[Zope-dev] Is there a Security problem with cookie authentication?

2002-04-23 Thread Richard Barrett

Someone out there might like to sanity check my thinking on a possible 
security hole that arises if some form of cookie authentication, the 
CookieCrumbler for instance, is used with Zope.

The scenario of concern is when cookie authentication is being used and 
Zope is accessed by a browser via a caching HTTP proxy server such as 
Squid, hardly an uncommon situation these days. I believe that transparent 
proxy servers are quite extensively used at the internet access points of 
ISPs.

As the Squid FAQ says:

<quote>
The presence of Cookies headers in requests does not affect whether or not 
an HTTP reply can be cached. Similarly, the presence of Set-Cookie headers 
in replies does not affect whether the reply can be cached.
</quote>

It appears to me that if the Zope server fails to add a Cache-Control 
header with a value of private, no-cache or no-store to its responses, a 
caching proxy server is free to cache the response to an HTTP request. 
Hence the proxy server can again serve the response, purportedly protected 
by cookie based authentication, to any other requesting client WITHOUT 
consulting the Zope server.

I could not identify any code in the CookieCrumbler to add a Cache-Control 
header with a value of private, no-cache or no-store to Zope responses.

This problem should not occur when Zope uses the regular Basic 
Authentication scheme as per RFC2616:

<quote>
Note that section 14.8 normally prevents a shared cache from saving and 
returning a response to a previous request if that request included an 
Authorization header.
</quote>

Unless someone can refute this scenario (please, please do) then it appears 
to me that Cache-Control headers need to be added to all responses 
conditional on authentication by Zope using cookie authentication.

Maybe Zope should just add a Cache-Control header with a value of private, 
no-cache or no-store to all responses that its security sub-system 
determines are to other than the Anonymous user. It would do no harm if 
Basic Authentication were being used and would plug the security hole I 
have posited if cookie authentication were in use.

I'd propose a patch myself but I am not that confident in hacking around 
Zope's security management code.



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
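
An added example (not part of the original post, and not Zope, CookieCrumbler or Squid code) that models the scenario Richard describes: a shared cache that ignores Cookie and Set-Cookie, honours Cache-Control: private, no-cache and no-store, and applies the RFC 2616 section 14.8 rule for Authorization. All names, the session table and the credentials are constructed for the illustration, and stored copies are assumed to be otherwise fresh.

```python
"""Toy shared cache: can an authenticated response be replayed to another client?"""

ANONYMOUS = "Anonymous User"
# Constructed sample credentials (not real values).
COOKIE_SESSIONS = {"session=abc123": "alice"}
BASIC_USERS = {"Basic YWxpY2U6cHc=": "alice"}


def cache_control_directives(value):
    """Return the lower-cased directive names of a Cache-Control header value."""
    names = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def shared_cache_may_reuse(request_headers, response_headers):
    """True if a shared cache may answer a later request from its stored copy
    without contacting the origin server (copy assumed otherwise fresh)."""
    req = {k.lower() for k in request_headers}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = cache_control_directives(resp.get("cache-control"))
    # Any of the three values named in the post keeps the copy from being replayed.
    # (no-cache with a field list is treated as plain no-cache: the strict reading.)
    if cc & {"private", "no-store", "no-cache"}:
        return False
    if "authorization" in req:
        # RFC 2616 section 14.8: reuse only if the origin explicitly opts in.
        return bool(cc & {"public", "s-maxage", "must-revalidate"})
    # Cookie and Set-Cookie are deliberately not consulted (Squid FAQ quote).
    return True


class SharedCache:
    """Minimal caching proxy keyed by URL only, as a shared cache would be."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, url, request_headers):
        if url in self.store:
            return self.store[url]  # served WITHOUT consulting the origin
        response_headers, body = self.origin(url, request_headers)
        if shared_cache_may_reuse(request_headers, response_headers):
            self.store[url] = body
        return body


def make_origin(mark_private):
    """Stand-in for the application server. With mark_private=True it applies
    the post's proposal: Cache-Control: private on non-Anonymous responses."""

    def origin(url, request_headers):
        user = (COOKIE_SESSIONS.get(request_headers.get("Cookie"))
                or BASIC_USERS.get(request_headers.get("Authorization"))
                or ANONYMOUS)
        if user == ANONYMOUS:
            return {}, "401 please log in"
        headers = {"Cache-Control": "private"} if mark_private else {}
        return headers, "account page for %s" % user

    return origin


def second_client_sees(mark_private, credential_header):
    """An authenticated user fetches a page through the proxy, then a second
    client with no credentials asks the same proxy for the same URL."""
    cache = SharedCache(make_origin(mark_private))
    url = "/members/account"
    cache.get(url, dict([credential_header]))
    return cache.get(url, {})


if __name__ == "__main__":
    cookie = ("Cookie", "session=abc123")
    basic = ("Authorization", "Basic YWxpY2U6cHc=")
    for label, fix, cred in (("cookie auth, no header", False, cookie),
                             ("cookie auth, private", True, cookie),
                             ("basic auth, no header", False, basic)):
        print(label, "->", second_client_sees(fix, cred))
```

Only the first case hands the second client the authenticated page, which is the gap the post describes.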



[Zope-dev] Ordered Folder (was: Speaking of 2.6...)

2002-04-23 Thread Florent Guillaume

Toby Dickenson  [EMAIL PROTECTED] wrote:
> I agree with both of these two points that Jeffrey made. It is a sore
> omission from the core, but I can't see any place to hook the user
> interface that doesn't amount to bloat for many folders that don't
> need.
>
> Does it make sense to include an ObjectManager.manage_reorderItems
> method in the core, but leave the user interface to expansion pack
> products ?

I think the UI for reordering should be switchable, perhaps through a
new button, or maybe a property ?

Also do we want all folders to be ordered by default ? I think yes, but
there may be backward compatibility problems.

FWIW here is the monkey patch I'm using to provide ordering
functionality, without any UI.

Florent.


# derived from OrderFolder by Stephan Richter, iuveno AG.
from OFS.ObjectManager import ObjectManager

def get_object_position(self, id):
    # Return the index of the sub-object with this id in self._objects.
    i = 0
    for obj in self._objects:
        if obj['id'] == id:
            return i
        i = i+1
    # If the object was not found, throw an error.
    raise 'ObjectNotFound', 'The object with the id %s does not exist.' % id
ObjectManager.get_object_position = get_object_position

def move_object_to_position(self, id, newpos):
    # Return 1 if the object was moved, 0 if newpos is out of range or unchanged.
    oldpos = self.get_object_position(id)
    if (newpos < 0 or newpos == oldpos or newpos >= len(self._objects)):
        return 0
    obj = self._objects[oldpos]
    objects = list(self._objects)
    del objects[oldpos]
    objects.insert(newpos, obj)
    self._objects = tuple(objects)
    return 1
ObjectManager.move_object_to_position = move_object_to_position

def move_object_up(self, id):
    newpos = self.get_object_position(id) - 1
    return self.move_object_to_position(id, newpos)
ObjectManager.move_object_up = move_object_up

def move_object_down(self, id):
    newpos = self.get_object_position(id) + 1
    return self.move_object_to_position(id, newpos)
ObjectManager.move_object_down = move_object_down

def move_object_to_top(self, id):
    newpos = 0
    return self.move_object_to_position(id, newpos)
ObjectManager.move_object_to_top = move_object_to_top

def move_object_to_bottom(self, id):
    newpos = len(self._objects) - 1
    return self.move_object_to_position(id, newpos)
ObjectManager.move_object_to_bottom = move_object_to_bottom

def manage_renameObject(self, id, new_id, REQUEST=None):
    """Rename a particular sub-object"""
    # Since OFS.CopySupport.CopyContainer::manage_renameObject uses
    # _setObject manually, we have to take care of the order after it is done.
    oldpos = self.get_object_position(id)
    res = self._old_ordfold_manage_renameObject(id, new_id, REQUEST)
    self.move_object_to_position(new_id, oldpos)
    return res
ObjectManager._old_ordfold_manage_renameObject = \
    ObjectManager.inheritedAttribute('manage_renameObject')
ObjectManager.manage_renameObject = manage_renameObject

def _setObject(self, id, object, roles=None, user=None, set_owner=1,
               position=None):
    res = self._old_ordfold_setObject(id, object, roles, user, set_owner)
    if position is not None:
        self.move_object_to_position(id, position)
    # otherwise it was inserted at the end
    return res
ObjectManager._old_ordfold_setObject = ObjectManager._setObject
ObjectManager._setObject = _setObject

# Protect the new methods with the 'Manage properties' permission.
perms = (('Manage properties', ('get_object_position',
                                'move_object_to_position',
                                'move_object_up',
                                'move_object_down',
                                'move_object_to_top',
                                'move_object_to_bottom')), )
ObjectManager.__ac_permissions__ = ObjectManager.__ac_permissions__ + perms

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87  http://nuxeo.com  mailto:[EMAIL PROTECTED]





[Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

You might remember me, I've been a big Zope fan since ZTables,
and have recently been asked "Why Zope?".  The project is
committed to PostgreSQL and leaning toward PHP.  Here's the
project requirements for a software company:

Hardware Compatibility List
Software Compatibility List
Store/ECommerce
User tracking and services like
  Pay for downloads
  Upgrades if they have a serial number paid up
Billing/Invoicing for corporate accounts
Inventory tracking
CRM/Sales functions


They don't see that Zope's built-in security machinery would
beat something home brewed for what they expect to need it for.
Plus the overhead of running Zope instances is greater than
PHP scripts.

What are the arguments for Zope in this context?

All my best,

-- 
Jason Spisak
Marketing Director, Lycoris
[EMAIL PROTECTED], 
http://www.lycoris.com
Desktop/LX: Familiar. Powerful. Open.
+1 425 869-2930 voice, +1 425 671-0504 fax





RE: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Steve Drees

 
> Plus the overhead of running Zope instances is greater than
> PHP scripts.

Is this really true for anything non-trivial?





Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

I am not a PHP guy by any means, but I imagine having to run an 
extra server (Apache, Postgres vs Apache, Zope, Postgres) means 
there is another server process to watch, manage, 
start/restart.  You don't have to do those things with PHP 
scripts.

Perhaps someone with experience with a larger PHP 
implementation under their belt could let us know. 

On Tuesday 23 April 2002 9:46 am, you wrote:
> > Plus the overhead of running Zope instances is greater
> > than PHP scripts.
>
> Is this really true for anything non-trivial?





Re: [Zope-dev] Ordered Folder (was: Speaking of 2.6...)

2002-04-23 Thread Lennart Regebro

From: Florent Guillaume [EMAIL PROTECTED]
> Also do we want all folders to be ordered by default ?

I wouldn't want this. I don't know how ordered folder works nowadays, but I
want it sorted on name by default.








Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread William Trenker

I have only minor experience with PHP so this may be ignorant, but isn't
programming a web application with PHP scripts more comparable to
programming such an application with Python scripts?  If PHP scripts are
handling HTTP requests directly, that can also be done with pure Python
scripts.  But if I have to put together a comprehensive web application I'm
going to be developing a lot of scripts, unless I use an integrated,
pre-made package of scripts.  But then, that is really what Zope is, isn't it?

Call me confused,
Bill


At 10:17 AM 4/23/02 -0700, you wrote:

> I am not a PHP guy by any means, but I imagine having to run an
> extra server (Apache, Postgres vs Apache, Zope, Postgres) means
> there is another server process to watch, manage,
> start/restart.  You don't have to do those things with PHP
> scripts.
>
> Perhaps someone with experience with a larger PHP
> implementation under their belt could let us know.
>
> On Tuesday 23 April 2002 9:46 am, you wrote:
> > > Plus the overhead of running Zope instances is greater
> > > than PHP scripts.
> >
> > Is this really true for anything non-trivial?




--
The commandments of the LORD are right, bringing joy to the heart. The 
commands of the LORD are clear, giving insight to life . . . For this is 
the love of God, that we keep His commandments. And His commandments are 
not burdensome. (Psalm 19:8, 1John 
5:3)http://torahteacher.com/torahteacher.com



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.346 / Virus Database: 194 - Release Date: 4/10/02



Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Oliver Bleutgen

Jason Spisak wrote:
> You might remember me, I've been a big Zope fan since ZTables,
> and have recently been asked "Why Zope?".  The project is
> committed to PostgreSQL and leaning toward PHP.  Here's the
> project requirements for a software company:
>
> Hardware Compatibility List
> Software Compatibility List
> Store/ECommerce
> User tracking and services like
>   Pay for downloads
>   Upgrades if they have a serial number paid up
> Billing/Invoicing for corporate accounts
> Inventory tracking
> CRM/Sales functions
>
>
> They don't see that Zope's built-in security machinery would
> beat something home brewed for what they expect to need it for.
> Plus the overhead of running Zope instances is greater than
> PHP scripts.
>
> What are the arguments for Zope in this context?
 

Transaction Safety?

When reading your requirements that was the first thing coming into my 
mind. I don't know how php does this, so I went to google and found
http://www.phpbuilder.com/columns/linuxjournal29.php3

Below is one snippet, notice all the ugly //check for errors and 
//abort transaction. If someone knows where I misinterpret something 
or how php solves this, corrections welcome.

But wouldn't it be nice if we had an application server which would take 
care of all this for us?

Oh, wait ... ;-)

cheers,
oliver




function cart_new() {
    //make the database connection handle available
    global $conn,$customer_id,$feedback;

    //start a transaction
    query("BEGIN WORK");

    //query postgres for the next value in our sequence
    $res=query("SELECT nextval('seq_customer_id')");

    //check for errors
    if (!$res || pg_numrows($res)<1) {
        $feedback .= pg_errormessage($conn);
        $feedback .= ' Error - Database didn\'t return next value ';
        query("ROLLBACK");
        return false;
    } else {
        //set that value in a local var
        $customer_id=pg_result($res,0,0);

        //register the id with PHP4
        session_register('customer_id');

        //insert the new customer row
        $res=query("INSERT INTO customers (customer_id) VALUES ('$customer_id')");

        //check for errors
        if (!$res || pg_cmdtuples($res)<1) {
            $feedback .= pg_errormessage($conn);
            $feedback .= ' Error - couldn\'t insert new customer row ';
            query("ROLLBACK");
            return false;
        } else {
            //commit this transaction
            query("COMMIT");
            return true;
        }
    }
}
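
An added sketch (not Zope's publisher code, and not from the original message) of the arrangement Oliver alludes to: the server wraps each request in one transaction, commits if the handler returns and rolls back if it raises, so the handler carries no per-statement error checks. It uses Python's sqlite3 as a stand-in for PostgreSQL; publish, cart_new as written here, the carts table and the schema are hypothetical names for the illustration.

```python
import sqlite3


def open_db():
    """In-memory database with a constructed schema for the illustration."""
    # isolation_level=None: the module issues no implicit BEGIN/COMMIT, so the
    # transaction boundaries below are exactly the ones publish() sets.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE customers (customer_id INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE carts ("
                 "customer_id INTEGER NOT NULL UNIQUE, item TEXT NOT NULL)")
    return conn


def publish(conn, handler, *args):
    """Run one request handler inside one transaction.

    Commit if the handler returns, roll back everything it did if it raises.
    """
    conn.execute("BEGIN")
    try:
        result = handler(conn, *args)
    except Exception:
        conn.execute("ROLLBACK")
        raise
    conn.execute("COMMIT")
    return result


def cart_new(conn, first_item):
    """Create a customer row and its cart row; no error handling here."""
    customer_id = conn.execute("INSERT INTO customers DEFAULT VALUES").lastrowid
    # If this statement fails, the customer row above must not survive.
    conn.execute("INSERT INTO carts (customer_id, item) VALUES (?, ?)",
                 (customer_id, first_item))
    return customer_id


def customer_count(conn):
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print("created customer", publish(db, cart_new, "widget"))
    try:
        publish(db, cart_new, None)  # violates NOT NULL on carts.item
    except sqlite3.IntegrityError as exc:
        print("request failed:", exc)
    print("customers stored:", customer_count(db))
```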







Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

I think that's a big part of it.  Using something that's
already documented that has many features of a 'web app' built
in already, versus scripting those.  But there are a lot of
prepackaged scripts for Calendars, and database connections,
shopping carts,  etc... for PHP.  So there's got to be more
than just the prepackagedness of Zope to choose it over PHP.

On Tuesday 23 April 2002 10:47 am, you wrote:
> I have only minor experience with PHP so this may be
> ignorant, but isn't programming a web application with PHP
> scripts more comparable to programming such an application
> with Python scripts?  If PHP scripts are handling HTTP
> requests directly, that can also be done with pure Python
> scripts.  But if I have to put together a comprehensive web
> application I'm going to be developing a lot of scripts,
> unless I use an integrated, pre-made package of scripts.
> But then, that is really what Zope is, isn't it?
>
> Call me confused,
> Bill
>
> At 10:17 AM 4/23/02 -0700, you wrote:
> > I am not a PHP guy by any means, but I imagine having to run
> > an extra server (Apache, Postgres vs Apache, Zope,
> > Postgres) means there is another server process to watch,
> > manage,
> > start/restart.  You don't have to do those things with PHP
> > scripts.
> >
> > Perhaps someone with experience with a larger PHP
> > implementation under their belt could let us know.
> >
> > On Tuesday 23 April 2002 9:46 am, you wrote:
> > > > Plus the overhead of running Zope instances is
> > > > greater than PHP scripts.
> > >
> > > Is this really true for anything non-trivial?




Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

Excellent thinking.  I'm guessing that the PsycopgDA handles
that type of thing and makes sure that it doesn't get nasty.
That's a big win for Zope when dealing with inventory and
things like that.  Thanks Oliver.

On Tuesday 23 April 2002 10:33 am, you wrote:
> Jason Spisak wrote:
> > You might remember me, I've been a big Zope fan since
> > ZTables, and have recently been asked "Why Zope?".  The
> > project is committed to PostgreSQL and leaning toward PHP.
> > Here's the project requirements for a software company:
> >
> > Hardware Compatibility List
> > Software Compatibility List
> > Store/ECommerce
> > User tracking and services like
> >   Pay for downloads
> >   Upgrades if they have a serial number paid up
> > Billing/Invoicing for corporate accounts
> > Inventory tracking
> > CRM/Sales functions
> >
> >
> > They don't see that Zope's built-in security machinery
> > would beat something home brewed for what they expect to
> > need it for. Plus the overhead of running Zope instances
> > is greater than PHP scripts.
> >
> > What are the arguments for Zope in this context?
>
> Transaction Safety?
>
> When reading your requirements that was the first thing
> coming into my mind. I don't know how php does this, so I
> went to google and found
> http://www.phpbuilder.com/columns/linuxjournal29.php3
>
> Below is one snippet, notice all the ugly //check for
> errors and //abort transaction. If someone knows where I
> misinterpret something or how php solves this, corrections
> welcome.
>
> But wouldn't it be nice if we had an application server which
> would take care of all this for us?
>
> Oh, wait ... ;-)
>
> cheers,
> oliver
>
>
>
>
> function cart_new() {
>     //make the database connection handle available
>     global $conn,$customer_id,$feedback;
>
>     //start a transaction
>     query("BEGIN WORK");
>
>     //query postgres for the next value in our sequence
>     $res=query("SELECT nextval('seq_customer_id')");
>
>     //check for errors
>     if (!$res || pg_numrows($res)<1) {
>         $feedback .= pg_errormessage($conn);
>         $feedback .= ' Error - Database didn\'t return next value ';
>         query("ROLLBACK");
>         return false;
>     } else {
>         //set that value in a local var
>         $customer_id=pg_result($res,0,0);
>
>         //register the id with PHP4
>         session_register('customer_id');
>
>         //insert the new customer row
>         $res=query("INSERT INTO customers (customer_id) VALUES ('$customer_id')");
>
>         //check for errors
>         if (!$res || pg_cmdtuples($res)<1) {
>             $feedback .= pg_errormessage($conn);
>             $feedback .= ' Error - couldn\'t insert new customer row ';
>             query("ROLLBACK");
>             return false;
>         } else {
>             //commit this transaction
>             query("COMMIT");
>             return true;
>         }
>     }
> }




Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread William Trenker

At 11:01 AM 4/23/02 -0700, you wrote:
> But there are a lot of prepackaged scripts for Calendars, and database
> connections, shopping carts,  etc... for PHP.  So there's got to be more
> than just the prepackagedness of Zope to choose it over PHP.

Yes, that is important.  Of course, there are a lot of Products
(pre-packaged scripts) available for Zope that do these sort of
things.  Have you checked the Downloads page (http://www.zope.org/Products)?

It is interesting that right now there is a sort-of batteries included 
topic going on in this list debating the merits of what goes into the core 
of a Zope release.  But whatever ends up in the core, there are many, many 
good add-ons already out there.

Bill







Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

Curiously, if there are prepackaged scripts for both, and
there's less to 'manage' with PHP, that's a PHP win.  I
personally have CalendarTag, ZDataQueryKit and lots of yummy
others running from the downloads page.  But since I'm trying to
convince PHP people that using Zope is better, they just point
to their yummy scripts too.

I think Oliver's point about transaction safety is a big win.  
I might convince them just on that.  But I'm still looking for 
more ammunition.  

On Tuesday 23 April 2002 11:09 am, you wrote:
> At 11:01 AM 4/23/02 -0700, you wrote:
> > But there are a lot of prepackaged scripts for Calendars,
> > and database connections, shopping carts,  etc... for PHP.
> > So there's got to be more than just the prepackagedness of
> > Zope to choose it over PHP.
>
> Yes, that is important.  Of course, there are a lot of
> Products (pre-packaged scripts) available for Zope that do
> these sort of things.  Have you checked the Downloads page
> (http://www.zope.org/Products)?
>
> It is interesting that right now there is a sort-of
> batteries included topic going on in this list debating the
> merits of what goes into the core of a Zope release.  But
> whatever ends up in the core, there are many, many good
> add-ons already out there.
>
> Bill







Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

Dirk,

Thanks for that.  By 'separation' I'm assuming you mean ZPT, 
correct?  I'm new to that, but the virtues seem to be simple 
edit and save for layout folks.

With PHP, you can create forms to publish content.  You don't
have to give content managers PHP.  Zope's a win for Designers,
for sure.  Right now the designers are the coders, so that's
more like an 'eventual' win.

The database logic can be separated with PHP by just creating 
some php 'backend stuff'  and calling those database functions 
you've created from the 'presentation' scripts.  Just like 
calling a ZSQL method from a DTML method.   As long as you kept 
the exposed calls the same, you could change Databases.  It 
probably wouldn't be as easy to step to Oracle if they wanted 
to.  You are right about that! ;-)


On Tuesday 23 April 2002 11:24 am, you wrote:
> Hi Jason,
>
> what about a mix content-management-system and
> application-server in one server:
> - Zope + EasyPublisher
>
> you have a special layout. realizing that in php means
> editing php with html.
> with zope you can make application logic here and layout
> (presentation logic) there.
>
> you have lots of unique structured content:
> you can separate the database logic from html very simple
> you have no limitations on the underlying database engine,
> just remove the db-connector and put a new one in.
>
> we currently plan our new intranet with zope.
> had php content-management as an alternative, but we can't
> give php to our users.
>
> question you should answer to yourself: which users have to
> work with your system in your company ? which user change
> things in the system ?
>
> Jason Spisak wrote:
> > You might remember me, I've been a big Zope fan since
> > ZTables, and have recently been asked "Why Zope?".  The
> > project is committed to PostgreSQL and leaning toward PHP.
> > Here's the project requirements for a software company:
> >
> > Hardware Compatibility List
> > Software Compatibility List
> > Store/ECommerce
> > User tracking and services like
> >   Pay for downloads
> >   Upgrades if they have a serial number paid up
> > Billing/Invoicing for corporate accounts
> > Inventory tracking
> > CRM/Sales functions
> >
> > They don't see that Zope's built-in security machinery
> > would beat something home brewed for what they expect to
> > need it for. Plus the overhead of running Zope instances
> > is greater than PHP scripts.
> >
> > What are the arguments for Zope in this context?
> >
> > All my best,
 



Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Lennart Regebro

From: Jason Spisak [EMAIL PROTECTED]
> I think Oliver's point about transaction safety is a big win.
> I might convince them just on that.  But I'm still looking for
> more ammunition.

Basic things from the top of my head:

- Full OO = short development time = cheaper development.

- Integrated security = less chances of unsecure scripts.

- Transactional security.

- Undoable transactions.

- Integrated user management.

- Transparent scalability.

- Integrated rights/permission management.
( No, it's true that they probably do not need better permission management
than they can build with PHP. But with Zope you don't have to build it at
all. It's already there.)

These are the things you get for free with Zope that you don't get with PHP.
I have also probably missed out on several.







Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

Thanks Lennart,

There is OO php now, which they seem to enjoy. <ugh> The
audited security is something I believe is a big win.  The
quickness and efficiency of Zope Corp's (still calling them DC
in my head) Zope security patching is outstanding.  The
community really shines there.

With undoable transactions, are transactions that have taken
place in the Postgres Database really undo-able by undoing the
Zope transaction that made them?

For users, they'll be stored in Postgres, so is LoginManager
(which uses the venerably weighty ZPatterns) the best way to
go, or is exUserFolder sufficient for scaling to larger
numbers of users?  I'll ask the Jester about that directly if
no one has a quick answer.  The front end user/roles permissions
thing is a bit hard to manage sometimes, honestly.  But it's
there at least, and not in PHP unless you spend time building
it.

Would you not get transparent scalability by adding Apache 
servers to the front end that just have the same PHP scripts? 
As far as scaling backend Postgres Database, that's the same if 
you use PHP or Zope.

On Tuesday 23 April 2002 11:35 am, you wrote:
> From: Jason Spisak [EMAIL PROTECTED]
>
> > I think Oliver's point about transaction safety is a big
> > win. I might convince them just on that.  But I'm still
> > looking for more ammunition.
>
> Basic things from the top of my head:
>
> - Full OO = short development time = cheaper development.
>
> - Integrated security = less chances of unsecure scripts.
>
> - Transactional security.
>
> - Undoable transactions.
>
> - Integrated user management.
>
> - Transparent scalability.
>
> - Integrated rights/permission management.
> ( No, it's true that they probably do not need better
> permission management than they can build with PHP. But with
> Zope you don't have to build it at all. It's already there.)
>
> These are the things you get for free with Zope that you
> don't get with PHP. I have also probably missed out on
> several.




Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

Dirk,

One more quick question about application/business logic in one 
place and layout in another.  

Looking at ZPT, I still see expressions and condition
statements in the Templates themselves.  That's not really
separation, it's just making it work with HTML editing tools.
I'm curious if anyone can explain the true separation of
business logic and presentation a bit better that exists with
Zope now.  I've built quite a few DTML heavy apps, and that
separation wasn't there.

On Tuesday 23 April 2002 11:24 am, you wrote:
 Hi Jason,

 what about a mix content-management-system and
 application-server in one server:
 - Zope + EasyPublisher

 you have a special layout. realizing that in php means
 editing php with html.
 with zope you can make application logic here and layout
 (presentation logic) there.

 you have lots of unique structured content:
 you can seperate the database logic from html very simple
 you have no limitations on the underlaying database engine,
 just remove the db-connector and put a new one in.

 we currently plan out new intranet with zope.
 had php content-management as an alternative, but we can't
 give php to our users.

 question you should answer to your self: which users have to
 work with your system in your company ? which user change
 things in the system ?

 Jason Spisak wrote:
  You might remember me, I've been a big Zope fan since
  ZTables, and have recently been asked "Why Zope?".  The
  project is committed to PostgreSQL and leaning toward PHP. 
  Here's the project requirements for a software company:
 
  Hardware Compatibility List
  Software Compatibility List
  Store/ECommerce
  User tracking and services like
    Pay for downloads
    Upgrades if they have a serial number paid up
  Billing/Invoicing for corporate accounts
  Inventory tracking
  CRM/Sales functions
 
  They don't see that Zope's built in security machinery
  would beat something home brewed for what they expect to
  need it for. Plus the overhead of running Zope instances
  is greater than PHP scripts.
 
  What are the arguments for Zope in this context?
 
  All my best,
 
  --
  Jason Spisak
  Marketing Director, Lycoris
  [EMAIL PROTECTED],
  http://www.lycoris.com
  Desktop/LX: Familiar. Powerful. Open.
  +1 425 869-2930 voice, +1 425 671-0504 fax
 

-- 
Jason Spisak
Marketing Director, Lycoris
[EMAIL PROTECTED], 
http://www.lycoris.com
Desktop/LX: Familiar. Powerful. Open.
+1 425 869-2930 voice, +1 425 671-0504 fax





Re: [Zope-dev] Ordered Folder (was: Speaking of 2.6...)

2002-04-23 Thread Joachim Werner

OrderedFolder is not about having an ordered default view in the management
interface. The point is that people want to build menus or web pages that
consist of several objects in a folder, using objectValues()/objectIds().
Without OrderedFolder or a similar approach it is very hard to position
objects in a menu or on a web site.

OrderedFolder has the API to move stuff up or down, insert objects at a
given position, etc. ...

I consider that VERY useful ...

Cheers

Joachim

- Original Message -
From: Lennart Regebro [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 23, 2002 7:13 PM
Subject: Re: [Zope-dev] Ordered Folder (was: Speaking of 2.6...)


 From: Florent Guillaume [EMAIL PROTECTED]
  Also do we want all folders to be ordered by default ?

 I wouldn't want this. I don't know how ordered folder works nowadays, but I
 want it sorted on name by default.













Re: [Zope-dev] PHP vs Zope cost benefit

2002-04-23 Thread Jason Spisak

To everyone who replied to this thread, I give a hearty 
congratulatory Thank you.  They have decided to allow me to 
mock up the app in Zope and prove its worthiness.  I'm already 
halfway done with the first 2 modules. ;-)

To recap what turned the tides were these wins:

1.  Zope's security model is far more scalable and flexible 
than anything home brewed in PHP.

2.  The security model is also audited by many, many people and 
tested and in production all over the place. ;-)

3.  The ease of management for non-technical users to create 
and edit content was a big win since that interface is already 
created and ready to use in many cases.

4. The built in separation of db connectivity/transparency is 
much better than taking the time to design that properly from 
scratch, or using connectivity tools that then needed to be 
'connected' to the app in a safe and transparent way.

5.  The transactional nature of Zope (although they didn't 
believe me when it came to rolling back multiple dbs) impressed 
them and if it really can manage a rollback from a DB and 
transaction safety for inventory, etc... (which I know it can) 
then its a huge win.

Thanks again to all who responded and put on their thinking 
caps to help me start another project using my favorite web app 
of all time.  Thanks, Zopistas!

On Tuesday 23 April 2002 11:01 am, you wrote:
 I think that's a big part of it.  Using something that's
 already documented that has many features of a 'web app'
 built in already, versus scripting those.  But there are a lot
 of prepackaged scripts for Calendars, and database
 connections, shopping carts,  etc... for PHP.  So there's got
 to be more than just the prepackagedness of Zope to choose it
 over PHP.

 On Tuesday 23 April 2002 10:47 am, you wrote:
  I have only minor experience with PHP so this may be
  ignorant, but isn't programming a web application with PHP
  scripts more comparable to programming such an application
  with Python scripts?  If PHP scripts are handling HTTP
  requests directly, that can also be done with pure Python
  scripts.  But if I have to put together a comprehensive web
  application I'm going to be developing a lot of scripts,
  unless I use an integrated, pre-made package of scripts.
  But then, that is really what Zope is, isn't it?
 
  Call me confused,
  Bill
 
  At 10:17 AM 4/23/02 -0700, you wrote:
  I am not a PHP guy by any means, but I imagine having to
   run an extra server (Apache, Postgres vs Apache, Zope,
   Postgres) means there is another server process to watch,
   manage,
  start/restart.  You don't have to do those things with PHP
  scripts.
  
  Perhaps someone with experience with a larger PHP
  implementation under their belt could let us know.
  
  On Tuesday 23 April 2002 9:46 am, you wrote:
  Plus the over head of running Zope instances is
 greater than PHP scripts.
   
Is this really true for anything non-trivial?
 
  --
  The commandments of the LORD are right, bringing joy to
  the heart. The commands of the LORD are clear, giving
  insight to life . . . For this is the love of God, that we
  keep His commandments. And His commandments are not
  burdensome. (Psalm 19:8, 1John
  5:3)http://torahteacher.com/torahteacher.com

-- 
Jason Spisak
Marketing Director, Lycoris
[EMAIL PROTECTED], 
http://www.lycoris.com
Desktop/LX: Familiar. Powerful. Open.
+1 425 869-2930 voice, +1 425 671-0504 fax





[Zope-dev] Trying to FTP to Zope running behind firewall, get login box but no directory listing

2002-04-23 Thread Jason Spisak

It would appear that their FTP implementation is not working
correctly, when connecting to a Zope FTP system behind a 
firewall.  

Zope is running on port 8880 and ftp service works fine from 
inside the firewall on port 8821.  From outside the firewall, I 
get a login prompt, enter my password, but then the directory 
listing never materializes.  Since I get the login prompt, it's 
not a firewall packet issue.

Is this a known issue?  If anyone knows of any quick fixes for 
this, I'm wide open for ideas.

-- 
Jason Spisak
Marketing Director, Lycoris
[EMAIL PROTECTED], 
http://www.lycoris.com
Desktop/LX: Familiar. Powerful. Open.





Re: [Zope-dev] Trying to FTP to Zope running behind firewall, get login box but no directory listing

2002-04-23 Thread Bill Anderson

On Tue, 2002-04-23 at 18:52, Jason Spisak wrote:
 It would appear that their FTP implementation is not working
 correctly, when connecting to a Zope FTP system behind a 
 firewall.  
 
 Zope is running on port 8880 and ftp service works fine from 
 inside the firewall on port 8821.  From outside the firewall, I 
 get a login prompt, enter my password, but then the directory 
 listing never materializes.  Since I get the login prompt, it's 
 not a firewall packet issue.

Do not be so quick to conclude that. FTP *has* firewall problems. Since
I know nothing of the firewall, I can not help in too much detail.

-- 
Bill Anderson
Linux in Boise Club  http://www.libc.org
Amateurs built the Ark, professionals built the Titanic.
Amateurs build Linux, professionals build Windows(tm).






Re: [Zope-dev] Trying to FTP to Zope running behind firewall, get login box but no directory listing

2002-04-23 Thread Anthony Baxter


 
 Do not be so quick to conclude that. FTP *has* firewall problems. Since
 I know nothing of the firewall, I can not help in too much detail.

ftp connections, by default, go from the ftp server->client for the data
connections. The data is carried by a separate channel, on a randomly 
numbered port. I'd say it's almost _certainly_ a firewall issue.


-- 
Anthony Baxter [EMAIL PROTECTED]   
It's never too late to have a happy childhood.
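
Added example, not part of any poster's message: a small decoder for the FTP control-channel lines that negotiate the data connection, showing who opens it and towards which address and port, which is what a firewall rule has to match. It goes beyond the thread by also covering passive mode (the 227 reply); the transcript, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed control-channel lines (C: client, S: server); the addresses are
# illustrative documentation/private ranges, not taken from the thread.
SAMPLE = [
    "S: 230 Login successful",
    "C: PORT 203,0,113,7,19,137",
    "C: LIST",
    "C: PASV",
    "S: 227 Entering Passive Mode (10,0,0,5,195,80)",
    "C: LIST",
]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)


def decode_hostport(text):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); None if absent or invalid."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_connections(lines):
    """List each data connection negotiated on the control channel."""
    found = []
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            mode, opener = "active", "server"    # server dials the client
        elif side == "S" and msg.startswith("227"):
            mode, opener = "passive", "client"   # client dials the server
        else:
            continue
        target = decode_hostport(msg)
        if target is None:
            continue
        addr = ipaddress.ip_address(target[0])
        found.append({"mode": mode, "opened_by": opener, "to": target,
                      "rfc1918_addr": any(addr in n for n in RFC1918)})
    return found


print(*data_connections(SAMPLE), sep="\n")
```

In both modes the login succeeds because it only uses the control connection; the listing needs the second connection, and a 227 reply carrying an RFC 1918 address is unreachable from outside a NAT even when the port is open.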


