[Zope-dev] Access problems
Hi all!

I have a serious and extremely urgent problem concerning my zope installation (2.2.1 on Unix): Whatever resource I'm trying to access, I get the following

--- Attribute Error ---
Traceback (innermost last):
  File /home/sites/site3/users/.../2-2-1/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /home/sites/site3/users/.../2-2-1/lib/python/ZPublisher/Publish.py, line 187, in publish
  File /home/sites/site3/users/.../2-2-1/lib/python/Zope/__init__.py, line 221, in zpublisher_exception_hook
    (Object: ApplicationDefaultPermissions)
  File /home/sites/site3/users/.../2-2-1/lib/python/ZPublisher/Publish.py, line 162, in publish
  File /home/sites/site3/users/.../2-2-1/lib/python/ZPublisher/BaseRequest.py, line 438, in traverse
  File /home/sites/site3/users/.../2-2-1/lib/python/ZPublisher/BaseRequest.py, line 514, in old_validation
    (Object: broken)
AttributeError: (see above)

Furthermore, I have to authenticate on _every_ occasion, even with objects I know are totally available to Anonymous. After (http) authentication I get the above mentioned attribute error.

I'm clueless. What is this about?

Thanking you so much in advance,
Prost,
Danny

P.S.: Of course I can't recall doing anything rude to my installation, actually I can't recall doing _anything_. (What they all say)

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] DynPersist.so from ZPatterns 0-4-2a3
Hi all!

I'm desperately looking for the DynPersist shared library (new for ZPatterns 0-4-2a3) in compiled form. Can someone help me (send it to me)? I'm running a Zope instance at NIP (www.nipltd.net), that's 2.2.1 on Unix platform.

tia,
Prost,
Danny
[Zope-dev] Re: Thanks a lot, but...
Thank you Itamar,

_but_ I need the Unix .so, not the Windows .dll. Sorry if I didn't put that clear.

Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 3 October 2000 15:20
To: [EMAIL PROTECTED]
Subject: Re: [Zope-dev] DynPersist.so from ZPatterns 0-4-2a3

Danny William Adair wrote:
> I'm desperately looking for the DynPersist shared library (new for ZPatterns 0-4-2a3) in compiled form. Can someone help me (send it to me)? I'm running a Zope instance at NIP (www.nipltd.net), that's 2.2.1 on Unix platform.

Here ya go. Rename it to DynPersist.dll before use.

--
Itamar S.T. [EMAIL PROTECTED]
Fingerprint = D365 7BE8 B81E 2B18 6534 025E D0E7 92DB E441 411C
RE: [Zope-dev] Re: CoreSessionTracking proposal
>> i.e. it is secure if the key *is* the data, rather than a key to the data.
>
> Can you explain? I do not see what you're getting at.

Consider how the tree-tag stores its 'session' data. It's impossible to hijack a tree-tag session because the 'session' state is stored by the client (in the URL) in full.

There are other differences between this type of session and the CoreSessionTrackingProposal; but the advantages are not all one way.
Re: [Zope-dev] Re: CoreSessionTracking proposal
Toby,

Sorry, I'm still not sure I understand. :-(

Are you suggesting that the session token should actually store session data? Or are you just pointing out the difference between an implementation that meets the requirements of sessions and an implementation adequate for things like the tree tag?

Toby Dickenson wrote:
>>> i.e. it is secure if the key *is* the data, rather than a key to the data.
>>
>> Can you explain? I do not see what you're getting at.
>
> Consider how the tree-tag stores its 'session' data. It's impossible to hijack a tree-tag session because the 'session' state is stored by the client (in the URL) in full.
>
> There are other differences between this type of session and the CoreSessionTrackingProposal; but the advantages are not all one way.

--
Chris McDonough
Digital Creations, Publishers of Zope
http://www.zope.org
RE: [Zope-dev] Re: CoreSessionTracking proposal
> Are you suggesting that the session token should actually store session data?

As an alternative SessionManager, it appears to have some advantages that others do not.

It is the only option (AFAIK) that avoids the session hijacking problem without relying on security-through-obscurity (the problem you mentioned, but it's not one that gets me excited).

It's also the only sensible option that lets you bookmark your place in a session, and return to it much later (which interests me more).

> Or are you just pointing out the difference between an implementation that meets the requirements of sessions and an implementation adequate for things like the tree tag?

Isn't the tree tag an example of one Session use case? It smells a lot like a session to me.
Re: [Zope-dev] TreeTag as Sessions Example
Toby Dickenson wrote:
> Isn't the tree tag an example of one Session use case? It smells a lot like a session to me.

yeah, but have you ever tried to have two copies of a tree open on the same data?

bleugh! ;-)

Chris
Re: [Zope-dev] Re: CoreSessionTracking proposal
>> Are you suggesting that the session token should actually store session data?
>
> As an alternative SessionManager, it appears to have some advantages that others do not.

Hmmm. Please smack me if I'm wrong, but I'm not clear on how it differs much from not keeping session-related data in the token.

I guess you could argue that a session token that holds application data is "more random" due to the nature of its composition, and due to that it can't be "guessed" as easily (I doubt anyone would even try). One of the purposes of the random element of the session token in the current implementation is to address this "token guessing" risk.

However, in either case (app data in token or app data key in token), if the token is stolen, it can still be used by the "robber" to see the data that relates to it (made available by the application which relies on the server's unpackaging of the token). This is a different risk, the "token theft" risk. Example: if you get a tree tag token from somebody, and plug it into a URL on your browser, it'll work happily. Without a client-checking scheme (such as encoding the IP address in the token), a token theft attack is very easy. As voiced by others in the thread, client-checking is not reliable, should not be a default, and maybe shouldn't be included as an option at all.

But all of these ponderings are kind of moot, because session data can be arbitrarily large (session data on the order of a megabyte will probably not be uncommon), so the data can't realistically be embedded in the token anyway.

> It's also the only sensible option that lets you bookmark your place in a session, and return to it much later (which interests me more).

I don't understand what you mean... a session token that doesn't include application data has the same property. That's essentially its reason for being around at all. (If you're concerned that the session token isn't URL-compatible, it is... the current implementation lets the session token be transferred via a query string, inlined URL elements, or as a cookie value). Parts of the token *never* expire, so you can happily bookmark something with a token value embedded (or receive and continue to resend a persistent cookie).

> Isn't the tree tag an example of one Session use case? It smells a lot like a session to me.

Probably, yes. Although it will probably not be reimplemented to use the session machinery in the near future (don't fix it if it ain't broke! :-).
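The "token guessing" and "token theft" risks distinguished in the message above, as an added example that is not part of the original thread or of the CoreSessionTracking code: it models a random-id token backed by a server-side store and a self-contained token that carries its own state, and shows that both replay for whoever holds them, while an IP-bound check stops the replay but also locks out the owner whose address changes. All names, the HMAC signing of the self-contained token and the sample addresses are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-server signing key


class OpaqueSessions:
    """Token is a random key to data kept on the server."""

    def __init__(self):
        self._store = {}

    def issue(self, data, client_ip=None):
        token = secrets.token_urlsafe(16)  # random element: defeats guessing
        self._store[token] = {"data": data, "ip": client_ip}
        return token

    def load(self, token, client_ip=None):
        entry = self._store.get(token)
        if entry is None:
            return None  # unknown (guessed) token
        if entry["ip"] is not None and entry["ip"] != client_ip:
            return None  # optional client check failed
        return entry["data"]


def issue_state_token(data, client_ip=None):
    """Token *is* the data: state travels with the client, signed by the server."""
    body = json.dumps({"data": data, "ip": client_ip}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def load_state_token(token, client_ip=None):
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None  # not even token-shaped
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # forged or altered state
    record = json.loads(base64.urlsafe_b64decode(payload))
    if record["ip"] is not None and record["ip"] != client_ip:
        return None  # optional client check failed
    return record["data"]


def demo():
    """Run the same five requests against both token designs."""
    opaque = OpaqueSessions()
    cart = {"cart": ["item-1"]}  # constructed sample session data
    results = {}
    for name, issue, load in (
        ("opaque", opaque.issue, opaque.load),
        ("state", issue_state_token, load_state_token),
    ):
        unbound = issue(cart)                        # no client checking
        bound = issue(cart, client_ip="192.0.2.10")  # IP encoded at issue time
        results[name] = {
            "guess": load("not-a-real-token"),
            "replay_unbound": load(unbound, client_ip="198.51.100.7"),
            "replay_bound": load(bound, client_ip="198.51.100.7"),
            "owner_same_ip": load(bound, client_ip="192.0.2.10"),
            "owner_new_ip": load(bound, client_ip="192.0.2.99"),
        }
    return results


if __name__ == "__main__":
    for kind, outcome in demo().items():
        print(kind, outcome)
```

Both designs give the same outcome in every row: where the session data lives changes nothing about theft, and the IP check that stops the replay is the same check that rejects the owner arriving from a new address.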
Re: [Zope-dev] TreeTag ;-)
OK... let me rephrase that...

Don't fix it if you don't care!

(I have a rule in my mailbox that deletes all messages with 'tree tag' in the subject line. I am not kidding.)

----- Original Message -----
From: "Chris Withers" [EMAIL PROTECTED]
To: "Chris McDonough" [EMAIL PROTECTED]
Cc: "Toby Dickenson" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 03, 2000 10:53 AM
Subject: [Zope-dev] TreeTag ;-)

> Chris McDonough wrote:
> > Probably, yes. Although it will probably not be reimplemented to use the session machinery in the near future (don't fix it if it ain't broke! :-).
>
> It's broke. trust me.
>
> Chris (bitter survivor of too many nasty tree tag experiences ;-)
[Zope-dev] Zope URL
I am hoping someone can help me. I am at the end of my line. I have tried everything and nothing else works.

I am trying to install Zope on my web server on which I have a small intranet. I am using Windows NT 4.0 and IIS 4.0. Ideally I was trying to use Squishdot with Zope to create a small discussion forum that can be accessed via the INTRANET.

My Web server name is SRNT and is installed on my F:\ partition drive.

I installed Zope in the root cgi-bin directory and called my website ZopeSite. I selected the "Run as a win32 service"

F:\InetPub\wwwroot\cgi-bin\ZopeSite\

I went to my browser (MS Internet Explorer 5.0) and accessed the Zope Site using the URL:

http://srnt:8080/manage

I successfully accessed my Zope site manager and everything was working just fine.

Now comes the problem:

I do not want to connect to the Intranet using the server port (8080) in the URL to access the Zope pages.

I installed both Squishdot and TinyTables products on Zope and started building a Squishdot site, which I named ChatClub. However, the URL to access the Squishdot site looks like:

http://srnt:8080/Control_Panel/Products/Squishdot/ChatClub/index_html

I WANT IT TO AT LEAST SAY:

http://srnt/Control_Panel/Products/Squishdot/ChatClub/index_html

OR

http://srnt/ChatClub/index_html

I don't want any reference to the server port 8080.

I have read several help documents on IIS and PCGI AND THEY ALL SAY DIFFERENT THINGS. One document said to copy the Zope.pcgi to the IIS cgi-bin folder and another said to copy it to the IIS scripts folder. One document showed the Zope.pcgi file path configuration completely different from mine.

The document showed:

PCGI_MODULE_PATH=X:\WebSite\lib\python\Main.py

And mine showed

PCGI_MODULE_PATH=F:\InetPub\wwwroot\cgi-bin\ZopeSite\lib\python\Zope

The document even had files I didn't have anywhere in my directory like pcgi.soc and some in completely different folders like:

Help document:
PCGI_MODULE_PATH=X:\WebSite\pcgi\pcgi.pid

My file:
PCGI_MODULE_PATH=F:\InetPub\wwwroot\cgi-bin\ZopeSite\var\pcgi.pid

I know there must be a simple way to accomplish this. I just need someone to tell me how to do it STEP BY STEP. I am a Programmer/Analyst, but I am only a novice when it comes to servers and all the details.

PLEASE HELP

Regards,
Suzette E. Ramsden
[Zope-dev] CoreSessionTracking - Access Session Data permission
Hi Chris,

in an earlier message, you defended the existence of a separate permission "Access Session Data" (in the CoreSessionTracking proposal) by the following case:

There may be (authenticated) users with (TTF?) scripting rights that should be prevented to screen session data (by withdrawing the "Access Session Data" permission from them).

This will only be effective, when not all users automatically have the "Anonymous" role.

There was a discussion about the "Anonymous" role some months ago in the list:

* The (outdated) Content Manager Guide mentions that any user has the role "Anonymous".

* A role "Anonymous" with the meaning "not authenticated" will make management for sites with authenticated, non-manager users more difficult, as those users should have most rights of "Anonymous". Only in exceptional cases, e.g. for session data, they will have less privileges.

If the meaning of "Anonymous" changes in this direction, then this role should be explicitly assignable to users in the "Change User" view to avoid such difficulties.

I would be much in favour of a solution that does not entail new permissions.

This would be possible, if session id management and access to session data would be melted together. In the current proposal, both are separate modules linked by the application: the application obtains a session id from the id manager and then accesses the session data, usually with the id, but in principle with anything it likes, e.g. a stolen session id. It seems that the new permissions should help to control such abuses.

If the session id becomes an implicit (not DTML-forgable) parameter for session data access, then the session data need not to be protected by new permissions.

However, I agree with you, that even making session id management implicit, will not provide strict security.

Why am I against new permissions?

This has partly to do with the current Zope permission management. As soon as you have more than a few products installed and created a few additional roles, permission management becomes a nightmare: it is very difficult to keep the overview with the current unstructured, non-batched permission setting view.

Dieter
[Zope-dev] (no subject)
Dear list readers,

using LocalFS 0.95 was fine until trying to upgrade to Zope 2.2.2. Both freshly installed, the following snippet raises the error: "Unauthorized", "You are not authorized to access read.":

<dtml-var standard_html_header>
<dtml-var "frei['analog.html'].read()">
<dtml-var standard_html_footer>

It is used to display site statistics contained in analog.html, which resides in a local directory referenced by LocalFS under the name "frei" (cf. LocalFS-HowTo).

There is no special security setting for the read-method, as far as the security tab is concerned. Also, as a user with all possible permissions, the error still occurs.

The same file can seamlessly be read in a Zope 2.2.b1 installation on the same machine, under the same user.

LocalFS's author Jonathan Farr (mailto:[EMAIL PROTECTED]) suggested to ask on zope-dev: Could you help, please?

Thanks in advance,
---
Ralf Herold, mailto:[EMAIL PROTECTED]
[Zope-dev] Zope URL
> I do not want to connect to the Intranet using the server port (8080) in the URL to access the Zope pages.

The problem you have is related to the sockets. Zope has its port set to 8080 as a default just to make it easier to coexist with IIS. The default for the http service is port 80.

If you want to use http://smt/manage you will have to have your IIS changed to run on another port instead of the default, and then change Zope to run on port 80. But folks who don't know and just try to visit your site at http://smt will get the default page served by the Zope server not your IIS server. (Of course you could remove the less capable web server software...;-} )

You can not have both servers on the same port. So you probably will need to redo the install settings for both IIS and Zope.

A Windows-only fix would be to change the registry setting used for the default http service to 8080. But this won't make the two services coexist on one port.

  Ports     Port Number
  HTTP      80
  FTP       21
  GOPHER    70
  SSL       443

If you want to use other port numbers, you can change them through the Registry. Start RegEdit and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\ServiceProvider\ServiceTypes. In the W3svc subkey you'll find a hexadecimal value named TcpPort. Change this to the port number you want to use. For example, if you want to use port 81, set the value to 51 (51 hex is 81 decimal). Similarly, you can set the FTP port in the MSFTPSVC subkey.

Ken Latta
Invictus Systems Corporation
[EMAIL PROTECTED]
[Zope-dev] ZPatterns design questions
First, some context... I'm working on a new data storage system for a related set of (primarily) Zope sites. The data will be kept in ZODB and mirrored out to a RDB (MySQL) to provide read-only access to some non-zope stuff. One other thing to note, all of this will be done via python code (no zclasses).

Now say that I want to keep data about a company. I have a specialist, rack and dataskin already created. I currently can store data on the skin via AttributeProviders, but this was mainly done to get something working to mess around with.

What I think I want is several SheetProviders. Two for each block of data (a block basically reflects the breakdown of tables in the MySQL DB). Why 2 for each block? One for the ZODB store and one for mirroring the data out to the RDB. So, the breakdown for the company would look like this:

Company Rack
  - Company Information (name, url, etc).
    . SheetProvider (ZODB) - read/write
    . SheetProvider (SQL) - write only
  - Address Information (city, state, zip, etc)
    . SheetProvider (ZODB) - read/write
    . SheetProvider (SQL) - write only

Does this sound reasonable? I thought about writing a mix-in class to add the SQL stuff to the SheetProvider, eliminating the need for 2 entries for each block of data. But I liked the idea of each being its own plugin, seemed cleaner.

The specific question I have about this design is where does the _properties() attribute go? They need to be associated with their appropriate SheetProviders, so that seems the most likely place, but that would require a SheetProvider subclass for each data block which bothers me. It also just doesn't seem to fit in with the design pattern, but my understanding of it is still fairly limited.

Next Topic...

Adding to the above design, we add a second entity; People. I need to express relationships between the people and the companies. These relationships can be of various sorts; eg. technical contact, marketing contact, company admin, etc.

My idea is to create another specialist/rack/dataskin to contain the information about these relationships and associated data (type of relationship, corresponding roles, references to the related entities, etc).

I don't have any code for this aspect of the design yet, so I'm only fishing for general criticisms/thoughts at this point. Is there a better way to do this?

BTW, there are going to be many more types of entities and relationships than these examples, so it needs to scale. It also needs to perform well, as the authentication mechanism will be fetching the roles off the relationships and, possibly, their related objects.

Thanks in advance for any advice.

--
John Eikenberry [[EMAIL PROTECTED] - http://zhar.net]
__
"A society that will trade a little liberty for a little order will deserve neither and lose both." --B. Franklin
Re: [Zope-dev] rpc-xml: Pachyderm memories needed !
Nigel Head writes:
> I'll swear that a couple of weeks back, just after I got the Flash 5 upgrade I had this running with whatever version of Zope was extant then! Unfortunately I've been following along with the CVS checkouts without archiving them so I can't prove it.

CVS supports checkout by date. Thus, you can recreate the former state from the CVS repository, provided you know when you got the working version.

Dieter
Re: [Zope-dev] ZPatterns design questions
Phillip J. Eby wrote:
> If I can offer a suggestion...

Please...

> It sounds to me like you don't need SheetProviders at all, if you effectively define the property sheets as part of your class, and make the attributes direct attributes on the DataSkin. You then need only set

Ok, I'm feeling pretty stupid right now but I have to ask what you mean by "define the property sheets as part of your class"? Do you mean using something like this in the DataSkin subclass:

    def __init__(self,id):
        self.DataSkin.__init__(self,id)
        ps = self.propertysheets
        ps.manage_addPropertySheet('CompanyData','CompanyData')
        ps.get('CompanyData')._properties = (
            {'id':'name', 'type':'string', 'mode':'w'},
            ...
        )

> up a single trigger that checks whether any of the attributes you want to mirror have changed, and then fires that off to the SQL db. It would

By 'trigger' you are referring to a RuleAgent plugin? Hmm... I had briefly thought about this, but most of the discussions relating to interfacing to an external RDB seemed to indicate subclassing a SheetProvider was the best course of action. I'll have to look into this (hadn't spent much time figuring out RuleAgents yet).

> actually be a bit easier to set up if you were using a ZClass, since you could create the property sheets there by just adding "DataSkin Property Sheet" objects to the ZClass. But the basic principle would still apply.

We've come to the conclusion that ZClasses really are more a hindrance than a help, trading functionality for shorter learning curve. With straight python code you get much more control and the ability to use conventional editors and tools (cvs), without losing anything besides a bit of time figuring things out (which is better in the long run anyways).

--
John Eikenberry [[EMAIL PROTECTED] - http://zhar.net]
__
"A society that will trade a little liberty for a little order will deserve neither and lose both." --B. Franklin
[Zope-dev] Need help tracking down the cause of a traceback
I occasionally get tracebacks like

No input for required field
<!--
Traceback (innermost last):
  File /home/killer-whale/skip/src/Zope/lib/python/ZPublisher/Publish.py, line 222, in publish_module
  File /home/killer-whale/skip/src/Zope/lib/python/ZPublisher/Publish.py, line 136, in publish
  File /home/dolphin/skip/src/Zope/lib/python/ZPublisher/HTTPRequest.py, line 445, in processInputs
  File /home/dolphin/skip/src/Zope/lib/python/ZPublisher/Converters.py, line 115, in field2required
ValueError: (see above)
-->

mailed to me from my production web server (5-10 times per day). I have been so far unable to figure out what request is coming into Zope that is triggering it by examining the Zope and Apache server logs (I run Zope behind an Apache proxy). Every time I search the log files in the vicinity of the mail message's timestamp, I see nothing wrong.

I would like to instrument the Zope code to generate a traceback that has a more useful message than "(see above)". The ValueError is being raised in field2required, but I see no parameters in the Apache log with a name of "...:required". That leads me to suspect that somehow the RESPONSE parameter isn't getting set (it's the only non-defaulted parameter in the suspect published methods that doesn't appear to have its value set directly by parameters in the URL).

I am completely unfamiliar with the code involved in the above traceback, and only get such tracebacks on my production server, so I need to get it right the first time. (If I muff it, it will almost certainly not break until right after I have watched it for 10 hours, then left for the day, allowing the server to choke for 12-15 hours before I come in the next day...)

I'd like to enclose one of the calls in the above traceback in a

    try: ... except ValueError: ...

statement whose except clause reraises the exception with the relevant data that will tell me just what method was invoked and what parameters, if any, it's receiving. I think the HTTPRequest class probably contains the useful bits, but I have no idea what those bits might be. (What is the saying about things that are sufficiently subtle appear to be magic to the observer?)

Thanks,

--
Skip Montanaro ([EMAIL PROTECTED])
http://www.mojam.com/
http://www.musi-cal.com/