[Zope] Re: [Zope-dev] RE: [Zope] ZDESIGN IDEAS = How to improve 'manage'??
This thread should not be crossposted to both mailing lists. I posted a followup to zope-dev, please see there if you want to respond.

In general, please do *not* cross-post - it's almost never justified, certainly isn't in this case.

Ken Manheimer [EMAIL PROTECTED]

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
My view is that as a sysadmin, I'd rather give ZOPE superuser/manager the ability to install products through ZOPE, rather than giving them access to the OS.

Another view I have is that I do not want my developers to think about which platform they are working on. ZOPE runs on a variety of OSes and each one of them has its own way of providing file/directory security (or no security win9x). Zope should rely on its own security for its products.

..IMHO

Mohan

-Original Message-
From: Martijn Pieters [mailto:[EMAIL PROTECTED]]On Behalf Of Martijn Pieters
Sent: Tuesday, January 09, 2001 9:42 AM
To: Mohan Baro
Cc: Jason Cunliffe; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?

On Mon, Jan 08, 2001 at 12:18:37PM -0500, Mohan Baro wrote:
> Are you planning a manage_install for products?
> The ability for superusers to install complete products directly through
> the management interface, no need for ftp.
> similar to import/export feature

I hope not!

Anyone gaining management access to your Zope server will be able to install arbitrary products on your server and gain access to the file system.

There is a strict dividing line between the file system and the ZMI, allowing installation through the web interface will cross that line with one giant step.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
* Joachim Werner sez:

> Again you are right, but as Zope is really easy to install, I'd guess that it
> is not only used (and installed) by "uberadmins" who know exactly what they
> are doing ...

Hmmm... coming to think about it. Zope comes with /Extensions as drwxrwxr-x and UID='nobody' in z2.py. Unless the admin modifies the standard setup, he's at least safe from people putting stuff into his /Extensions.

You're right at a general level, tho. Hmm, wonder if I should write a Zope-chroot-howto :)

Windoze-Zope-Users, on the other hand... well...

jonas

--
Jonas Luster -- http://smurftarget.net (while netwarriors.org is down) -- [EMAIL PROTECTED]
Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
> > - You can work with full SSL-encryption, maybe even client certificates.
> >   This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP,
> >   while being the "better TELNET/FTP" is not always an option, and it
> >   always opens up more than necessary)
>
> what exactly does SSH open up 'more than necessary'. Sufficient clue on
> admin's side provided?

Of course, "sufficient clue on admin's side provided", you are right. But I don't know too many cases of perfectly secure configurations ...

> > - People won't hack together their own solutions for the problem (with
> >   LocalFS installed and me having the rights to add LocalFS instances,
> >   it would take me not very long to "infiltrate" any Zope server. Just add
> >   the "Extensions" folder via LocalFS and upload all you need as External
> >   Methods ...)
>
> That requires a few things, if I am not mistaken...
>
> a) ZServer runs as anything but nobody/nogroup and is not
>    jail(8)ed/chrooted. If that is the case, well, I'd personally shoot
>    the admin responsible for that if something comes up.
>
> b) ${ZOPEROOT}/Extensions allows nobody to write into it - shoot admin.

Again you are right, but as Zope is really easy to install, I'd guess that it is not only used (and installed) by "uberadmins" who know exactly what they are doing ...

Joachim
Re: [Zope] Re: [Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
* Joachim Werner sez:

Ok, let me try to understand this one. I am a bit dumb, sorry...

> - You can work with full SSL-encryption, maybe even client certificates.
>   This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP,
>   while being the "better TELNET/FTP" is not always an option, and it
>   always opens up more than necessary)

what exactly does SSH open up 'more than necessary'. Sufficient clue on admin's side provided?

> - People won't hack together their own solutions for the problem (with
>   LocalFS installed and me having the rights to add LocalFS instances, it
>   would take me not very long to "infiltrate" any Zope server. Just add the
>   "Extensions" folder via LocalFS and upload all you need as External
>   Methods ...)

That requires a few things, if I am not mistaken...

a) ZServer runs as anything but nobody/nogroup and is not jail(8)ed/chrooted. If that is the case, well, I'd personally shoot the admin responsible for that if something comes up.

b) ${ZOPEROOT}/Extensions allows nobody to write into it - shoot admin.

http://www.post1.com/home/ngps is a good way to start securing Zope, the problem of transmitting passwords in the clear is a big one, but has been solved at my domains by deploying SecurID-tokens, which might not be the ultimate solution (lots of stuff I wanted to hide is still transmitted in the clear) but is a good start.

jonas

--
Jonas Luster -- http://smurftarget.net (while netwarriors.org is down) -- [EMAIL PROTECTED]
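The write-access precondition discussed in this message can be checked from the file system. The following is an added example, not part of the original messages and not Zope code: it reports whether a given service account could write into an Extensions tree, judging by classic Unix mode bits only. The account ids, the sample directory and the file name `example_method.py` are constructed for illustration.

```python
import os
import stat
import tempfile


def may_write(st, uid, gids):
    """Can the account (uid, gids) write to the object described by st?

    Classic Unix mode bits only; ACLs, read-only mounts and chroot/jail
    boundaries are outside what this check can see.
    """
    if uid == 0:
        return True  # root is not restricted by mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_extensions(path, uid, gids):
    """Return (path, problem) findings for an Extensions tree.

    uid/gids describe the account the Zope process runs as.
    """
    if os.path.islink(path):
        return [(path, "symlink: audit the directory it points to")]
    findings = []
    for root, dirs, files in os.walk(path):  # does not follow symlinks
        for entry in [root] + [os.path.join(root, n) for n in dirs + files]:
            st = os.lstat(entry)
            if stat.S_ISLNK(st.st_mode):
                findings.append((entry, "symlink inside Extensions"))
            elif entry != root and stat.S_ISDIR(st.st_mode):
                continue  # real subdirectories are checked as their own root
            elif st.st_mode & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
            elif may_write(st, uid, gids):
                findings.append((entry, "writable by the Zope account"))
    return findings


def build_sample(dir_mode, file_mode=0o644):
    """Constructed sample: a temporary 'Extensions' dir holding one module."""
    top = tempfile.mkdtemp(prefix="Extensions-")
    module = os.path.join(top, "example_method.py")
    with open(module, "w") as fh:
        fh.write("def hello(self):\n    return 'hi'\n")
    os.chmod(module, file_mode)
    os.chmod(top, dir_mode)
    return top


if __name__ == "__main__":
    top = build_sample(0o775)  # drwxrwxr-x, the mode mentioned in the thread
    owner = os.lstat(top)
    # Hypothetical unprivileged service account, distinct from the owner.
    svc_uid, svc_gids = owner.st_uid + 1000, {owner.st_gid + 1000}
    print("0775, separate account:", audit_extensions(top, svc_uid, svc_gids))
    print("0775, account in group:", audit_extensions(top, svc_uid, {owner.st_gid}))
    os.chmod(top, 0o777)
    print("0777:", audit_extensions(top, svc_uid, svc_gids))
```

An empty result means the mode bits do not let that account write into the tree; it says nothing about whether the process is also confined by chroot or jail.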
[Zope] Re: [Zope-dev] Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
On Tuesday 09 January 2001 15:41, Martijn Pieters wrote:
> On Mon, Jan 08, 2001 at 12:18:37PM -0500, Mohan Baro wrote:
> > Are you planning a manage_install for products?
> > The ability for superusers to install complete products directly through
> > the management interface, no need for ftp.
> > similar to import/export feature
>
> I hope not!
>
> Anyone gaining management access to your Zope server will be
> able to install arbitrary products on your server and gain access to the
> file system.
>
> There is a strict dividing line between the file system and the ZMI,
> allowing installation through the web interface will cross that line with
> one giant step.

I think this is a political one. For me, the things that are really valuable on a web site are the data and the user information, which both are available through the web interface. At least if Zope runs as a user and has its own home directory, the additional damage that can be caused by people with file system access is not very high. O.k., they can shut down my server. They can do that by using "manage_shutdown" from the web anyway. Same with deleting all data on the server.

IMHO a well-designed "over-the-web" installation concept would make Zope MORE secure, not less e.g.:

- You can work with full SSL-encryption, maybe even client certificates. This is much more secure than TELNET or FTP. (Unfortunately, SSH/SCP, while being the "better TELNET/FTP" is not always an option, and it always opens up more than necessary)

- People won't hack together their own solutions for the problem (with LocalFS installed and me having the rights to add LocalFS instances, it would take me not very long to "infiltrate" any Zope server. Just add the "Extensions" folder via LocalFS and upload all you need as External Methods ...)

Cheers,

Joachim.
Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
On Mon, Jan 08, 2001 at 12:18:37PM -0500, Mohan Baro wrote:
> Are you planning a manage_install for products?
> The ability for superusers to install complete products directly through
> the management interface, no need for ftp.
> similar to import/export feature

I hope not!

Anyone gaining management access to your Zope server will be able to install arbitrary products on your server and gain access to the file system.

There is a strict dividing line between the file system and the ZMI, allowing installation through the web interface will cross that line with one giant step.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
Re: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
On Mon, Jan 08, 2001 at 11:19:36AM -0500, Jason Cunliffe wrote:
> The need to improve the manage interface has grown urgently clear to me
> while using Zope myself, designing for all sorts of community and
> collaborative Zope-based projects, demos for a number of innocent
> bystanders, interested parties and potential clients.
> Zope 'manage' is plain primitive at present.
>
> Considering the power of Zope, and the real workflow needs of people working
> with it, imho this present lack of thoughtful user interface makes no sense.
> By ignoring these basics, Zope is neglecting a #1 self-promotion
> opportunity - how it runs out of the box, and how quickly one can use it as
> site-planning/design tool. It is quite unproductive now compared to what it
> could/should be.
>
> I am looking for real help here on how best to improve this...
>
> Here is a list of features I believe should be default manage screen
> behavior now.
> Please submit your comments and improvements to these improvements:
>
> KISS
> For those who do not want any added features, there should be an option in
> z2.py or as a manage_config DTML method in "/" or anywhere else in the tree
> to enable or disable 'advanced manage' features.
>
> ---
> 1. SORT TABLE
> 'manage' needs to be presented with basic column listings so one can display
> sort by headings.
>
> I am not sure if this turns into a CatalogAware Inferno or whether all this
> info is already hidden in the ZODB and could be extracted and cached
> sensibly and quickly. What do you think?
>
> For example some headings I see a real need for:
>
> NAME [default now], DATE[created, last modified] SIZE, TYPE[meta-type],
> USER[default=owner], DEPTH, COUNT, CHANGES, PROPERTY, DISPLAY

The created date is not available in the ZODB. Depth I'd rather not use; you don't want to wake up a huge subtree (like the Zope.org Members folder) when determining the depth of a tree.

There has been some discussion about using the 'title' attribute of HTML tags to add additional mouse-over visible information to objects, I think a lot of the information fields you describe may have a place in that field (and not clutter up the view).

> How easy hard is the above to do?
> Has it already been done?
> What techniques/components exists already to make it happen?
> What needs to be developed?
> How does this affect Zope core?
> What would you like to see when you click on manage?
> What would your clients like to see?

If you check out Zope 2.3 from CVS now, you'll see that a great many changes have been made to the Zope Management Interface, including some of the changes you listed, like sorting.

--
Martijn Pieters
| Software Engineer mailto:[EMAIL PROTECTED]
| Digital Creations http://www.digicool.com/
| Creators of Zope http://www.zope.org/
[Zope] ZDESIGN IDEAS = How to improve 'manage' ?
Jason mentioned :

> The need to improve the manage interface has grown urgently
> clear to me while using Zope myself, designing for all sorts
> of community and collaborative Zope-based projects, demos for
> a number of innocent bystanders, interested parties and
> potential clients. Zope 'manage' is plain primitive at present.

(and lots more)

Though I haven't seen much in the way of details, the link below may overlap to some degree:

http://dev.zope.org/Wikis/DevSite/Projects/ManagementInterfaceQuickFix/FrontPage

and from the looks of :

http://dev.zope.org/Wikis/DevSite/Projects/ManagementInterfaceQuickFix/CurrentStatus

things seem to be moving ahead. There are so many projects it's not really possible to stay on top of it all, at least for me.

Keep in mind that PTK is rapidly approaching v. 1.0, and for what you have described as your project range, that may have a huge impact. See:

http://lists.zope.org/pipermail/zope-web/2001-January/000275.html

especially:

> However it sounds like what you really want is the PTK:
>
> http://www.zope.org/Products/PTK/
>
> The CVS version of PTK is more friendly to WebDAV, especially when
> combined with Zope 2.3's ability to run on a "source port" (that
> is, a port where GET requests don't render the document). I
> believe Martijn will be working on getting HiperDOM templates as a
> content type for PTK.
>
> With this you can have resources that have to go through a simple
> role-based approval system.
>
> I'm really looking forward to the next six or so weeks when the
> dust settles on all this.

Later,

Jerry S.
RE: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?
Are you planning a manage_install for products?
The ability for superusers to install complete products directly through the management interface, no need for ftp.
similar to import/export feature

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Cunliffe
Sent: Monday, January 08, 2001 11:20 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Zope] ZDESIGN IDEAS = How to improve 'manage' ?

Hello

I am cross posting this because I believe it merits response from both lists..

The need to improve the manage interface has grown urgently clear to me while using Zope myself, designing for all sorts of community and collaborative Zope-based projects, demos for a number of innocent bystanders, interested parties and potential clients. Zope 'manage' is plain primitive at present.

Considering the power of Zope, and the real workflow needs of people working with it, imho this present lack of thoughtful user interface makes no sense. By ignoring these basics, Zope is neglecting a #1 self-promotion opportunity - how it runs out of the box, and how quickly one can use it as site-planning/design tool. It is quite unproductive now compared to what it could/should be.

I am looking for real help here on how best to improve this...

Here is a list of features I believe should be default manage screen behavior now. Please submit your comments and improvements to these improvements:

KISS
For those who do not want any added features, there should be an option in z2.py or as a manage_config DTML method in "/" or anywhere else in the tree to enable or disable 'advanced manage' features.

---
1. SORT TABLE
'manage' needs to be presented with basic column listings so one can display sort by headings.

I am not sure if this turns into a CatalogAware Inferno or whether all this info is already hidden in the ZODB and could be extracted and cached sensibly and quickly. What do you think?

For example some headings I see a real need for:

NAME [default now], DATE[created, last modified] SIZE, TYPE[meta-type], USER[default=owner], DEPTH, COUNT, CHANGES, PROPERTY, DISPLAY

NAME
should be like now, but one needs to be able to group things more sensibly, so that upper and lower-case can be ignored. For example: MYFOLDER, myFolder_config, MyFOLDER_Display could all be grouped together where they probably belong.

DATE
Fact of the matter is that, during development and very often during normal life, we need to work on things according to the most recent ordering. This is also an invaluable way for people on a development team to see what has been 'happening'. Since Zope is a tool for 'customers who have customers who have customers...' it means that even after the original site DTML/Python developers may have gone home, a Zopesite is under development as long as it is being used and growing. All of those users, especially deserve better means to see and understand how the site is working and to allow them to work better together.

SIZE
How big is this thing? When I look at a graphic is it a thumbnail icon or a hires scan? What about PDF? What about folders - how to calculate the size of folder?

TYPE
Display objects sorted by TYPE.

USER
Default sorts by Owner, but could also be designed to sort by last user who accessed the object.

DEPTH
How many levels below this thing? This would only work for Zope folders. An essential indicator of hidden complexity/importance etc.

COUNT
How many things are contained here? Targeted mainly for Zope Folders to allow one to get a good quick overview of site structure without needing to click through a lot of trees of nested manage screens. COUNT could be nicely integrated with DEPTH feature above to make for a more compact interface. If the object is not Folder-like, then COUNT could perhaps be used to display references or some such. In other words, how many times is this object referred to explicitly? I realize that dynamic Zopesite references * acquisition could make this a painful/impossible question. But counting static references could be very useful. How should COUNT work with say 'standard_html_header'? hmmm not sure.. My idea is that at a minimum it could estimate how many references existed below this part of the ZODB tree.

CHANGES
The idea here is to give a useful indication of objects which have changed. But when and how? I really don't have an answer to this...
- perhaps a limited search using UNDO mechanism
- perhaps a simple user ID and date which showed the last person to change it.

PROPERTY
This one should be easy.. sort and display all objects in 'manage' based on common property names and values. For example, have a property called 'status' - values might be 'OK', 'buggy', 'draft', 'approved' etc. Too many properties and too many values would
[Zope] ZDESIGN IDEAS = How to improve 'manage' ?
Hello

I am cross posting this because I believe it merits response from both lists..

The need to improve the manage interface has grown urgently clear to me while using Zope myself, designing for all sorts of community and collaborative Zope-based projects, demos for a number of innocent bystanders, interested parties and potential clients. Zope 'manage' is plain primitive at present.

Considering the power of Zope, and the real workflow needs of people working with it, imho this present lack of thoughtful user interface makes no sense. By ignoring these basics, Zope is neglecting a #1 self-promotion opportunity - how it runs out of the box, and how quickly one can use it as site-planning/design tool. It is quite unproductive now compared to what it could/should be.

I am looking for real help here on how best to improve this...

Here is a list of features I believe should be default manage screen behavior now. Please submit your comments and improvements to these improvements:

KISS
For those who do not want any added features, there should be an option in z2.py or as a manage_config DTML method in "/" or anywhere else in the tree to enable or disable 'advanced manage' features.

---
1. SORT TABLE
'manage' needs to be presented with basic column listings so one can display sort by headings.

I am not sure if this turns into a CatalogAware Inferno or whether all this info is already hidden in the ZODB and could be extracted and cached sensibly and quickly. What do you think?

For example some headings I see a real need for:

NAME [default now], DATE[created, last modified] SIZE, TYPE[meta-type], USER[default=owner], DEPTH, COUNT, CHANGES, PROPERTY, DISPLAY

NAME
should be like now, but one needs to be able to group things more sensibly, so that upper and lower-case can be ignored. For example: MYFOLDER, myFolder_config, MyFOLDER_Display could all be grouped together where they probably belong.

DATE
Fact of the matter is that, during development and very often during normal life, we need to work on things according to the most recent ordering. This is also an invaluable way for people on a development team to see what has been 'happening'. Since Zope is a tool for 'customers who have customers who have customers...' it means that even after the original site DTML/Python developers may have gone home, a Zopesite is under development as long as it is being used and growing. All of those users, especially deserve better means to see and understand how the site is working and to allow them to work better together.

SIZE
How big is this thing? When I look at a graphic is it a thumbnail icon or a hires scan? What about PDF? What about folders - how to calculate the size of folder?

TYPE
Display objects sorted by TYPE.

USER
Default sorts by Owner, but could also be designed to sort by last user who accessed the object.

DEPTH
How many levels below this thing? This would only work for Zope folders. An essential indicator of hidden complexity/importance etc.

COUNT
How many things are contained here? Targeted mainly for Zope Folders to allow one to get a good quick overview of site structure without needing to click through a lot of trees of nested manage screens. COUNT could be nicely integrated with DEPTH feature above to make for a more compact interface. If the object is not Folder-like, then COUNT could perhaps be used to display references or some such. In other words, how many times is this object referred to explicitly? I realize that dynamic Zopesite references * acquisition could make this a painful/impossible question. But counting static references could be very useful. How should COUNT work with say 'standard_html_header'? hmmm not sure.. My idea is that at a minimum it could estimate how many references existed below this part of the ZODB tree.

CHANGES
The idea here is to give a useful indication of objects which have changed. But when and how? I really don't have an answer to this...
- perhaps a limited search using UNDO mechanism
- perhaps a simple user ID and date which showed the last person to change it.

PROPERTY
This one should be easy.. sort and display all objects in 'manage' based on common property names and values. For example, have a property called 'status' - values might be 'OK', 'buggy', 'draft', 'approved' etc. Too many properties and too many values would detract from usefulness probably, some pragmatic workflow-oriented values could be very valuable for ordering and developing Zope projects.

DISPLAY
The idea here is to offer a simple visual toggle HIDE/SHOW like Photoshop, Fireworks, Illustrator and myriad other graphics apps do. Suppose you have a big list of objects in a folder which you do not want to look at all the time. They take up too much screen space, can be confusing and may not be relevant for certain users and roles. Simple selection would be a checkbox, but advanced DISPLAY could be based on the other criteria lis