop
    poll_fun (timeout)
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 55, in poll
    (r,w,e) = select.select (r,w,e, timeout)
ValueError: filedescriptor out of range in select()


This is my configuration:


RedHat Linux 6.1
Python 1.5.2 (the RPM distribution in RH Linux 6.1)
Zope 2.1.6
M2crypto 0.05-snap2
ZServerSSL 0.04
OpenSSL 0.9.5a


Please help.

Thanks,
Ivan Raikov
