[Zope] Re: [squishdot] Announce: Squishdot 0.7.0 now available!
On Tue, 29 Aug 2000, Chris Withers wrote:
> I'm not 100% happy about how the 2.2 support was achieved, so expect a
> 0.7.1 release in the near future.

Is this the __allow_access_to_unprotected_subobjects__=1 within the Posting class you're referring to? How big of an issue is it using this within Squishdot, I mean, what kind of malicious things could be done to a Squishdot site with it set? Do you have any working ideas on how to deal with it without _allow_access...=1 ?

-Lance

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope-dev] Re: Better encapsulation is good...
On Fri, 25 Aug 2000, Chris McDonough wrote:
> Did you run the Article class through Globals.default__class_init__()?
> E.g. (at the module level), e.g.:
>
>   Globals.default__class_init__(Article)

Yes, I tried this too, (saw it in the mailing list archive). I still don't understand why it's not working. I can give you the exact line where in the validate() method in ZopeSecurityPolicy.py it's failing (line 161), if it helps at all (again, I'm not well versed in the Zope security internals):

    if p is None:
        p=getattr(container, '__allow_access_to_unprotected_subobjects__', None)

getattr() returns None, then this happens:

    if not p:
        if (containerbase is accessedbase):
            raise 'Unauthorized', cleanupName(name, value)

Any suggestions would be helpful,

-Lance
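The check quoted in the message above, as a simplified stand-alone model (an added example, not Zope's or Squishdot's code; the `Declared` and `OptIn` classes and the `allowed` helper are hypothetical). It shows that a name with no declared roles is refused while the flag is unset, and that setting the flag to 1 serves the same name with no role check at all.

```python
# Simplified model, not Zope's code; all names here are hypothetical.
class Unauthorized(Exception):
    pass

_noroles = object()  # sentinel: no roles were declared for this name

def declared_roles(container, name):
    """Look up roles in an __ac_permissions__-style (permission, names, roles) table."""
    for _perm, names, roles in getattr(container, "__ac_permissions__", ()):
        if name in names:
            return roles
    return _noroles

def validate(container, name, user_roles):
    """Return True when access to container.<name> is allowed, else raise."""
    if name.startswith("_"):
        raise Unauthorized(name)      # model choice: private names never exposed
    roles = declared_roles(container, name)
    if roles is _noroles:
        # Unprotected sub-object: only the container-wide opt-in can allow it.
        p = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
        if not p:
            raise Unauthorized(name)  # the failure described in the message
        return True                   # flag set: allowed with no role check
    if set(roles) & set(user_roles):
        return True
    raise Unauthorized(name)

class Declared:
    """Constructed sample: two names declared, one forgotten."""
    __ac_permissions__ = (
        ("Use Squishfile Objects", ("icon", "file_name"), ("Anonymous", "Manager")),
    )
    def icon(self): return "misc_/Squishdot/squishfile_img"
    def file_name(self): return "notes.txt"
    def raw_bytes(self): return b"constructed"   # no declaration

class OptIn(Declared):
    __allow_access_to_unprotected_subobjects__ = 1  # blanket opt-in

def allowed(obj, name, user_roles=("Anonymous",)):
    try:
        return validate(obj, name, user_roles)
    except Unauthorized:
        return False

if __name__ == "__main__":
    for cls in (Declared, OptIn):
        print(cls.__name__, {n: allowed(cls(), n) for n in ("icon", "raw_bytes", "_p")})
```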
[Zope-dev] Re: Yup, the problem's still there...
Ah That would explain it! How about this, instead of an attribute, I created a method:

    def icon(self):
        return 'misc_/Squishdot/squishfile_img'

This seemed to work. Attached is the patch. Comments?

-Lance

On Tue, 22 Aug 2000, Chris Withers wrote:
> Lance wrote:
> > I think you have to not only inherit RoleManager, but
> > OFS.SimpleItem.Item as well. At least, that's what the Security HOWTO
> > seems to imply.
>
> No, it shouldn't :( SimpleItem.Item has
> __allow_access_to_unprotected_subobjects__=1 in it, so it just masks the
> problem rather than solving it properly...
>
> cheers,
>
> Chris

*** Squishfile.py Tue Aug 22 09:50:10 2000 --- Squishfile.py.orig Mon Aug 21 20:21:01 2000 *** *** 127,144 from Globals import Persistent from Acquisition import Acquirer from Globals import HTML ! from ImageFile import ImageFile ! from AccessControl.Role import RoleManager ! #from creosote import spew sep=re.compile('|/|:') # handle windows(\)/unix(/)/mac(:) path separators ! class Squishfile(Acquirer,Persistent,RoleManager): """ """ ! __ac_permissions__=( ! ('Use Squishfile Objects',['file_name','file_type','content_type', 'file_kbytes', 'date_created','date_modified','icon','file_bytes'], ('Anonymous', 'Manager')), ! ) _types={'application/octet-stream': 'Binary File', 'application/x-gzip' : 'Compressed File', 'application/x-compress': 'Compressed File', --- 127,141 from Globals import Persistent from Acquisition import Acquirer from Globals import HTML ! from ImageFile import ImageFile #from creosote import spew sep=re.compile('|/|:') # handle windows(\)/unix(/)/mac(:) path separators ! class Squishfile(Acquirer,Persistent): """ """ ! icon='misc_/Squishdot/squishfile_img' ! 
_types={'application/octet-stream': 'Binary File', 'application/x-gzip' : 'Compressed File', 'application/x-compress': 'Compressed File', *** *** 173,180 #spew('sqf ctype: ' + self._ctype) self._created =time.time() self._modified=self._created - def icon(self): - return 'misc_/Squishdot/squishfile_img' def content_type(self): """ content type """ --- 170,175 *** *** 213,221 return self._file index_html=__repr__ - - - - - - --- 208,210
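Review bot: the file headers are in the wrong order, so every hunk reads backwards. `*** Squishfile.py Tue Aug 22` (the edited file) is the "from" side and `--- Squishfile.py.orig Mon Aug 21` is the "to" side; in the first hunk (127,144) the RoleManager import, the RoleManager base class and the __ac_permissions__ tuple sit on the old side and the bare icon attribute on the new side, and the hunk at 173,180 shows `def icon(self):` as removed lines although the message says the method was added. Applied as posted, the patch would take the security declarations out rather than put them in. Regenerate it with the original first, e.g. `diff -c Squishfile.py.orig Squishfile.py`.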
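Review bot: in the hunk at 173,180, icon() has no docstring while content_type() directly below it carries one (`""" content type """`). Both names are listed under 'Use Squishfile Objects', so either give icon() a one-line docstring or add a comment that the omission is deliberate; under Zope the docstring also decides whether a method can be published directly by URL, so the choice should be stated rather than left implicit.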
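Review bot: the last hunk (213,221 against 208,210) differs only by six empty lines after `index_html=__repr__`. Drop the trailing blank lines from Squishfile.py so the patch carries nothing but the permission change.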
[Zope] Re: [squishdot] Squishdot and ZCatalog, Zope 2.2
On Mon, 21 Aug 2000, Chris Withers wrote:
> [EMAIL PROTECTED] wrote:
> > I checked out the latest CVS source, and noticed you called
> > self.catalog_object() like this:
> >
> >   self.catalog_object(obj,'/'+join(self.getPhysicalPath(),'/')+'/'+obj.thread_path()+'/'+`id`)
> >
> > When I went to look at the catalog entries after adding a new site
> > within a folder called myfolder, I noticed the new entries showed up as:
> >
> >   /newsquish/id
> >
> > When I clicked on the link, I received an error saying it can't find
> > the object. I don't think a leading '/' should be supplied to
> > catalog_object(). I tried to update the catalog, which promptly removed
> > all the postings from the catalog. When I re-cataloged the postings,
> > the entries were now showing up as:
> >
> >   //myfolder/newsquish//id
>
> Sounds like Zope 2.1.6 to me. If you try it on Zope 2.2.0 it works fine,
> for me anyway :S

I'm running 2.2.0 (I swear!), with the latest Hotfix. I create a Squishdot Site named groucho at the root. When I go to the Options tab and hit re-catalog button, then go to the Cataloged Objects tab (which I had to uncomment in the source to access), the catalog entries are listed as:

    //groucho//966886273
    //groucho//

...and so on. I also create another squishdot site under the folder /myfolder , called harpo . When I go to the Cataloged Objects tab, the articles are listed as:

    /harpo/966886570
    /harpo/

...and so on. This isn't right. So I go to the Options tab, hit the re-catalog button, then go back to the Cataloged Objects tab, and they're now listed as:

    //newfolder/harpo//966886570
    //newfolder/harpo//

...whatever. This hasn't happened to you? Is there anyone out there who can test this out as well, with the Squishdot from CVS?

> > Also, the setItem() method in the Squishsite class (different from the
> > setItem() method in the Posting class) is the only place where using
> > the absolute_url() method doesn't work.
>
> It's cos the 2.2.0 implementation of absolute_url requires a REQUEST,
> which it doesn't get in setItem(). This is fixed in 2.2.1 apparently...

Had I known that REQUEST requirement was a bug, I would've reported it earlier. Which is the preferred method then, absolute_url() or getPhysicalPath() ?

> > I've noticed in all the other methods it's called from, it returns the
> > proper result. The same actually goes for the getPhysicalPath() method,
> > all the double slashes aside. Notice in the above examples, when the
> > postings were initially loaded, getPhysicalPath() returns only
> > newsquish, whereas everywhere else, it returns /myfolder/newsquish .
>
> haven't noticed this at all... what version of Zope are you using?

Zope 2.2.0, I swear!!

-Lance