Re: [Zope-dev] Stripogram or similar in core
So, in this validation framework, do you envision having a parameter-validating routine being invoked whenever a publicly-exposed method is called by DTML methods, or did you want to focus on mere HTML form validation/stripping? I'm asking because I've had situations when I've needed the ability to restrict access to methods based on the values of their parameters -- that's a little more fine-grained than the current security machinery allows. I've always thought that it might be nice to provide a hook for each method in a Zope class (similar to declarative security statements), and to use this hook to validate the parameters, according to the needs of the user. For string parameters, perhaps we can also have the ability to specify a filter -- something like a search and replace statement, with Sed-like syntax. Andy [EMAIL PROTECTED] wrote: That depends where you do the checking, yes html validation in just a form is not as secure as checking at the application level. What I am suggesting is adding the HTML validation framework into the core of Zope so people can add checking to any level of their application as they wish. Making a standard interface to this gives a the developer chance to put the checking in at the level they choose. ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Custom Login
Hello, Recently, I had to replace ZPublisher's default authentication scheme, as part of a product I'm working on. I am aware of the existence of LoginManager, exUserFolder, etc., but in this case I needed to have a custom login screen at root level, i.e. completely get rid of the basic HTTP authentication and browser popup window. So I replaced some of the HTTPRequest and HTTPResponse methods in order to present the user an HTML form whenever an 'Unauthorized' exception is raised. While I'm sure such an issue has arisen hundreds of times, somehow I was unable to find a product or a How-To that specifically addresses it, which means either I don't know how to browse the Web, or nobody has bothered to document their knowledge in the area. So I went ahead and created a simple Zope product that, upon installing, makes the necessary changes in HTTPRequest and HTTPResponse (HotFix style), so that cookie-based, HTML form login replaces the default one. For the curious, the product can be found at http://www.prism.gatech.edu/~gte085h/zope/CustomLogin/ In regards to this product, I've been pondering some questions that I'd like to be answered by knowledgeable people, if possible: 1. Is there a product that makes the changes I described, and where can I find it? 2. Does anyone think it's a good idea to provide some kind of a standardized API for replacing ZPublisher's authentication? 3. If a user attempts to access a resource, and is denied access, my modified HTTPResponse simply redirects to the login form, without bothering to record the URL the user originally tried to access (which can be a bad or a good thing, I suppose). Is there any way for an HTTPResponse instance to find out the URL of its HTTPRequest? 4. Not entirely related to this topic, but I noticed that the ChannelPipe class, used for communication between ZServer and ZPublisher, serves only one object instance at a time. What would be some practical difficulties in changing this class to serve multiple HTTPResponse instances? Finally, after noticing the ongoing discussion about the error HTML contents produced by ZPublisher upon an exception, I'd like to point out that it's extremely trivial to replace HTTPResponse._error_html and provide either custom behavior (e.g. sending email to the administrator), or custom HTML code, whether loaded from a file or hardcoded. Is anyone interested in me writing a How-To on this topic? The product I described above, already does that, so it would be rather easy for me to put together some documentation, provided that nobody has bothered to write any. Let me know... Sincerely, Ivan Raikov ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] Vulnerability: attacking can get file list and directory
Why not use logrotate, similarly to how you handle the Apache logs? Or set a cron job to clear the logs, if you don't like logrotate... [EMAIL PROTECTED] writes: On a high-traffic site, wouldn't the log get really big, really quickly with tracebacks? It is also nice to have the tracebacks in the browser window for debugging... ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] ZServerSSL trouble
Greetings, I just installed ZServerSSL, but when I try to access the https server, I get the following: Traceback (innermost last): File "/home/ivan/src/Zope-2.1.6-src/z2s.py", line 681, in ? asyncore.loop() File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 115, in loop poll_fun (timeout) File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 62, in poll (r,w,e) = select.select (r,w,e, timeout) ValueError: filedescriptor out of range in select() I don't know enough about Zope innards, so I was wondering if someone can explain when such a situation can occur. I also noticed that the lists (or tuples) r and w get their values from an object called `socket_map', so I'd like to know what the purpose of this object is, and where it is initialized. Regards, Ivan Raikov ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )