Re: [Zope3-Users] Re: Default value for an interface attribute

2007-03-12 Thread Maciej Wisniowski 

 How about checking whether the value of 'default' is a
 callable and if so call it to obtain the default value.
   
 Yup... but evaluation of this is done internally by Zope schema
 package in Field class I think. Seems for me that there is no way
 to define 'default' as callable.
 

 Right. This is an unsupported use case. I bet if someone writes up a
 proposal and brings it up to discussion on zope3-dev@zope.org we'll find
 a common solution to this.

 Please also notice that we're moving to using launchpad more heavily. So
 if you write a proposal in the wiki, please also submit it as a feature
 request (blue print) in launchpad for the Zope 3 product.
I was playing a bit more with this issue and I realized that formlib
fields have 'get_rendered' method which is called to get default
values for a field. It is described at 'Computing default values'
section in formlib/form.txt.

Example from form.txt:

 class MyAddForm(form.AddFormBase):
... actions = ()
...
... def now(self):
... return datetime.datetime(2002, 12, 2, 12, 30)
...
... form_fields = form.Fields(
... form.Fields(IOrder).omit('now'),
... form.Field(IOrder['now'], get_rendered=now),
... )
...
... def setUpWidgets(self, ignore_request=True):
... super(MyAddForm, self).setUpWidgets(ignore_request)

-- 
Maciej Wisniowski
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

[Zope3-Users] Crash

2007-03-12 Thread David Johnson 

Our Zope 3.2.1 server is crashing and we cannot determine why.

The last entry in the access.log is the following:
218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] CONNECT  
sextw.com.tw:25 HTTP/1.0 404 0 - -


There is no other information to indicate why as far as we can tell.   
No exceptions, nothing.


--
David
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Re: [Zope3-Users] Crash

2007-03-12 Thread Maciej Wisniowski 


 The last entry in the access.log is the following:
 218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] CONNECT
 sextw.com.tw:25 HTTP/1.0 404 0 - -

 There is no other information to indicate why as far as we can tell.
 No exceptions, nothing.
Anything in /var/log/messages? Segfault or something like that maybe?

We had similiar issues with Zope2 and there were segfault errors in
messages file
(due to 64 bit architecture and DCOracle2)

-- 
Maciej Wisniowski
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Re: [Zope3-Users] Cancelling AddForm

2007-03-12 Thread Marcin Kołoczek 

Thierry Florac wrote:

  Hi,

even a simple Cancel button which should just redirect the browser actually 
raises
an exception when required fields are missing).

Any help ?
Thanks,

  Thierry Florac
  
Have You read subject (this list): formlib vs. cancel button? Martin 
Aspeli has similar question, and AFAIK there was some clue/solution (at 
least for Cancel button).


Cheers!
/Ramok
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

RE: [Zope3-Users] Crash

2007-03-12 Thread Giovannetti, Mark 


 -Original Message-
 From: David Johnson
 
 Our Zope 3.2.1 server is crashing and we cannot determine why.
 
 The last entry in the access.log is the following:
 218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] CONNECT  
 sextw.com.tw:25 HTTP/1.0 404 0 - -
 

Hi David,

This is an attack on your server to attempt to proxy a 
connection (CONNECT) to a third party SMTP (port 25) server 
(sextw.com.tw).  The CONNECT command (i.e. like POST, GET
and HEAD commands) is part of the HTTP RFC.  It is normally
not needed on the vast majority of http servers and is 
usually disabled.  I do not know how zope3 handles this
case other than by your observed crash.  Technically,
what you are experiencing is a Denial of Service (DoS).
This is only just slightly better than having the actual
CONNECT command succeed.  If it succeeds then you have 
just become a spam engine.

If you could get a packet capture of the incoming traffic
during one of these attacks you might be able to determine
how zope is answering.

I would recommend that you place zope behind an Apache
proxy server for its protection.  Personally, I would rather 
trust in Apache's robustness for dealing with internet threats
than (from my point of view) the relatively unhardened 
internal implementation (twisted or otherwise) that zope 3 
offers.  By unhardened, I mean that zope 3 has not undergone
(to my knowledge) the many years of discovering and fixing
of security issues that apache has.  I do not know the extent
to which zope 3 has undergone any security vulnerability analysis
and testing.

Both of the zope books explain how to place apache in front
of zope and it is quite straightforward.

Mark

-- 
613-947-1359
System Scientist / Scientifique, spécialiste des systèmes
Canada Centre for Remote Sensing / Centre canadien de télédéction
Natural Resources Canada, 588 Booth Street, Ottawa, Ontario, Canada, K1A 0Y7
Ressources naturelles Canada, 588 rue Booth, Ottawa, Ontario, Canada, K1A 0Y7
Government of Canada / Gouvernement du Canada
  
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Re: [Zope3-Users] Crash

2007-03-12 Thread Paul Winkler 
On Mon, Mar 12, 2007 at 11:55:53AM -0400, Giovannetti, Mark wrote:
  From: David Johnson
  
  Our Zope 3.2.1 server is crashing and we cannot determine why.
  
  The last entry in the access.log is the following:
  218.160.132.172 - - [10/Mar/2007:22:11:45 -0500] CONNECT  
  sextw.com.tw:25 HTTP/1.0 404 0 - -
  
 
 Hi David,
 
 This is an attack on your server to attempt to proxy a 
 connection (CONNECT) to a third party SMTP (port 25) server 
 (sextw.com.tw).
(snip)
 I would recommend that you place zope behind an Apache
 proxy server for its protection.

Pound might also be a reasonable choice here. (Haven't tried it
myself.)  But yes, you want *something* in front of Zope.

-- 

Paul Winkler
http://www.slinkp.com
___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users

Re: [Zope3-Users] Cancelling AddForm

2007-03-12 Thread Darryl Cousins 
On Mon, 2007-03-12 at 16:18 +0100, Thierry Florac wrote:
   Hi,
 
 I have several formlib.form.AddForm subclasses in which I've created a
 custom Action via @action(...).
 My problem is that I'd like to be able to launch some of these actions
 (but not all of them, it's action specific) without executing
 automatic formlib controls (actually, for example, even a simple
 Cancel button which should just redirect the browser actually raises
 an exception when required fields are missing).
 
 Any help ?
 Thanks,
 
   Thierry Florac

Hi Thierry,

I implement cancel buttons for formlib like this (probably came from
somewhere but I forget where)::

def always_good(form, action, data):
Helper for actions - will always validate - useful for cancel
actions
return []

class MyAddForm(form.AddForm):
@form.action(_(Cancel), validator=always_good)
def handle_cancel(self, action, data):
self.request.response.redirect(self.nextURL())

Hope that helps, regards,
Darryl

___
Zope3-users mailing list
Zope3-users@zope.org
http://mail.zope.org/mailman/listinfo/zope3-users