[Zope] Re: [squishdot] Announce: Squishdot 0.7.0 now available!

2000-08-31 Thread odysseus


On Tue, 29 Aug 2000, Chris Withers wrote:

> I'm not 100% happy about how the 2.2 support was achieved, so expect a
> 0.7.1 release in the near future.

Is this the __allow_access_to_unprotected_subobjects__=1 within the
Posting class you're referring to? How big of an issue is it using this
within Squishdot, I mean, what kind of malicious things could be done to a
Squishdot site with it set?

Do you have any working ideas on how to deal with it without
_allow_access...=1 ?

-Lance





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




RE: [Zope-dev] Re: Better encapsulation is good...

2000-08-25 Thread odysseus

On Fri, 25 Aug 2000, Chris McDonough wrote:
 
> Did you run the Article class through Globals.default__class_init__()?
> E.g. (at the module level), e.g.:
>
> Globals.default__class_init__(Article)
 

Yes, I tried this too, (saw it in the mailing list archive). 

I still don't understand why it's not working. I can give you the exact
line where in the validate() method in ZopeSecurityPolicy.py it's failing
(line 161), if it helps at all (again, I'm not well versed in the Zope
security internals):
    if p is None:
        p=getattr(container,
                  '__allow_access_to_unprotected_subobjects__', None)

getattr() returns None, then this happens:

    if not p:
        if (containerbase is accessedbase):
            raise 'Unauthorized', cleanupName(name, value)

Any suggestions would be helpful,

-Lance
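
Added example (not part of the original messages, and not Zope's code): a simplified Python model of the fall-through quoted above, which also bears on the question in the 2000-08-31 message about what __allow_access_to_unprotected_subobjects__=1 exposes. The classes, attribute values and role names are constructed, and the containerbase/accessedbase comparison from the quoted lines is left out.

```python
class Unauthorized(Exception):
    """Raised when the model policy refuses an access."""

FLAG = '__allow_access_to_unprotected_subobjects__'

def validate(container, name, user_roles):
    """Return the attribute if the model policy allows it, else raise."""
    value = getattr(container, name)
    # Explicit declaration first: a <name>__roles__ attribute decides by role.
    # (Constructed by hand here; a stand-in for a per-method declaration.)
    roles = getattr(container, name + '__roles__', None)
    if roles is not None:
        if set(roles) & set(user_roles):
            return value
        raise Unauthorized(name)
    # Nothing declared: fall back to the container-wide flag, as in the
    # quoted lines. A missing or false flag means the access is refused.
    if not getattr(container, FLAG, None):
        raise Unauthorized(name)
    return value

class BlanketPosting:
    """Constructed class: the flag opens every undeclared attribute."""
    __allow_access_to_unprotected_subobjects__ = 1
    title = 'Hello'
    reviewer_notes = 'internal only'   # never meant to reach a template

class DeclaredPosting:
    """Constructed class: no flag, access declared name by name."""
    title = 'Hello'
    title__roles__ = ('Anonymous', 'Manager')
    reviewer_notes = 'internal only'
    reviewer_notes__roles__ = ('Manager',)
    body = 'undeclared'                # no roles and no flag: refused

def reachable(obj, names, user_roles):
    """Return the subset of names that user_roles can read on obj."""
    allowed = []
    for name in names:
        try:
            validate(obj, name, user_roles)
            allowed.append(name)
        except Unauthorized:
            pass
    return allowed
```

In this model the flag makes every attribute added later readable by default, while the declared class refuses anything nobody remembered to declare.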







[Zope-dev] Re: Yup, the problem's still there...

2000-08-22 Thread odysseus


Ah That would explain it!

How about this, instead of an attribute, I created a method:
 def icon(self):
   return 'misc_/Squishdot/squishfile_img'

This seemed to work. Attached is the patch. Comments?

-Lance

On Tue, 22 Aug 2000, Chris Withers wrote:

> Lance wrote:
> > I think you have to not only
> > inherit RoleManager, but OFS.SimpleItem.Item as well. At least, that's what
> > the Security HOWTO seems to imply.
>
> No, it shouldn't :(
>
> SimpleItem.Item has __allow_access_to_unprotected_subobjects__=1 in it,
> so it just masks the problem rather than solving it properly...
>
> cheers,
>
> Chris
 


*** Squishfile.py   Tue Aug 22 09:50:10 2000
--- Squishfile.py.orig  Mon Aug 21 20:21:01 2000
***
*** 127,144 
  from Globals import Persistent  
  from Acquisition import Acquirer  
  from Globals import HTML  
! from ImageFile import ImageFile
! from AccessControl.Role import RoleManager
! 
  #from creosote import spew  

  sep=re.compile('|/|:')  # handle windows(\)/unix(/)/mac(:) path separators  

! class Squishfile(Acquirer,Persistent,RoleManager):  
  """ """  
! __ac_permissions__=(
! ('Use Squishfile Objects',['file_name','file_type','content_type', 
'file_kbytes', 'date_created','date_modified','icon','file_bytes'], ('Anonymous', 
'Manager')),
! )
  _types={'application/octet-stream': 'Binary File',  
  'application/x-gzip' :  'Compressed File',  
  'application/x-compress':   'Compressed File',  
--- 127,141 
  from Globals import Persistent  
  from Acquisition import Acquirer  
  from Globals import HTML  
! from ImageFile import ImageFile  
  #from creosote import spew  

  sep=re.compile('|/|:')  # handle windows(\)/unix(/)/mac(:) path separators  

! class Squishfile(Acquirer,Persistent):  
  """ """  
! icon='misc_/Squishdot/squishfile_img'  
!   
  _types={'application/octet-stream': 'Binary File',  
  'application/x-gzip' :  'Compressed File',  
  'application/x-compress':   'Compressed File',  
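Review bot: In the __ac_permissions__ tuple, 'Use Squishfile Objects' defaults to both Anonymous and Manager for all eight accessors, file_bytes included; a comment above the tuple saying that anonymous access is intended would keep that default from being read as an oversight later. The tuple has also been wrapped by the mailer onto three lines, the last two without a "!" marker, so this hunk will not apply as posted; breaking the name list over several short source lines would let it survive mailing.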
***
*** 173,180 
  #spew('sqf ctype: ' + self._ctype)  
  self._created =time.time()  
  self._modified=self._created  
- def icon(self):
-   return 'misc_/Squishdot/squishfile_img'

  def content_type(self):  
  """ content type """  
--- 170,175 
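Review bot: The diff was generated with the two files in reverse order: the header names Squishfile.py (Aug 22) as the old file and Squishfile.py.orig (Aug 21) as the new one, so the def icon(self) method that the message describes as the fix is marked "-" here. Applied as posted, the patch would remove the method instead of adding it; regenerate it as diff -c Squishfile.py.orig Squishfile.py. The new method also lacks a docstring, unlike content_type directly below it.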
***
*** 213,221 
  return self._file  

  index_html=__repr__  
- 
- 
- 
- 
- 
- 
--- 208,210 
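Review bot: The six lines marked "-" in this last hunk are blank lines at the end of the modified file. They are unrelated to the icon and permission change and should be dropped before the patch is regenerated.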



[Zope] Re: [squishdot] Squishdot and ZCatalog, Zope 2.2

2000-08-21 Thread odysseus

On Mon, 21 Aug 2000, Chris Withers wrote:

> [EMAIL PROTECTED] wrote:
> > I checked out the latest CVS source, and noticed you called
> > self.catalog_object() like this:
> >
> > self.catalog_object(obj,'/'+join(self.getPhysicalPath(),'/')+'/'+obj.thread_path()+'/'+`id`)
> >
> > When I went to look at the catalog entries after adding a new site within
> > a folder called myfolder, I noticed the new entries showed up as:
> >
> > /newsquish/id
> >
> > When I clicked on the link, I received an error saying it can't find the
> > object. I don't think a leading '/' should be supplied to
> > catalog_object(). I tried to update the catalog, which promptly removed
> > all the postings from the catalog. When I re-cataloged the postings, the
> > entries were now showing up as:
> >
> > //myfolder/newsquish//id
>
> Sounds like Zope 2.1.6 to me
>
> If you try it on Zope 2.2.0 it works fine, for me anyway :S

I'm running 2.2.0 (I swear!), with the latest Hotfix. I create a Squishdot
Site named groucho at the root. When I go to the Options tab and hit
re-catalog button, then go to the Cataloged Objects tab (which I had to
uncomment in the source to access), the catalog entries are listed as:

//groucho//966886273
//groucho// ...and so on.

I also create another squishdot site under the folder /myfolder , called
harpo . When I go to the Cataloged Objects tab, the articles are listed
as:

/harpo/966886570
/harpo/ ...and so on.

This isn't right. So I go to the Options tab, hit the re-catalog button,
then go back to the Cataloged Objects tab, and they're now listed as:

//newfolder/harpo//966886570
//newfolder/harpo// ...whatever.

This hasn't happened to you? Is there anyone out there who can test this
out as well, with the Squishdot from CVS?

 
> > Also, the setItem() method in the Squishsite class (different from the
> > setItem() method in the Posting class) is the only place where using the
> > absolute_url() method doesn't work.
>
> It's cos the 2.2.0 implementation of absolute_url requires a REQUEST,
> which it doesn't get in setItem(). This is fixed in 2.2.1 apparently...

Had I known that REQUEST requirement was a bug, I would've reported it
earlier. Which is the preferred method then, absolute_url() or
getPhysicalPath() ?

 
> > I've noticed in all the other methods
> > it's called from, it returns the proper result. The same actually goes for
> > the getPhysicalPath() method, all the double slashes aside. Notice in the
> > above examples, when the postings were initially loaded,
> > getPhysicalPath() returns only newsquish, whereas everywhere else, it
> > returns /myfolder/newsquish .
>
> haven't noticed this at all... what version of Zope are you using?

Zope 2.2.0, I swear!!

-Lance

