Re: [Repoze-dev] Merging repoze.who and tgext.authorization?
! :)

I think this *could* really be a TG-specific thing.

Right. Or at least one that aims itself at frameworks that don't already have an authorization model.

Exactly.

Before I wrote this email, I think we didn't agree with two things:

1.- You preferred to have several group/permission metadata providers, instead of one MD provider that loads everything from many places. I think this is resolved with so-called source adapters being able to act as repoze.who MD providers - what do you think?

Well, I don't quite understand how that's much different than before, but I also realize that you are sold on this idea and it really doesn't matter what I think about it, so I say go for it! ;-)

Great! :)

2.- You didn't find a good idea to try to have these source adapters able to edit the sources under a common API as you thought it'd not be feasible.

So, since the first issue is resolved (I think so) and if I made you change your mind regarding the second issue, would you agree with the creation of the repoze.what project as the successor of tgext.authorization?

I think it'd be great to name it something repozey, and I'd love to see code contributed into the repoze repo. I don't think it's something I'd *personally* use or contribute to, because the systems I develop in already have authorization models that work slightly differently. However, other folks might jump all over it if it existed, especially folks that are using a framework that doesn't already provide an authentication model.

I'm really glad to know that! ;-) So I'll start the migration now!

Cheers.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
___
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] [issue44] Remove mentions on TurboGears
New submission from Gustavo Narea [EMAIL PROTECTED]:

repoze.what (former tgext.authorization) is being turned into a TurboGears independent framework. One of the things to change is remove every mention of TurboGears in the docstrings

--
assignedto: Gustavo
messages: 116
nosy: Gustavo
priority: urgent
status: in-progress
title: Remove mentions on TurboGears
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue44
[Repoze-dev] [issue44] Remove mentions on TurboGears
Gustavo Narea [EMAIL PROTECTED] added the comment:

Finished in r2503

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue44
[Repoze-dev] [issue47] Create the repoze.what network plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

That plugin should provide predicate checkers (e.g., grant access if the user’s IP address belongs to a given IP range, deny access if the user’s host name is “example.org”, grant access based on the user’s ISP).

--
messages: 121
nosy: Gustavo
priority: feature
status: deferred
title: Create the repoze.what network plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue47
[Repoze-dev] [issue50] Create the repoze.what CAPTCHA plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

It will provide a highly extensible CAPTCHA driven authorization mechanism to restrict access to a given resource with predicate checkers. This is possibly the hardest to create plugin.

--
messages: 124
nosy: Gustavo
priority: wish
status: deferred
title: Create the repoze.what CAPTCHA plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue50
[Repoze-dev] [issue51] Create the repoze.what Htgroups plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

It should provide the Htgroups group source adapter.

--
messages: 126
nosy: Gustavo
priority: wish
status: deferred
title: Create the repoze.what Htgroups plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue51
[Repoze-dev] [issue46] Create the repoze.what OAuth plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

This plugin should provide at least repoze.what predicates checkers. It may also provide OAuth- relevant for authorization tasks.

--
messages: 120
nosy: Gustavo
priority: feature
status: deferred
title: Create the repoze.what OAuth plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue46
[Repoze-dev] [issue49] Create the repoze.what LDAP plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

It will provide predicate checkers (e.g., allow access if the user can be reached at a cellular phone, allow access if the user belongs to the “ABC” organization).

--
messages: 123
nosy: Gustavo
priority: wish
status: deferred
title: Create the repoze.what LDAP plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue49
[Repoze-dev] [issue48] Create the repoze.what X.509 plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

That plugin should provide predicate checkers (allow access if the Certificate Authority is XYZ, allow access if the user is called “John Smith” or “Foo Bar”).

--
messages: 122
nosy: Gustavo
priority: feature
status: deferred
title: Create the repoze.what X.509 plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue48
[Repoze-dev] [issue53] Create the repoze.what XML plugin
New submission from Gustavo Narea [EMAIL PROTECTED]:

It will provide adapters to store groups and permissions in XML files.

--
messages: 129
nosy: Gustavo
priority: wish
status: deferred
title: Create the repoze.what XML plugin
topic: repoze.what

Repoze Bugs [EMAIL PROTECTED] http://bugs.repoze.org/issue53
[Repoze-dev] repoze.what 1.0beta1 Release
Hello, everybody.

I am pleased to announce the first beta release of repoze.what, the authorization framework for WSGI applications.

For more information, you may visit the repoze.what website: http://static.repoze.org/whatdocs/

Changes:

* Removed dependencies on TurboGears and Pylons.
* Introduced a framework-independent function (repoze.what.authorize.check_authorization) to check authorization based on a predicate and the WSGI environment, along with the repoze.what.authorize.NotAuthorizedError exception.
* Now repoze.what is 100% documented.
* Moved the predicates from repoze.what.authorize to repoze.what.predicates. Nevertheless, they are imported in the former to avoid breaking TurboGears 2 applications created when tg.ext.repoze.who or tgext.authorization existed.
* Added the Not predicate.
* Now you can override the error message of the built-in predicates or set your own message at instantiation time by passing the ``msg`` keyword argument to the predicate. Example::

      from repoze.what.predicates import is_user
      my_predicate = is_user('carla', msg="Only Carla may come here")

  As a result, if your custom predicate defines the constructor method (``__init__``), then you're highly encouraged to call its parent with the ``msg`` keyword argument. Example::

      from repoze.what.predicates import Predicate

      class MyCoolPredicate(Predicate):
          def __init__(self, **kwargs):
              super(MyCoolPredicate, self).__init__(**kwargs)

* Moved the SQL plugin (repoze.what.plugins.sql) into a separate package. Also moved repoze.what.plugins.quickstart into that package because it's specific to the SQL plugin.
* Log messages are no longer sent to standard output if the ``WHO_LOG`` environment variable is defined, but with ``AUTH_LOG``.
* Now repoze.what uses logging internally to ease debugging.

Backwards-incompatible changes
------------------------------

* If you have custom predicates, you should update the ``eval_with_object`` method, which has been renamed to ``_eval_with_environ`` and only receives one argument (the WSGI environment). This is, if your method's signature looks like this::

      eval_with_object(obj, errors)

  Now it should look like this::

      _eval_with_environ(environ)

  Note that ``errors`` are no longer passed. On the other hand, the ``error_message`` attribute of predicates has been renamed to ``message`` because they are not only used to display errors (see repoze.what.predicates).
* The repoze.what.authorize.require decorator has been removed because it's specific to TurboGears. TurboGears 2 applications will find it at tg.require.

Because this is the first beta release, there should not be more backwards incompatible changes in the coming 1.X releases.

Cheers.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
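The predicate contract described in the announcement above, as an added stand-alone example that is not repoze.what's source and not part of the original message. The base class, Not, is_user and check_authorization are simplified stand-ins that reuse the announcement's names; the boolean return value of ``_eval_with_environ``, the REMOTE_USER lookup, the Indeterminate exception and the ip_in_range predicate (the IP-range check asked for in issue47) are assumptions made for the illustration.

```python
import ipaddress


class NotAuthorizedError(Exception):
    """Stand-in for repoze.what.authorize.NotAuthorizedError."""


class Indeterminate(Exception):
    """Hypothetical: the predicate could not be evaluated at all."""


class Predicate(object):
    """Simplified stand-in for the predicate base class."""

    message = "Access denied"

    def __init__(self, msg=None):
        if msg:
            self.message = msg  # per-instance override, as with ``msg=`` above

    def _eval_with_environ(self, environ):
        raise NotImplementedError


class is_user(Predicate):
    message = "The current user must be the expected one"

    def __init__(self, user_name, **kwargs):
        super(is_user, self).__init__(**kwargs)
        self.user_name = user_name

    def _eval_with_environ(self, environ):
        # Assumption: the authenticated user id is in REMOTE_USER.
        user = environ.get("REMOTE_USER")
        return bool(user) and user == self.user_name


class ip_in_range(Predicate):
    """Hypothetical custom predicate: client address inside a CIDR block."""

    message = "The client address is outside the allowed network"

    def __init__(self, cidr, **kwargs):
        # Pass ``msg`` up so callers can override the denial text.
        super(ip_in_range, self).__init__(**kwargs)
        self.network = ipaddress.ip_network(cidr)

    def _eval_with_environ(self, environ):
        # REMOTE_ADDR is the TCP peer; behind a reverse proxy it is the proxy.
        raw = environ.get("REMOTE_ADDR", "")
        try:
            address = ipaddress.ip_address(raw)
        except ValueError:
            # Returning False here would let Not(...) turn bad input into a grant.
            raise Indeterminate("Unusable REMOTE_ADDR: %r" % (raw,))
        return address in self.network


class Not(Predicate):
    def __init__(self, predicate, **kwargs):
        super(Not, self).__init__(**kwargs)
        self.predicate = predicate

    def _eval_with_environ(self, environ):
        return not self.predicate._eval_with_environ(environ)


def check_authorization(predicate, environ):
    """Return None when the predicate is met, else raise NotAuthorizedError."""
    try:
        granted = predicate._eval_with_environ(environ)
    except Indeterminate as exc:
        raise NotAuthorizedError(str(exc))  # fail closed
    if not granted:
        raise NotAuthorizedError(predicate.message)


def decision(predicate, environ):
    """Helper for the demo: (granted, denial message or None)."""
    try:
        check_authorization(predicate, environ)
    except NotAuthorizedError as exc:
        return False, str(exc)
    return True, None
```

The point of Indeterminate is that a negated predicate must not convert unparsable input into a grant: Not(ip_in_range(...)) is denied when REMOTE_ADDR is missing or malformed.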
Re: [Repoze-dev] repoze.what 1.0beta1 Release
Hello, David.

On Saturday November 29, 2008 19:49:09 David Pratt wrote:
> Awesome docs, Gustavo.

Thanks! :)

> I really like the @require decorator for tg. Wonder how easy it would be to create a security policy in bfg that would perform the same way.

I have no idea, to be honest -- I have not used repoze.bfg yet. Perhaps somebody else on this list will point you in the right direction.

Cheers!

- Gustavo.

> Regards,
> David
>
> On Nov 26, 2008, at 2:54 PM, Gustavo Narea wrote:
> > Hello, everybody.
> >
> > I am pleased to announce the first beta release of repoze.what, the authorization framework for WSGI applications.
> >
> > For more information, you may visit the repoze.what website: http://static.repoze.org/whatdocs/
> >
> > Changes:
> >
> > * Removed dependencies on TurboGears and Pylons.
> > * Introduced a framework-independent function (repoze.what.authorize.check_authorization) to check authorization based on a predicate and the WSGI environment, along with the repoze.what.authorize.NotAuthorizedError exception.
> > * Now repoze.what is 100% documented.
> > * Moved the predicates from repoze.what.authorize to repoze.what.predicates. Nevertheless, they are imported in the former to avoid breaking TurboGears 2 applications created when tg.ext.repoze.who or tgext.authorization existed.
> > * Added the Not predicate.
> > * Now you can override the error message of the built-in predicates or set your own message at instantiation time by passing the ``msg`` keyword argument to the predicate. Example::
> >
> >       from repoze.what.predicates import is_user
> >       my_predicate = is_user('carla', msg="Only Carla may come here")
> >
> >   As a result, if your custom predicate defines the constructor method (``__init__``), then you're highly encouraged to call its parent with the ``msg`` keyword argument. Example::
> >
> >       from repoze.what.predicates import Predicate
> >
> >       class MyCoolPredicate(Predicate):
> >           def __init__(self, **kwargs):
> >               super(MyCoolPredicate, self).__init__(**kwargs)
> >
> > * Moved the SQL plugin (repoze.what.plugins.sql) into a separate package. Also moved repoze.what.plugins.quickstart into that package because it's specific to the SQL plugin.
> > * Log messages are no longer sent to standard output if the ``WHO_LOG`` environment variable is defined, but with ``AUTH_LOG``.
> > * Now repoze.what uses logging internally to ease debugging.
> >
> > Backwards-incompatible changes
> > ------------------------------
> >
> > * If you have custom predicates, you should update the ``eval_with_object`` method, which has been renamed to ``_eval_with_environ`` and only receives one argument (the WSGI environment). This is, if your method's signature looks like this::
> >
> >       eval_with_object(obj, errors)
> >
> >   Now it should look like this::
> >
> >       _eval_with_environ(environ)
> >
> >   Note that ``errors`` are no longer passed. On the other hand, the ``error_message`` attribute of predicates has been renamed to ``message`` because they are not only used to display errors (see repoze.what.predicates).
> > * The repoze.what.authorize.require decorator has been removed because it's specific to TurboGears. TurboGears 2 applications will find it at tg.require.
> >
> > Because this is the first beta release, there should not be more backwards incompatible changes in the coming 1.X releases.
> >
> > Cheers.
> >
> > --
> > Gustavo Narea http://gustavonarea.net/.
> > Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.what.plugins.inifile
Hello, compatriota. :)

On Tuesday December 2, 2008 15:53:42 [EMAIL PROTECTED] wrote:
> I've been working in a repoze.what plugin that uses INI-like files as data sources. You can download v.0.1 from: http://reduc.uc.edu.ve/intranet/tmp/repoze.bfg/repoze.what.plugins.inifile/view
>
> The file format is:
>
>     [section]
>     item
>     item
>     ...

I've just checked the code and it looks nice. :)

> If someone could mentor me to make it production grade quality and release it officially, I'll appreciate it.

Count on me. My comments according to what I found:

1.- For this plugin, I think you don't need the configure_INI_adapters() utility.

2.- Please provide us with the full source, so that we can check other things. Python eggs don't ship with setup.py, for example.

3.- Please write a test suite with testutil to make sure it works as you expect. It's very easy:

I.- Create an ini file to test the Ini group source adapter. It may look like this:

    [admins]
    rms

    [developers]
    rms
    linus

    [trolls]
    sballmer

    [python]
    [php]

II.- Create an ini file to test the Ini permission source adapter. It may look like this:

    [see-site]
    trolls

    [edit-site]
    admins
    developers

    [commit]
    developers

III.- Have repoze.what's testutil to verify your plugin automatically [1]. You may dive into the test suite for the SQL plugin for an example. For example, the test case for the group adapter may look like this (not tested, but should work):

    import os
    import unittest

    from repoze.what.adapters.testutil import GroupsAdapterTester

    class TestGroupsAdapterTester(GroupsAdapterTester, unittest.TestCase):
        def setUp(self):
            super(TestGroupsAdapterTester, self).setUp()
            # Load the fixture that sits next to this test module
            current_dir = os.path.abspath(os.path.dirname(__file__))
            fake_groups = os.path.join(current_dir, 'groups.ini')
            self.adapter = INIGroupAdapter(fake_groups)

4.- In INIFileAdapter, the repoze.what's SourceError exception [2] is better suitable instead of NotImplementedError. This is what users would expect to be raised; NotImplementedError would catch them unaware.

5.- Finally, a minor cosmetic suggestion: Possibly ini is a better name for the plugin because it's shorter. I'm afraid this will be the only Ini-based plugin, and if not, you came up first :) . Anyway, it's a minor issue and it's up to you.

Please don't hesitate to get back with more questions. I'll be glad to help =)

Saludos!

[1] http://static.repoze.org/whatdocs/Manual/ManagingSources.html#module-repoze.what.adapters.testutil
[2] http://static.repoze.org/whatdocs/Manual/ManagingSources.html#repoze.what.adapters.SourceError

PS: Are you planning on enabling write

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
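The file layout discussed in the message above, as an added stand-alone example that is not the plugin's code and not written by either poster: it reads the two sample files from the message (embedded below as constructed data), resolves a user to groups and groups to permissions, and refuses malformed input instead of guessing. The function names, the SourceFormatError class and the treatment of '#' lines as comments are assumptions.

```python
import re

# Constructed sample data, copied from the two files suggested in the message.
GROUPS_INI = """\
[admins]
rms

[developers]
rms
linus

[trolls]
sballmer

[python]
[php]
"""

PERMISSIONS_INI = """\
[see-site]
trolls

[edit-site]
admins
developers

[commit]
developers
"""

_SECTION = re.compile(r"^\[([^\[\]]+)\]$")


class SourceFormatError(ValueError):
    """Hypothetical error type: the source cannot be parsed unambiguously."""


def parse_sections(text):
    """Return {section: set(items)}; raise on anything ambiguous."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        match = _SECTION.match(line)
        if match:
            name = match.group(1).strip()
            if not name or name in sections:
                raise SourceFormatError("line %d: empty or duplicate section" % lineno)
            current = sections[name] = set()
        elif line.startswith("[") or line.endswith("]"):
            # e.g. "[admins" with the closing bracket missing
            raise SourceFormatError("line %d: malformed header %r" % (lineno, line))
        elif current is None:
            raise SourceFormatError("line %d: item %r outside a section" % (lineno, line))
        else:
            current.add(line)
    return sections


def sections_containing(sections, item):
    """Names of all sections that list `item`, as a set."""
    return {name for name, items in sections.items() if item in items}


def permissions_for_user(userid, groups, permissions):
    """Permissions reachable through group membership only."""
    granted = set()
    for group in sections_containing(groups, userid):
        granted |= sections_containing(permissions, group)
    return granted


def is_allowed(userid, permission, groups, permissions):
    # Deny by default: anonymous, unknown user and unknown permission all fail.
    if not userid:
        return False
    return permission in permissions_for_user(userid, groups, permissions)
```

Because permissions are reached only through groups, a user id that happens to equal a group name (for example "admins") gains nothing from the permissions file.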
Re: [Repoze-dev] repoze.what.plugins.ini, version 0.2
Hola, José!

I've attached a patch that fixes a bunch of things, which I'll explain below. Please note that it depends on the latest repoze.what revision in the repository because I've just added support for read-only adapters in the testutil (so now they are fully supported).

Most of the tests that don't pass now seem to be caused by a pyparsing exception:

    ParseException: Expected ] (at char 4), (line:1, col:5)

So the other failures may be a consequence of this. I would've solved that, but I've never used pyparsing (yet).

On Friday December 5, 2008 23:13:07 [EMAIL PROTECTED] wrote:
> 1) Mea culpa. Corrected the typo, added the namespaces, corrected setup.py to add VERSION.txt, and tests/*.ini files. 'python setup.py test' runs and generates no output.

Thanks! It took me a while to spot the problem, but it turned out to be that the test files had execute permissions and thus they were ignored.

> 2) Added 'self.is_writable = False'. I'm working on the writable version.

Cool :)

> It's easy if you don't mind to throw away all the comments in the source files on each change.

I think that would not be a problem.

> 3) No more __init__ in INIAdapter subclasses.
> 4) Created public repository on: http://github.com/jdinuncio/repoze.what.plugins.ini/tree/master

That's awesome. It's very handy to keep track of the development.

> Thanks!

Thanks to you for taking the time to extend repoze.what!

> BTW: Is it OK to use repoze-dev for this thread?

Sure. As Chris already pointed out, this is definitely the right place ;-)

Saludos!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/

diff --git a/repoze/what/plugins/ini/ini.py b/repoze/what/plugins/ini/ini.py index b8f77c7..27a4066 100755 --- a/repoze/what/plugins/ini/ini.py +++ b/repoze/what/plugins/ini/ini.py 
@@ -51,7 +51,7 @@ class INIAdapter(BaseSourceAdapter): return self.info.keys() def _get_section_items(self, section): -return set(sef.info[section]) +return set(self.info[section]) def _find_sections(self, hint): raise SourceError('This is implemented in the groups and ' @@ -61,25 +61,9 @@ class INIAdapter(BaseSourceAdapter): raise SourceError('For including items you must edit the ' 'INI file directly.') -def _exclude_items(self, section, items): -raise SourceError('For excluding items you must edit the ' - 'INI file directly.') - def _item_is_included(self, section, item): return item in self.info[section] -def _create_section(self, section): -raise SourceError('For create a new section you must edit the ' - 'INI file directly.') - -def _edit_section(self, section, new_section): -raise SourceError('For edit a section you must edit the ' - 'INI file directly.') - -def _delete_section(self, section): -raise SourceError('For delete a section you must edit the ' - 'INI file directly.') - def _section_exists(self, section): return section in self.info @@ -89,10 +73,10 @@ class INIGroupAdapter(INIAdapter): def _find_sections(self, hint): userid = hint['repoze.who.userid'] -answer = [] +answer = set() for section in self.info.keys(): if userid in self.info[section]: -answer.append(section) +answer.add(section) return answer @@ -100,10 +84,10 @@ class INIPermissionsAdapter(INIAdapter): INI Permissions Adapters. def _find_sections(self, hint): -answer = [] +answer = set() for section in self.info.keys(): if hint in self.info[section]: -answer.append(section) +answer.add(section) return answer diff --git a/setup.py b/setup.py index c847ed9..592d576 100644 --- a/setup.py +++ b/setup.py 
@@ -20,7 +20,10 @@ setup(name='repoze.what.plugins.ini', packages=find_packages(), include_package_data=True, zip_safe=False, + tests_require=['repoze.what', 'nose'], + test_suite=nose.collector, install_requires=['repoze.what', 'pyparsing'], namespace_packages=['repoze', 'repoze.what', 'repoze.what.plugins'], - entry_points='', + entry_points=\ + , ) diff --git a/tests/test_parser.py b/tests/test_parser.py old mode 100755 new mode 100644 diff --git a/tests/test_plugin_ini.py b/tests/test_plugin_ini.py old mode 100755 new mode 100644 index 0c7296f..2660639 --- a/tests/test_plugin_ini.py +++ b/tests/test_plugin_ini.py @@ -18,15 +18,16 @@ import os.path import unittest -from repoze.what.adapters.testutil import GroupsAdapterTester -from repoze.what.adapters.testutil import PermissionsAdapterTester +from repoze.what.adapters.testutil import ReadOnlyGroupsAdapterTester
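Review bot: In the first ini.py hunk (@@ -51,7), the old line `return set(sef.info[section])` in `_get_section_items` could only ever raise NameError, so this method was not being exercised by any test. Add a test that calls it for an existing section and for a missing one, and decide whether a missing section should surface as the KeyError that `self.info[section]` raises or as SourceError.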
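Review bot: In the second ini.py hunk (@@ -61,25), the overrides for `_exclude_items`, `_create_section`, `_edit_section` and `_delete_section` are dropped, but the override just above them that raises SourceError('For including items you must edit the INI file directly.') is left in place. Drop that one too so every write operation is handled the same way on a read-only adapter, or keep it with a comment saying why including is the exception.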
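Review bot: In `INIGroupAdapter._find_sections` (@@ -89,10), the unchanged line `userid = hint['repoze.who.userid']` raises KeyError when the hint carries no user id. Since the method now returns a set, use `hint.get('repoze.who.userid')` and return an empty set when it is missing, so a request without an identified user ends up with no groups rather than an unhandled exception.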
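Review bot: The mode changes at the end of the patch move tests/test_parser.py and tests/test_plugin_ini.py from 100755 to 100644, but the index line for repoze/what/plugins/ini/ini.py still shows 100755. A library module has no need for the execute bit; change it to 100644 in the same commit.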
Re: [Repoze-dev] repoze.what.plugins.ini passed the test suite.
Hi, José.

On Monday December 8, 2008 21:21:04 [EMAIL PROTECTED] wrote:
> Hello,
>
> * I pushed the last changes on repoze.what.plugins.ini. It now passes the test suite. You can review it at: git://github.com/jdinuncio/repoze.what.plugins.ini.git
>
> Thanks to all.

Congratulations! Indeed the test suite works :) Thanks for your hard work!

Please let me know when you're going to release it so that I can update the docs and place a link to http://github.com/jdinuncio/repoze.what.plugins.ini/wikis (or another URL) as the plugin's site.

Cheers!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
[Repoze-dev] repoze.what RC1 - Ini plugin available
Hello, everybody.

I'm pleased to announce that the first release candidate of repoze.what is out. Also, there was a minor last beta release a few days ago which was so small that it wasn't worth announcing.

Changes since Beta 1:

* Added support for read-only adapters.
* Fixed Python 3 deprecation warnings.

Hey, few changes between non-stable releases is a good thing :)

There is one final backwards-incompatible change, though: The arguments of `repoze.what.middleware.setup_auth` have changed slightly, but it won't affect you at all if you are using the repoze.what quickstart (nearly all TG2 developers).

On the other hand, there's also a new beta for the SQL plugin. Changes are:

* Fixed the broken test suite for Elixir, thanks to Helio Pereira.
* Updated repoze.what.plugins.quickstart.setup_sql_auth according to the backwards incompatible change on repoze.what.middleware.setup_auth introduced in repoze.what-1.0b2.
* Now it's possible to customize the authentication/identification cookie through repoze.what.plugins.quickstart.setup_sql_auth.
* Tons of minor bug fixes.

Finally, I would like to highlight the second repoze.what plugin. It adds support for groups and permissions stored in Ini files and it has been written by José Dinuncio: http://pypi.python.org/pypi/repoze.what.plugins.ini

Enjoy!

PS: Stay tuned! I've already started working on repoze.what 1.5 and hopefully tomorrow I'll talk about the plans.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.what patch for using it with pasteDeploy
Hello, José.

This is awesome. Thank you *very* much!

I'm currently working on a project where I wanted authentication and authorization to be configured from simple files (not from scripts), so it's great news I'll be able to take advantage of this feature :)

However, I'm going to include it in the next release because v1.0 already has a release candidate, and I'd prefer to fix its bugs only (instead of adding features).

Cheers!

On Friday December 12, 2008 15:05:58 jdinu...@uc.edu.ve wrote:
> Hello
>
> I'm interested in using repoze.what with paster, so I made this patch that allows pasteDeploy to initialize repoze.what and its plugins via repoze.who.
>
> Example of Use:
>
> Suppose you have a repoze.bfg instance of name zbfg. You activate repoze.who as usual in zbfg.ini:
>
>     [DEFAULT]
>     debug = true
>
>     [server:main]
>     use = egg:Paste#http
>     host = 0.0.0.0
>     port = 6543
>
>     [app:main]
>     use = egg:zbfg#app
>     reload_templates = true
>     filter-with = who
>
>     [filter:who]
>     use = egg:repoze.who#config
>     config_file = %(here)s/who.ini
>     log_file = stdout
>     log_level = debug
>
> Now, you can configure repoze.who and repoze.what in who.ini
>
>     # the habitual repoze.who plugins
>     [plugin:basicauth]
>     use = repoze.who.plugins.basicauth:make_plugin
>     realm = 'zbfg app'
>
>     [plugin:htpasswd]
>     use = repoze.who.plugins.htpasswd:make_plugin
>     filename = %(here)s/passwd
>     check_fn = repoze.who.plugins.htpasswd:crypt_check
>
>     # Now, repoze.what
>     [plugin:what]
>     use = repoze.what.config:make_plugin
>     config_file = what.ini
>     curdir = %(here)s/
>
>     # the usual repoze.who config
>     [general]
>     request_classifier = repoze.who.classifiers:default_request_classifier
>     challenge_decider = repoze.who.classifiers:default_challenge_decider
>     remote_user_key = REMOTE_USER
>
>     [identifiers]
>     plugins = basicauth
>
>     [authenticators]
>     plugins = htpasswd
>
>     [challengers]
>     plugins = basicauth
>
>     # and repoze.what
>     [mdproviders]
>     plugins = what
>
> repoze.what plugins can be configured in what.ini. One section per plugin, one entry per parameter, plus use=package.module:class to instantiate the plugin:
>
>     [group:ini]
>     use = repoze.what.plugins.ini:INIGroupAdapter
>     filename = group.ini
>
>     [permissions:ini]
>     use = repoze.what.plugins.ini:INIPermissionsAdapter
>     filename = permissions.ini
>
> Best regards

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
[Repoze-dev] [issue52] Create the repoze.what Ini plugin
Gustavo Narea m...@gustavonarea.net added the comment:

fixed by José Dinuncio: http://github.com/jdinuncio/repoze.what.plugins.ini/wikis

--
status: deferred - resolved

Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue52
[Repoze-dev] Plans for repoze.what v2
Hello, everybody.

I've already started the development of the next major release of repoze.what (initially labeled as v1.5), v2.0, and I wanted to let you know about my plans and also get feedback from you.

First of all, please keep in mind that repoze.what's goal is to support common authorization patterns out-of-the-box, but *never* have a default/preferred one.

The enhancements I have in mind are:

repoze.who independence
=======================

Many people have requested this, but repoze.what v1 is the successor of tgext.authorization (former tg.ext.repoze.who; an authorization and authentication framework), whose dependence on repoze.who was high and when development started such a feature was not requested... so it was late to introduce it in v1.

Plus, initially I wanted to take advantage of repoze.who's plugins (specially, mdproviders and challengers) to inject some functionality in the future, but now I realize that it's best for repoze.what to have its own middleware.

So, authorization patterns that rely on the user's identity (such as the groups/permissions-based one) will use REMOTE_USER or a custom key in the environ to get the authenticated user's Id.

This is the only backwards incompatible change I have in mind, but it won't affect projects using the quickstart plugin because it will continue configuring both repoze.who and repoze.what (that's its goal).

Roles support
=============

The most frequently requested feature from non-TurboGears developers :)

The roles-based authorization pattern will be supported and it will be optional, like the groups/permissions-based pattern as of v1.0-rc2.

Roles will be supported through so-called source adapters (like groups and permissions), so developers will be able to store them in Ini or XML files, or even databases. The relevant predicates will be provided too (i.e., has_role, has_any_role and has_all_roles).

Anti-spam pattern
=================

A new authorization pattern will be supported: one based on whether the current user is a known spammer or the submitted contents are spam, according to anti-spam services like Akismet or Defensio (each anti-spam service will be supported by one plugin).

Two predicates will be provided:

* is_spammer: To check whether the current user is a known spammer. For example, if you run a mailing list software with a web interface, you may want to prevent potential spammers from getting the email addresses of the members.
* is_spam: To check whether the submitted content is spam. By default, it will send the POST variables message, author_name, author_email, among others (when available), to the anti-spam service (like Akismet) to check whether it's spam, but all this can be customized. For example, if you have a blog and want to filter out potential spam comments.

And to avoid losing information, contents marked as spam by the anti-spam service will be added to the moderation queue (in a database, XML file, etc).

Most of this work is already done and tested, but not yet usable.

CAPTCHA pattern
===============

CAPTCHA-based authorization will be supported and it will be inspired by repoze.who challengers (it's a very smart design which is extremely extensible), with a CAPTCHA challenge decider and a CAPTCHA challenger (in charge of providing the CAPTCHA image, audio, HTML, etc).

A CAPTCHA challenge can be requested using the is_human predicate, which you can use, for example, in the action that processes the registration form. Then the CAPTCHA challenge decider will run the CAPTCHA challenger, unless the current user (most likely anonymous, but that's up to the developer) has already passed a CAPTCHA challenge in the last 60 minutes (for example).

Feedback?

Cheers!

PS: Of course, contributors are very welcome!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org
Re: [Repoze-dev] Plans for repoze.what v2
Hello,

On Tuesday January 6, 2009 21:08:19 Jorge Vargas wrote:
> I'm not against this per-se I'm just saying that the main reason of creating repoze.what (some months ago) was to emphasize its relation to repoze.who, now that relationship is gone, back then it was a good idea, but now this project has (from an outsider's perspective) no relationship with repoze.* packages. It's not a reinvention of a zope package nor it depends on other repoze components. So what is it?

The way I see the Repoze project, it's _also_ about tools for arbitrary WSGI applications.

> The issue with repoze.what is that it was originally an authorization layer. This proposed change not only takes it outside the authorization realm, but makes it a direct competitor of repoze.who, instead of an extension as it was originally planned.

There's no reason why repoze.what will compete with repoze.who. repoze.who only focuses on authentication and identification, while repoze.what deals and will deal with authorization only; there's not even a single task that can be done with both repoze.who and repoze.what.

Right now you have to configure repoze.who through repoze.what because r.what has to inject its functionality through r.who plugins, which is ugly and imposes some limitations. And that's what would change, since r.what will be absolutely r.who-agnostic.

> So once again I'm not saying no, I'm asking why? and if that is a valid reason will it still be worth naming this package repoze.what?

I'll answer with a question :) : Why not?

After all, the only thing that would change from the user's perspective is that you would have to add two middlewares if you're using both r.who and r.what, instead of a single middleware. But under the hood, it will make things much simpler and more clear. And you'll get a plus: The ability to use a different authentication/identification framework.

Cheers!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] Plans for repoze.what v2
(or if a submitted content is spam), according to an anti-spam service, then that's an authorization pattern.

Likewise, I think that if a given routine is performed based on whether we are certain that the current user is human, then that's another authorization pattern.

And because both authorization patterns are widely used, I think they should be supported out-of-the-box, *although* I wouldn't mind to implement such functionalities in two independent packages, as repoze.what plugins that provide the predicates mentioned above.

Cheers!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] Question regarding repoze.who +sql / repoze.who.plugins.sa
Hello, Mathieu et al.

On Thursday January 8, 2009 00:12:28 you wrote:
> I would like to ask you a simple question, feel free to let me know if you don't have time. I decided to just stick with a basic db authentication, and I am using an external who.ini conf file. The problem is that it seems that repoze tries to open its own session with the database. I would prefer using the one that is already defined inside pylons to avoid redundancies and many db connections. Do you have a clue how it could be done? I guess I wouldn't be able to use the setup file but instead the middleware configuration (even that way, I am not sure how to do it).

Hmmm, repoze.who.plugins.sa doesn't start a new session, instead it always uses the one you specified. In your case, if you have the following line in your who.ini file:

    dbsession = youapp.whatever:DBSession

repoze.who.plugins.sa will use youapp.whatever.DBSession as the SQLAlchemy session, the way you will find here (see SQLAlchemyAuthenticatorPlugin):
http://repoze.org/viewcvs/whoplugins/whoalchemy/trunk/repoze/who/plugins/sa.py?rev=3125&view=markup

Cheers!

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] Plans for repoze.what v2
Hello, (Phew, finally I had the time to continue this thread.) On Wednesday January 7, 2009 07:04:20 you wrote: You can achieve that with repoze.what predicates. You can write your own predicate to check for that condition: # process the post edition... Apologies, I had too much to say about this topic to confine it to this reply. http://www.plope.com/control_inversion Since we're talking about repoze.what staying middleware, I'm not sure how to get truly general and truly declarative context-sensitive security without creating something that resembles decsec in some way. This is the reason I personally quickly gave up on trying to create a general-purpose athorization framework for arbitrary WSGI apps: there are very few people who are willing to deal with the control inversion that any maximally general system would impose. :-( That's not to say that aiming lower isn't useful to a huge swath of people: it definitely is! But I'd like repoze.what to be something that *I* could eventually use in a way that feels familiar and right (call me selfish). OK, now I think I understand what you meant, specially after reading your comment to the article above whose title is swappability. Your suggestion sounds sensible to me and I'm willing to make the authorization pattern available through decsec in repoze.what, along with the groups/permissions-based pattern. The use cases where one of the two patterns would be useful depend on the developer's likes, but there are several use cases that come to my mind in which *both* patterns would be useful in the same application. 
One of them is a CMS whose actions use repoze.what predicates (using the groups/permission pattern), *but* its administration interface provides a friendly interface to customize authorization using the context-sensitive pattern (e.g., the CMS allows people with the edit-page permission to edit any page in the website, but the admin may enforce that the Jobs page could only be edited by people in the HR group). Those documents are rather interesting. ACLs are a good alternative to predicate-based assertions, *and* I think they are not mutually exclusive. The components used in the check aren't really all that important to me. I used ACLs in decsec (and in BFG) because the implementation was straightforward and pretty flexible. But the argument was mostly about being able to service applications that required *context-sensitivity* during security checks in repoze.what, not using ACLs to store the data that will be checked. OK, I'll take it into account. I think that if a given routine is performed based on whether the current user is a known spammer (or if a submitted content is spam), according to an anti- spam service, then that's an authorization pattern. Likewise, I think that if a given routine is performed based on whether we are certain that the current user is human, then that's another authorization pattern. OK, I still don't agree but I don't have enough skin in the game to make any compelling argument against this. And because both authorization patterns are widely used, I think they should be supported out-of-the-box, *although* I wouldn't mind to implement such functionalities in two independent packages, as repoze.what plugins that provide the predicates mentioned above. Making them plugins would fit my brain, sorta. OK, then they won't be in the core. Cheers! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! 
Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.what configuration issues
Hola, Jorge!

On Thursday January 15, 2009 03:28:43 Jorge Vargas wrote:
> bugs in the docs
> - the sample code is wrong, as BaseAuthPlugin isn't an authenticator.

Right, I've just fixed this in trunk. Thanks!

> - setting it as a form_identifies other than having a wrong name add nothing to the log output of repoze.what

form_identifies is not used for that (and it's a boolean):
http://www.turbogears.org/2.0/docs/main/Auth/Customization.html#customizing-authentication-settings
http://code.gustavonarea.net/repoze.what.plugins.sql/Quickstart.html#repoze.what.plugins.quickstart.setup_sql_auth

> I currently added the following to my app_cfg.py file
>
>     base_config.sa_auth.form_plugin = None
>     http_auth = BasicAuthPlugin('my cool site')
>     base_config.sa_auth.form_identifies = [('http_auth', http_auth)]

Try this:

    http_auth = BasicAuthPlugin('my cool site')
    base_config.sa_auth.form_plugin = [('http_auth', http_auth)]

In this case, the form_plugin (a challenger) is also an identifier, so it's not necessary to set form_identifies=True because that's the default value.

HTH.

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.what configuration issues
On Thursday January 15, 2009 15:52:26 Gustavo Narea wrote:
>     base_config.sa_auth.form_plugin = [('http_auth', http_auth)]

BTW, it should be:

    base_config.sa_auth.form_plugin = http_auth

Cheers.

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] Question regarding repoze.who +sql / repoze.who.plugins.sa
Hello, Mathieu. On Wednesday January 14, 2009 00:03:52 you wrote: I had to change the username field in the database to: user_name even if the parameter user_name_translation was set to something else but this is minor. Can you please paste the translation line? The key is user_name, not user_name_translation, by the way. Now, the issue I have is that when I am logging in or out, the url is not redirected to the referer but to the actual login form. When I am looking at the log, the plugin forms was asked twice to be identified. I can understand that the referer is set the the form after the second passage but is it normal? I didn't understand this very well. The normal behavior is: - when you visit a restricted area in your website, you'll get the login form and after you login, you'll get redirected to the restricted page above. - if you visit the login page voluntarily, then you'll get redirected to the home page after login. - if you visit the logout page, you'll get redirected to the previous page. Is this the behavior you've noticed? Do you think maybe my who.ini was not properly set up? Here is the last part: [identifiers] plugins = redirform auth_tkt [authenticators] plugins = sa_auth [challengers] plugins = redirform That seems right, but it may also be useful to know how you're defining redirform. Cheers! - Gustavo. Thank you, Mathieu 2009/1/13 Gustavo Narea m...@gustavonarea.net Hello, Mathieu et al. On Thursday January 8, 2009 00:12:28 you wrote: I would like to ask you a simple question, feel free to let me know if you don't have time. I decided to just stick with a basic db authentication, and I am using an external who.ini conf file. The problem is the it seems that repoze tries to open its own session with the database. I would prefer using the one that is already defined inside pylons to avoid redundancies and many db connections. Do you have a clue how it could be done? 
I guess I wouldn't be able to use the setup file but instead the middleware configuration (even that way, I am not sure how to do it). Hmmm, repoze.who.plugins.sa doesn't start a new session, instead it always uses the one you specified. In your case, if you have the following line in your who.ini file: dbsession = youapp.whatever:DBSession repoze.who.plugins.sa will use youapp.whatever.DBSession as the SQLAlchemy session, the way you will find here (see SQLAlchemyAuthenticatorPlugin): http://repoze.org/viewcvs/whoplugins/whoalchemy/trunk/repoze/who/plugins/ sa.py?rev=3125view=markup Cheers! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Question regarding repoze.who +sql / repoze.who.plugins.sa
Hello, Mathieu. On Thursday January 15, 2009 21:18:00 Mathieu Drapeau wrote: I do not get redirected to the restricted page (ex. test.html), I do get redirected to the same form again (ex. loginform.html) after entering a valid user/pass. I do look if I am authenticated after I filled the form and I do. Based on the logs, the authentication process seems to be called twice and it is why the came_from is changed from test.html to loginform.html. OK, I see, but we can't help if you don't show us the way you're configuring the plugin, as I asked in the previous email ;-) By the way, so time ago somebody using TG2 was getting that behavior because the login form was not using login for the user name field and password for the password field. Can you please make sure that's not the problem? If not, then also post the code for your login form. Cheers. -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Question regarding repoze.who +sql / repoze.who.plugins.sa
Hello, Mathieu. Did you already set the came_from parameter passed to the login handler as I mentioned on IRC? I am sure that's the problem. If it doesn't solve the problem, then please post the code of the form *and* the code of the action that handles the display of the form. Cheers. On Friday January 16, 2009 19:04:22 Mathieu Drapeau wrote: Hi Gustavo, The input fields are like that: input type=text name=login/input input type=password name=password/input And here is my config file: http://pastebin.com/f55810cb3 -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] Handling authorization denials with repoze.who and repoze.what
Hello, everybody. There's a common task in systems using authentication and authorization, and that's handling an authorization denial. However, I'm not sure if repoze.what v2 should play a role in such a handling (v1 does not). The way things work right now by default, when the WSGI application denies authorization, repoze.who handles it by running a challenger (regardless of whether the user has been authenticated or not). So, I think it *might* be a good idea if repoze.what will handle such denials, if and only if the user had been authenticated -- possibly implementing repoze.who-like challengers. If the user is anonymous, then it'll get handled by repoze.who (if you're using it; it won't be mandatory as of r.what v2). This way we avoid displaying the login form to an already logged in user; another solution is to write a repoze.who challenge decider. But anyway, I think repoze.what v2 should support repoze.who-like challengers, as sometimes authorization depends on an action from the user (on demand). For example, if you have a WHOIS website you'll want people trying to access a domain's data to demonstrate they're human by using a CAPTCHA (a repoze.what plugin might provide CAPTCHA support using a repoze.what challenger which displays a form with all the code for the user to answer the question and also validate it). I see challenger plugins in repoze.what as the most extensible way to deal with such situations. So, should repoze.what v2 play a role handling authorization denials? If so, how? Thanks in advance! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
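The two options raised in the message above, sketched as an added example that is not part of the original post or of repoze.who/repoze.what: a challenge decider using the repoze.who `(environ, status, headers)` signature, and a hypothetical `AuthenticatedDenialHandler` middleware that turns a 401 for a logged-in user into a 403. It assumes repoze.who stores the identity under `environ['repoze.who.identity']`; `denying_app` and `status_seen_upstream` are constructed for the demonstration.

```python
def anonymous_only_challenge_decider(environ, status, headers):
    """Challenge decider with the repoze.who signature: ask for credentials
    only when the 401 was produced for a request without an identity."""
    if not status.startswith("401 "):
        return False
    return not environ.get("repoze.who.identity")


class AuthenticatedDenialHandler(object):
    """Hypothetical WSGI middleware sitting between repoze.who and the
    application: a 401 for an already authenticated user becomes a 403,
    so the login form is never shown to somebody who is logged in."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            # Buffer the application's answer so it can still be replaced.
            captured["status"], captured["headers"] = status, list(headers)

        app_iter = self.app(environ, capture)
        try:
            body = b"".join(app_iter)
        finally:
            if hasattr(app_iter, "close"):
                app_iter.close()

        denied = captured["status"].startswith("401 ")
        if denied and environ.get("repoze.who.identity"):
            body = b"You are logged in but not allowed to do this."
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
        else:
            start_response(captured["status"], captured["headers"])
        return [body]


def denying_app(environ, start_response):
    """Constructed sample application that denies every request."""
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"denied"]


def status_seen_upstream(environ):
    """Return the status line that the layer above the handler receives."""
    seen = []
    handler = AuthenticatedDenialHandler(denying_app)
    handler(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0]


if __name__ == "__main__":
    logged_in = {"repoze.who.identity": {"repoze.who.userid": "alice"}}
    print(status_seen_upstream({}))         # anonymous request
    print(status_seen_upstream(logged_in))  # authenticated request
```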
Re: [Repoze-dev] Handling authorization denials with repoze.who and repoze.what
On Monday January 19, 2009 14:04:02 Gustavo Narea wrote: So, should repoze.what v2 play a role handling authorization denials? If so, how? Hmmm, another solution is to support error handlers (instead of challengers), as TG2 is going to do (http://trac.turbogears.org/ticket/2112). It may go into repoze.what itself, rather than being implemented on a per framework basis. Cheers. -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] repoze.what 1.0 Final and 1.0.1 released
Hello, everybody!

Two days ago I released repoze.what 1.0 Final, but before I could announce it yesterday on the mailing lists, Alberto found an important bug that affects production websites. So here I'm announcing both releases:

repoze.what 1.0.1 (2009-01-21)
==============================

This release fixes an important bug which *may* affect production Web sites depending on how you use the ``All`` predicate or any of its derivatives (``has_all_permissions`` and ``in_all_groups``). TurboGears 2 applications are all affected, at least by default. This was found by and solved with the help of Alberto Valverde http://albertovalverde.es/ (¡Gracias, Alberto!).

The likelihood that this will affect your application is very high, so upgrading is highly recommended if it's on production.

* Some :mod:`repoze.what` :mod:`predicates <repoze.what.predicates>` were not thread-safe when they were instantiated in a module and then shared among threads (as used in TurboGears 2). We fixed this by making :meth:`repoze.what.predicates.Predicate.eval_with_predicate` raise an exception if the predicate is not met, instead of returning a boolean and setting the ``error`` instance attribute of the predicate to the predicate failure message. So if you are using that method directly, instead of using :func:`repoze.what.authorize.check_authorization`, this is a backwards incompatible change for you and thus you should update your code.

  If you check predicates like this (which is discouraged; see :func:`repoze.what.authorize.check_authorization`)::

      from repoze.what.predicates import is_user, in_group, All
      p = All(is_user('someone'), in_group('some-group'))
      environ = gimme_the_environ()
      # A true return value means that the predicate was met
      if p.eval_with_environ(environ):
          print('Authorization is granted')
      else:
          print('Authorization is denied: %s' % p.error)

  Then you should update your code like this::

      # This way of checking predicates is DISCOURAGED. Use
      # repoze.what.authorize.check_authorization() instead.
      from repoze.what.predicates import is_user, in_group, All, PredicateError
      p = All(is_user('someone'), in_group('some-group'))
      environ = gimme_the_environ()
      try:
          p.eval_with_environ(environ)
          print('Authorization is granted')
      except PredicateError, error:
          print('Authorization is denied: %s' % error)

  .. note::
      Because of this, TurboGears 2 users who want to use this release, should try the latest revision in the TG2 Subversion repository or wait for TurboGears-2.0b4. But again, there's no hurry if your application is not in production.

* For forward compatibility with :mod:`repoze.what` v2, the user id used in the built-in predicates is that found in ``environ['repoze.what.credentials']['repoze.what.userid']`` and the adapters loaded are now available at ``environ['repoze.what.adapters']``. This is *not* a backwards incompatible change.

repoze.what 1.0 (2009-01-19)
============================

This is the first stable release of :mod:`repoze.what` and it was announced on the `Repoze blog <http://blog.repoze.org/repoze-what-1-dot-oh-20090119.html>`_.

* Fixed a problem with unicode support in :func:`repoze.what.authorize.check_authorization`, reported by Chen Houwu on TurboGears mailing list.
* Added the current user's groups and permissions to the newly-created ``environ['repoze.what.credentials']`` dictionary for forward compatibility with :mod:`repoze.what` v2. Such values are still defined in the :mod:`repoze.who` ``identity`` dictionary, but its use is highly discouraged as of this release. See :mod:`repoze.what.middleware`.
* Applied work-around to fix Python v2.4 and v2.5 support.

I hope you will enjoy it!

Cheers.

[1] http://blog.repoze.org/repoze-what-1-dot-oh-20090119.html

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
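The thread-safety problem described in the 1.0.1 notes above, reproduced as an added example with minimal stand-in classes (this is not repoze.what's code): `SharedStateInGroup`, `RaisingInGroup`, the `pause` hook and the two sample users are hypothetical, and the events force the interleaving that a busy multi-threaded server hits by chance. With the failure message stored on a module-level predicate instance, one request's denial reports another user's message; raising an exception keeps the message local to the request.

```python
import threading


class PredicateError(Exception):
    """Stand-in for repoze.what.predicates.PredicateError."""


class SharedStateInGroup(object):
    """Pre-1.0.1 style: returns a bool and stores the failure on the instance."""

    def __init__(self, group):
        self.group = group
        self.error = None

    def eval_with_environ(self, environ, pause=None):
        if self.group in environ["groups"]:
            return True
        self.error = "%s is not in group %s" % (environ["user"], self.group)
        if pause:
            pause()  # constructed scheduling point: another thread runs here
        return False


class RaisingInGroup(object):
    """1.0.1 style: the failure message travels with the exception."""

    def __init__(self, group):
        self.group = group

    def eval_with_environ(self, environ, pause=None):
        if self.group not in environ["groups"]:
            message = "%s is not in group %s" % (environ["user"], self.group)
            if pause:
                pause()
            raise PredicateError(message)


def denial_from_attribute(predicate, environ, pause):
    """Read the denial message the old way, from the shared instance."""
    if predicate.eval_with_environ(environ, pause):
        return None
    return predicate.error


def denial_from_exception(predicate, environ, pause):
    """Read the denial message the new way, from the raised exception."""
    try:
        predicate.eval_with_environ(environ, pause)
    except PredicateError as error:
        return str(error)
    return None


def run_two_requests(predicate, check):
    """Evaluate one shared predicate for two users in two threads, with bob's
    evaluation forced to happen in the middle of alice's."""
    alice_failed, bob_failed = threading.Event(), threading.Event()
    results = {}

    def alice():
        def pause():
            alice_failed.set()
            bob_failed.wait(5)
        environ = {"user": "alice", "groups": set()}
        results["alice"] = check(predicate, environ, pause)

    def bob():
        alice_failed.wait(5)
        environ = {"user": "bob", "groups": set()}
        results["bob"] = check(predicate, environ, bob_failed.set)

    threads = [threading.Thread(target=target) for target in (alice, bob)]
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    return results


if __name__ == "__main__":
    print(run_two_requests(SharedStateInGroup("admins"), denial_from_attribute))
    print(run_two_requests(RaisingInGroup("admins"), denial_from_exception))
```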
Re: [Repoze-dev] repoze.what custom predicate parameters
On Monday January 26, 2009 16:18:36 Florent Aide wrote: a here is the patch that would permit to write the kind of predicates I need... Gustavo, what do you think? Is that ok with you to apply this on the trunk. You broke compatibility anyway so why not break it a little more... :) Well, I've not broken compatibility since the first stable release and I hope that won't ever be necessary. I've just deprecated some things for forward compatibility. :) The problem is that people are not expected to evaluate predicates by themselves using Predicate.evaluate(); that's what check_authorization() is for: http://static.repoze.org/whatdocs/Manual/Predicates.html#repoze.what.predicates.Predicate.evaluate Therefore, unfortunately it'd be useless that .evaluate() was able to receive arbitrary arguments and keyword arguments because it will never receive them. It'll only receive what check_authorization() passes to it (unless you run .evaluate() by yourself, which is discouraged -- check_authorization() does some useful things for you unlike plain .evaluate()). As I mentioned in the previous email, I agree that context-sensitive authorization should require less code (i.e., not using paste.request.parse_formvars by yourself). But my concern is how to do it without breaking compatibility. I'm open to any solution that won't break compatibility. In repoze.what v2, the way I'll address this is by passing the POST and GET variables to .evaluate() too. At least that's the solution I have in mind right now. Cheers! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what custom predicate parameters
On Monday January 26, 2009 17:50:25 Florent Aide wrote: this won't work with urls of the form: /blog/post/post_id and thus we'll need to devise something more, like introspection of the decorated controller's method's args... That's a good point. Fortunately I read this email before sending the other email/poll to the Repoze and TG mailing lists. Let's continue this over there :) Cheers. -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] update of repoze.what.plugins.sql to 1.0b1 breaks auth
Hello, Bruno.

I had that problem around 1 hour ago and I'm fixing it right now. I didn't notice it before because of a typo in the test suite, exactly where it should've been detected :-/

I'll make another release today. Thanks!

Cheers

Wednesday January 28, 2009 11:59:35 binet bruno wrote:
> Hi,
>
> Today I've updated repoze.what.plugins.sql from egg repoze.what.plugins.sql-1.0a5_r3122-py2.5.egg to egg repoze.what.plugins.sql-1.0b1-py2.5.egg, and it breaks my authentication system in pylons. Looking at source code, it comes from method _find_sections from SqlGroupsAdapter which expects to receive dict credentials as argument from repoze.what middleware, but receives instead the identity dict which doesn't contain key 'repoze.what.userid'. Looks like confusion between identity and credentials dicts... Is that a newly introduced bug?
>
> Here is the traceback from pylons:
>
> URL: http://127.0.0.1:5000/dummy_auth/credentials
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/WebError-0.9.1-py2.5.egg/weberror/evalexception.py', line 428 in respond
>   app_iter = self.application(environ, detect_start_response)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/Beaker-1.1.2-py2.5.egg/beaker/middleware.py', line 81 in __call__
>   return self.app(environ, start_response)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/Beaker-1.1.2-py2.5.egg/beaker/middleware.py', line 159 in __call__
>   return self.wrap_app(environ, session_start_response)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/Routes-1.10.1-py2.5.egg/routes/middleware.py', line 118 in __call__
>   response = self.app(environ, start_response)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.who-1.0.10-py2.5.egg/repoze/who/middleware.py', line 85 in __call__
>   self.add_metadata(environ, classification, identity)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.who-1.0.10-py2.5.egg/repoze/who/middleware.py', line 171 in add_metadata
>   plugin.add_metadata(environ, identity)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.what-1.0.2-py2.5.egg/repoze/what/middleware.py', line 94 in add_metadata
>   groups, permissions = self._find_groups(identity)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.what-1.0.2-py2.5.egg/repoze/what/middleware.py', line 74 in _find_groups
>   groups |= set(grp_fetcher.find_sections(identity))
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.what-1.0.2-py2.5.egg/repoze/what/adapters/__init__.py', line 170 in find_sections
>   return self._find_sections(hint)
> File '/home/bbinet/dev/mapcat/util/VP_mapcat/lib/python2.5/site-packages/repoze.what.plugins.sql-1.0b1-py2.5.egg/repoze/what/plugins/sql/adapters.py', line 302 in _find_sections
>   id_ = credentials['repoze.what.userid']
> KeyError: 'repoze.what.userid'
>
> Cheers,
> Bruno

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] [r.what] Backwards incompatibility in exchange for better context sensitivity?
Hello,

I'm sorry about the big delay, I had little time to work on this lately.

On Monday January 26, 2009 20:03:20 Tres Seaver wrote:
> I would make 'check_authorization' call a new method 'evaluate_with_variables', which just passes through to 'evaluate' in the base class (Predicate): people could override it to do the extra checking. The cost is one extra function call for those not using the indirection, but preserves backward compatibility.

Thanks for that, Tres!

I solved this inspired by your suggestion: I added a method which returns the POST and GET variables, so that you can use it as in:

    from repoze.what.predicates import Predicate
    # Say you use SQLAlchemy:
    from yourcoolapplication.model import BlogPost, DBSession

    class post_is_managed_by_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def evaluate(self, environ, credentials):
            # Extracting the post Id from the GET variables
            vars = self.get_variables(environ)
            post_id = vars.get.get('post_id')
            # Loading the post object
            post = DBSession.query(BlogPost).get(post_id)
            # Checking if it's the author
            if post.author_userid != credentials.get('repoze.what.userid'):
                self.unmet(post_id=post_id, author=post.author_userid)

Then you can build the following compound predicates:

    from repoze.what.predicates import All, has_permission
    # Can the user edit the post?
    p1 = All(has_permission('edit-posts'), post_is_managed_by_author())
    # Can the user delete the post?
    p2 = All(has_permission('delete-posts'), post_is_managed_by_author())

This way backwards compatibility is not broken. It will be available in repoze.what 1.0.4, which I hope to release tomorrow.

What do you people think about it?

Cheers.

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
[Repoze-dev] repoze.what v1.0.4 is out
Hello, everybody. I'm pleased to announce that repoze.what v1.0.4 is out! The changelog is available at: http://static.repoze.org/whatdocs/News.html#repoze-what-1-0-4-2009-02-06 The new feature that deserves to be highlighted is that request sensitive predicate checkers are now easier to write, as explained here: http://static.repoze.org/whatdocs/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request A small note to TG2 users: Don't worry if you get some deprecation warnings, there's nothing to update in your code. They'll disappear when you upgrade to trunk or the sixth beta. Cheers! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [what] requirement for repoze.what.plugins.quickstart incompatible with svn dev
Bonjour, Florent ! On Tuesday February 10, 2009 11:07:37 Florent Aide wrote: the requirement is: repoze.what.plugins.sql = 1.0rc1 and should read: repoze.what.plugins.sql 1.0rc0 in order that we can use the svn trunk version in develop mode because trunk is in 1.0rc1 right now and once developped its labelled as 1.0rc1dev which is normal and permits to differentiate from the future released version. Version 1.0rc1 was released almost two weeks ago and it's been available in PYPI and the TG2 index: http://pypi.python.org/pypi/repoze.what.plugins.sql/1.0rc1 http://svn.turbogears.org/site_resources/tg2_index/current/ I just forgot to bump the version number in trunk ;-) BTW could I have access to the repoze.what.* svn repositories? I (with much help from ChrisM and much improvement from Gustavo) am the original author of some of this code and I'd like to help maintain it somewhat :) That'd be cool! In the documentation there's a section which is an introduction on how repoze.what works under the hood, so you may find it useful since it's changed a lot since tg.ext.repoze.who (it will also help you understand its plugins). And if you don't get answer to the question you have, please don't hesitate to contact me. Salut ! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [what] Latest what revision does not work with TG2
Hello, Florent!

I think you downloaded repoze.what v2. The repository for v1 is at:
http://svn.repoze.org/repoze.what/branches/1.X/

Trunk (v2) is experimental and very unstable right now.

Cheers.

On Tuesday February 10, 2009 09:21:42 Florent Aide wrote:
> Hi all,
>
> trying latest trunk of tg2, repoze.who, repoze.what and repoze.what.plugin.sql get the following traceback:
>
>   File "/home/faide/progs/ENVS/tg2/checkouts/turbogears-2.0/tg/configuration.py", line 607, in make_base_app
>     app = self.add_auth_middleware(app)
>   File "/home/faide/progs/ENVS/tg2/checkouts/turbogears-2.0/tg/configuration.py", line 480, in add_auth_middleware
>     from repoze.what.plugins.quickstart import setup_sql_auth
>   File "/home/faide/progs/ENVS/tg2/checkouts/repoze.what.plugins.sql/repoze/what/plugins/quickstart.py", line 23, in <module>
>     from repoze.what.middleware import setup_auth
> ImportError: cannot import name setup_auth
>
> Does someone know if this is logical. Looking at the source there is indeed no more setup_auth in middleware.py...
>
> Florent.

-- 
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.who and script_name
On Monday February 9, 2009 18:24:55 Mark Ramm wrote: Yea, I think he's talking about SCRIPT_NAME. Not sure where the confusion comes from, but yea, I think his patch makes sense only if you replace SCRIPT_PATH with SCRIPT_NAME. Oh, right, I don't know how I made the same mistake twice! :-O I'm fixing this in repoze.what-quickstart and I'll make a release in a few minutes. Cheers. --Mark On Mon, Feb 9, 2009 at 5:18 AM, Chris McDonough chr...@plope.com wrote: FTR, I tried to apply the patch referenced in Lukasz' email to redirectingformplugin, but as I was doing that, I realized I don't know where SCRIPT_PATH is supposed to come from. It's not a CGI or WSGI envvar as far as I can tell and it's not in wsgiorg.routing_args either. Is it supposed to be SCRIPT_NAME? I also took a look at FriendlyRedirectingFormPlugin. FTR, I intend to add some facility to who in the near future that makes it possible to log a user out without necessarily displaying the challenge form (by maybe allowing the app to return a 403 Forbidden, which would forget credentials but just display the body of the page returned without actually invoking any challenger). For this reason, I think FriendlyRedirectingFormPlugin should probably remain part of r.what until we figure that out. Hopefully that's OK. - C Lukasz Szybalski wrote: On Fri, Feb 6, 2009 at 9:22 AM, Gustavo Narea m...@gustavonarea.net wrote: Hello, On Friday February 6, 2009 15:47:28 Chris McDonough wrote: Gustavo, don't you have a redirecting form plugin that already does this? Yes, I think it's the one he's using. It takes the SCRIPT_PATH into account when redirecting to the post- login/logout pages, thanks to the ._get_full_path() method: http://repoze.org/viewcvs/repoze.what/plugins/quickstart/trunk/repoze/w hat/plugins/quickstart.py?rev=3497view=markup However, the redirection to the login handler (performed by RedirectingFormPlugin), the SCRIPT_PATH is not taken into account because of the bug in RFP. 
Lukasz, if you're using repoze.who with the patch I uploaded, it should work because both the RedirectingFormPlugin and the FriendlyRedirectingForm plugins will be aware of the SCRIPT_PATH. The problem you describe is with the patch applied or without it? Apologies, Gustavo has mentioned this patch to me, and I've been trying to review this work, but I've been out of pocket on customer projects for the last two weeks. In the meantime this is a plugin to repoze.who, so even if Gustavo hasn't already forked off a patched version, you can plug in a patched version using the diff and use it. The patch break tests, so I'll need to investigate, but you can certainly use a patched plugin as necessary. The patch I sent to you makes RFP aware of the script path but breaks one of the tests that I added, since I didn't include the ._get_full_path() method. But the patch linked to by Lukasz includes it. Chris, I can merge the FriendlyRedirectingFormPlugin into RedirectingFormPlugin (keeping backwards compatibility) and send you a new patch (including the new tests; with all of them passing), if this can help getting the fix applied sooner. This would be great. The sooner we can get all parts in and pass all tests then hopefully new version could come out on Monday. Thanks a lot, Lucas Cheers! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.who and script_name
On Monday February 9, 2009 21:34:43 Chris McDonough wrote:
> The thing you sent over a patch and a bugreport for is a plugin for repoze.who's RedirectingFormPlugin. This plugin happens to ship with repoze.who itself (it's one of the default plugins), but TG2's what quickstart doesn't actually use this plugin directly anyway: it overrides it with the Friendly version, which is part of r.what; so fixing the Friendly one in r.what's quickstart should mean you're good to go without requiring any new repoze.who release.

Not exactly. The bug in RedirectingFormPlugin will still be present even if used through FriendlyRedirectingFormPlugin because the challenger of the former redirects to the login page ignoring the script name.

> Of course, we'll fix r.who in the meantime and eventually release a fixed version, but you shouldn't need to wait for us to do so. I would have just applied the SCRIPT_NAME patch that Gustavo wrote to RedirectingFormPlugin if it had been correct; but as it stands, it can't work, so I'll need to understand the issue and write a correct patch which I haven't had time to do yet.

The problem of the patch was in the use of SCRIPT_PATH (instead of SCRIPT_NAME).

Cheers.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.who and script_name
Hello, Chris.

On Wednesday February 11, 2009 02:07:35 Chris McDonough wrote:
> I don't understand. Why would both a RedirectingFormPlugin and a FriendlyRedirectingFormPlugin be active in the same configuration? I see that you've added the SCRIPT_NAME patch to the challenge method of the friendly version, that's not enough?
>
> Oh wait. I see. You're calling the superclass' challenge and identify. Can you just not do that? At this point, FriendlyRedirectingPlugin should just be a plain old fork I think. There's no purpose in using RedirectingFormPlugin as a base class here anymore, as you've overridden every one of its API methods.
>
> People shouldn't be hamstrung by r.who.plugin implementations; it's fine to just 100% fork implementation here; cut-n-paste is de rigueur for plugins. It's actually preferable, I think, because then unexpected changes in the base class don't break the subclasses.

Good idea. I'll fork it instead of extending it.

>>> Of course, we'll fix r.who in the meantime and eventually release a fixed version, but you shouldn't need to wait for us to do so. I would have just applied the SCRIPT_NAME patch that Gustavo wrote to RedirectingFormPlugin if it had been correct; but as it stands, it can't work, so I'll need to understand the issue and write a correct patch which I haven't had time to do yet.
>>
>> The problem of the patch was in the use of SCRIPT_PATH (instead of SCRIPT_NAME).
>
> Cool. You've tested it interactively, I presume, and it does the right thing? (Just looking for confirmation so I can apply the fix without needing to set up an interactive test environment).

I didn't test it myself, but it should work because Lukasz did test it and it worked, and also because it's mentioned here:
http://www.python.org/dev/peps/pep-0333/#environ-variables

Cheers!

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
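The bug discussed in this thread, as an added example that is not repoze.who or repoze.what code: a challenger that redirects to the login form without prefixing the WSGI SCRIPT_NAME sends the browser outside an application mounted under a path prefix. The names full_path, RedirectingChallenger, mount, protected_app and login_redirect are hypothetical, and the request environ is constructed.

```python
from urllib.parse import urlencode
from wsgiref.util import request_uri, setup_testing_defaults, shift_path_info


def full_path(path, environ):
    """Prefix an application-relative path with SCRIPT_NAME (PEP 333)."""
    if path.startswith("/"):
        return environ.get("SCRIPT_NAME", "") + path
    return path  # absolute URLs such as https://sso.example/login stay as-is


class RedirectingChallenger:
    """Toy middleware: replace the application's 401 with a login redirect."""

    def __init__(self, app, login_form_url="/login", honour_script_name=True):
        self.app = app
        self.login_form_url = login_form_url
        self.honour_script_name = honour_script_name

    def __call__(self, environ, start_response):
        captured = {}

        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
            return lambda data: None  # WSGI write() callable, unused here

        body = self.app(environ, capture)
        if not captured["status"].startswith("401"):
            start_response(captured["status"], captured["headers"])
            return body
        if hasattr(body, "close"):
            body.close()
        target = self.login_form_url
        if self.honour_script_name:
            target = full_path(target, environ)
        separator = "&" if "?" in target else "?"
        query = urlencode({"came_from": request_uri(environ)})
        start_response("302 Found", [("Location", target + separator + query)])
        return [b""]


def mount(prefix, app):
    """Serve app under prefix by moving it from PATH_INFO to SCRIPT_NAME."""
    name = prefix.strip("/")

    def dispatcher(environ, start_response):
        first_segment = environ.get("PATH_INFO", "").split("/")[1:2]
        if first_segment == [name]:
            shift_path_info(environ)  # SCRIPT_NAME becomes "/blog"
            return app(environ, start_response)
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]

    return dispatcher


def protected_app(environ, start_response):
    """Constructed sample application: every page requires a login."""
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"login required"]


def login_redirect(honour_script_name, url_path="/blog/admin"):
    """Request url_path from the app mounted at /blog; return status, Location."""
    environ = {"PATH_INFO": url_path, "SCRIPT_NAME": "",
               "HTTP_HOST": "example.test"}  # constructed request
    setup_testing_defaults(environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    challenger = RedirectingChallenger(
        protected_app, honour_script_name=honour_script_name)
    mount("/blog", challenger)(environ, start_response)
    return seen["status"], seen["headers"].get("Location")


if __name__ == "__main__":
    print("ignoring SCRIPT_NAME:", login_redirect(False)[1])
    print("using SCRIPT_NAME:   ", login_redirect(True)[1])
```

With the prefix ignored, the Location header points at /login on the server root, which belongs to whatever else is mounted there rather than to the application that issued the challenge.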
Re: [Repoze-dev] repoze.what-pylons bug
Hello, Bruno.

That's right, today I released v1.0b2 to fix it. Please upgrade and let me know if now it works for you.

Cheers!

On Wednesday February 11, 2009 16:32:09 binet bruno wrote:
> Hi.
>
> I am currently testing the new repoze.what plugin for pylons ( http://wiki.pylonshq.com/display/pylonscookbook/Authorization+with+repoze.what )
>
> But an error occurred when repoze.what.plugins.pylonshq.ActionController is decorating my index action of my main controller:
> TypeError: index() got an unexpected keyword argument 'action'
>
> Here is the traceback: http://beta.pylonshq.com/tracebacks/5ea1b0dab9e46b046bb516cff61a5c50
>
> After submitting my issue to pylons irc channel, Jon Rosebaugh told me it's a bug in repoze.what's plugin related to decorators and routing. Here is its investigation:
>
> Specifically, Pylons and Routes inspects the controller action to see what parameters it takes. The current plugin decorator destroys the action's signature and makes it look like it takes *args, **kwargs, when actually it does not. So, they should use the decorator module (http://pypi.python.org/pypi/decorator/) to preserve signature.
>
> Cheers,
> Bruno

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] repoze.what-pylons bug
On Wednesday February 11, 2009 16:46:08 binet bruno wrote:
> I get the same error with v1.0b2... :(

Now that I re-read your first message, I realize that indeed it's not the same issue I fixed today (it's just related).

> I look at protectors.py code, and you still don't use module decorator which preserves the signature. Why don't you use it, as it is done by other pylons built-in decorators?

+1, I'll do it, hopefully today.

Cheers.

> Cheers.
>
> 2009/2/11 Gustavo Narea m...@gustavonarea.net:
>> Hello, Bruno.
>>
>> That's right, today I released v1.0b2 to fix it. Please upgrade and let me know if now it works for you.
>>
>> Cheers!
>>
>> On Wednesday February 11, 2009 16:32:09 binet bruno wrote:
>>> Hi.
>>>
>>> I am currently testing the new repoze.what plugin for pylons ( http://wiki.pylonshq.com/display/pylonscookbook/Authorization+with+repoze.what )
>>>
>>> But an error occurred when repoze.what.plugins.pylonshq.ActionController is decorating my index action of my main controller:
>>> TypeError: index() got an unexpected keyword argument 'action'
>>>
>>> Here is the traceback: http://beta.pylonshq.com/tracebacks/5ea1b0dab9e46b046bb516cff61a5c50
>>>
>>> After submitting my issue to pylons irc channel, Jon Rosebaugh told me it's a bug in repoze.what's plugin related to decorators and routing. Here is its investigation:
>>>
>>> Specifically, Pylons and Routes inspects the controller action to see what parameters it takes. The current plugin decorator destroys the action's signature and makes it look like it takes *args, **kwargs, when actually it does not. So, they should use the decorator module (http://pypi.python.org/pypi/decorator/) to preserve signature.
>>>
>>> Cheers,
>>> Bruno

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
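The failure reported in this thread, as an added example that is not the repoze.what-pylons code: an authorization decorator that hides the action's signature makes a signature-inspecting dispatcher pass every routing variable, while a signature-preserving one does not. It uses functools.wraps and inspect.signature from the standard library in place of the decorator module recommended above; dispatch is a hypothetical stand-in for the framework's inspection, and the routing variables are constructed.

```python
import functools
import inspect


class NotAuthorized(Exception):
    """Raised when the authorization predicate is not met."""


def dispatch(action, routing_vars):
    """Call action with only the routing variables its signature accepts.

    Assumption: this mimics a framework that inspects the action. If the
    action appears to take **kwargs, every routing variable is passed.
    """
    params = inspect.signature(action).parameters
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params.values()):
        kwargs = dict(routing_vars)
    else:
        kwargs = {k: v for k, v in routing_vars.items() if k in params}
    return action(**kwargs)


def protect_naive(predicate):
    """Authorization decorator that destroys the action's signature."""
    def decorate(action):
        def wrapper(*args, **kwargs):  # looks like (*args, **kwargs) to callers
            if not predicate():
                raise NotAuthorized(action.__name__)
            return action(*args, **kwargs)
        return wrapper
    return decorate


def protect_preserving(predicate):
    """Same check, but the wrapper advertises the action's real signature."""
    def decorate(action):
        @functools.wraps(action)  # sets __wrapped__, followed by inspect.signature
        def wrapper(*args, **kwargs):
            if not predicate():
                raise NotAuthorized(action.__name__)
            return action(*args, **kwargs)
        return wrapper
    return decorate


# Constructed routing match: the framework's own keys plus one URL variable.
ROUTING_VARS = {"action": "index", "controller": "main", "id": "7"}


def index(id):
    """Sample controller action that takes a single routing variable."""
    return "item %s" % id


def run(protector, allowed):
    """Dispatch the protected action; return its result or the error name."""
    action = protector(lambda: allowed)(index)
    try:
        return dispatch(action, ROUTING_VARS)
    except (TypeError, NotAuthorized) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    for protector in (protect_naive, protect_preserving):
        print(protector.__name__, run(protector, True), run(protector, False))
```

In both variants the predicate runs before the action, so the naive wrapper fails for authorized users only; denied requests are still rejected.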
Re: [Repoze-dev] Pylons QuickStart problem
Hello, Iain.

Can you please paste the contents of {app}.config.middleware, and the file where you define auth-related models?

Just in case, I've attached the model package from a fake Pylons project I use to test this plugin.

Cheers.

On Saturday February 14, 2009 11:55:13 Iain Campbell wrote:
> Hi all,
>
> I've set up repoze.who repoze.what using the new quickstart. Everything's defined as per the tutorial, with the exception of the relevant table names which have been updated in the model. All column, property and class names are the same.
>
> When I submit the login form, I get:
>
> Module repoze.who.plugins.sa:52 in get_user
> query = self.dbsession.query(self.user_class)
> AttributeError: 'NoneType' object has no attribute 'query'
>
> dbsession isn't initialised for some reason but I can't work out why...
>
> Any help/pointers appreciated. If there's anything more I can post that may help, please shout.
>
> Thanks,
> Iain

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/

# -*- coding: utf-8 -*-
"""
Sample SQLAlchemy-powered model definition for the repoze.what SQL plugin.

This model definition has been taken from a quickstarted TurboGears 2 project,
but it's absolutely independent of TurboGears.

"""
import os
from hashlib import sha1
from datetime import datetime

from sqlalchemy import Table, ForeignKey, Column
from sqlalchemy.types import String, Unicode, UnicodeText, Integer, DateTime, \
                             Boolean, Float
from sqlalchemy.orm import relation, backref, synonym

from pylonsproject.model.meta import DeclarativeBase, metadata


# This is the association table for the many-to-many relationship between
# groups and permissions.
group_permission_table = Table('group_permission', metadata,
    Column('group_id', Integer, ForeignKey('group.group_id',
        onupdate="CASCADE", ondelete="CASCADE")),
    Column('permission_id', Integer, ForeignKey('permission.permission_id',
        onupdate="CASCADE", ondelete="CASCADE"))
)

# This is the association table for the many-to-many relationship between
# groups and members - this is, the memberships.
user_group_table = Table('user_group', metadata,
    Column('user_id', Integer, ForeignKey('user.user_id',
        onupdate="CASCADE", ondelete="CASCADE")),
    Column('group_id', Integer, ForeignKey('group.group_id',
        onupdate="CASCADE", ondelete="CASCADE"))
)

# auth model

class Group(DeclarativeBase):
    """An ultra-simple group definition."""
    __tablename__ = 'group'

    group_id = Column(Integer, autoincrement=True, primary_key=True)
    group_name = Column(Unicode(16), unique=True)
    users = relation('User', secondary=user_group_table, backref='groups')


class User(DeclarativeBase):
    """
    Reasonably basic User definition. Probably would want additional
    attributes.

    """
    __tablename__ = 'user'

    user_id = Column(Integer, autoincrement=True, primary_key=True)
    user_name = Column(Unicode(16), unique=True)
    _password = Column('password', Unicode(80))

    def _set_password(self, password):
        """Hash password on the fly."""
        hashed_password = password

        if isinstance(password, unicode):
            password_8bit = password.encode('UTF-8')
        else:
            password_8bit = password

        salt = sha1()
        salt.update(os.urandom(60))
        hash = sha1()
        hash.update(password_8bit + salt.hexdigest())
        hashed_password = salt.hexdigest() + hash.hexdigest()

        # make sure the hashed password is an UTF-8 object at the end of the
        # process because SQLAlchemy _wants_ a unicode object for Unicode columns
        if not isinstance(hashed_password, unicode):
            hashed_password = hashed_password.decode('UTF-8')

        self._password = hashed_password

    def _get_password(self):
        """returns password"""
        return self._password

    password = synonym('_password', descriptor=property(_get_password,
                                                        _set_password))

    def validate_password(self, password):
        """
        Check the password against existing credentials.

        :param password: the password that was provided by the user to
            try and authenticate. This is the clear text version that we will
            need to match against the hashed one in the database.
        :type password: unicode object.
        :return: Whether the password is valid.
        :rtype: bool

        """
        hashed_pass = sha1()
        hashed_pass.update(password + self.password[:40])
        return self.password[40:] == hashed_pass.hexdigest()


class Permission(DeclarativeBase):
    """A relationship that determines what each Group can do"""
    __tablename__ = 'permission'

    permission_id = Column(Integer, autoincrement=True, primary_key=True)
    permission_name = Column(Unicode(16), unique=True)
    groups = relation(Group, secondary=group_permission_table
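The attached model stores 40 hex characters of salt followed by a single SHA-1 digest and compares digests with ==. As an added example (not part of the attachment or of repoze.what), this is one way to keep verifying such stored values while moving accounts to PBKDF2 with a constant-time comparison. The function names, the pbkdf2_sha256$ storage format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own hardware
PREFIX = "pbkdf2_sha256$"    # hypothetical storage format marker


def legacy_hash(password, salt_hex=None):
    """Reproduce the model's format: 40 hex chars of salt + SHA-1 hex digest."""
    if salt_hex is None:
        salt_hex = hashlib.sha1(os.urandom(60)).hexdigest()
    digest = hashlib.sha1((password + salt_hex).encode("utf-8")).hexdigest()
    return salt_hex + digest


def legacy_verify(password, stored):
    """Check a legacy value, comparing digests in constant time."""
    salt_hex, expected = stored[:40], stored[40:]
    candidate = hashlib.sha1((password + salt_hex).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate.encode(), expected.encode("utf-8"))


def pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a slow, salted hash; the parameters travel with the value."""
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations, salt.hex(), derived.hex())


def verify_and_upgrade(password, stored):
    """Return (ok, replacement), replacement being a new value to store.

    A legacy value that verifies is re-hashed with PBKDF2 so the account is
    upgraded at login. The new value is longer than 80 characters, so the
    Unicode(80) password column of the model would have to be widened.
    """
    if stored.startswith(PREFIX):
        try:
            _, iterations, salt_hex, _ = stored.split("$")
            candidate = pbkdf2_hash(
                password, bytes.fromhex(salt_hex), int(iterations))
        except ValueError:  # malformed stored value
            return False, None
        same = hmac.compare_digest(candidate.encode(), stored.encode("utf-8"))
        return same, None
    if len(stored) == 80 and legacy_verify(password, stored):
        return True, pbkdf2_hash(password)
    return False, None


if __name__ == "__main__":
    old_value = legacy_hash("s3cret")  # constructed sample credential
    ok, new_value = verify_and_upgrade("s3cret", old_value)
    print(ok, new_value[:30] + "...")
    print(verify_and_upgrade("s3cret", new_value))
    print(verify_and_upgrade("wrong", new_value))
```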
[Repoze-dev] [issue63] Mention all the known repoze.who plugin implementations
New submission from Gustavo Narea m...@gustavonarea.net: The documentation for repoze.who should include a page which lists all the known plugin implementations. Something similar to: http://static.repoze.org/whatdocs/Manual/Plugins/index.html -- assignedto: Gustavo messages: 145 nosy: Gustavo priority: feature status: unread title: Mention all the known repoze.who plugin implementations topic: repoze.who __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue63 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] repoze.who-friendlyform and repoze.what-quickstart
Hello, everybody. This is just to let you know that I just moved the FriendlyRedirectingFormPlugin from repoze.what-quickstart to the new repoze.who-friendlyform project. So now it's safe to import it (you don't have to copy its code anymore). Keep in mind that if you ignored the warning where I said that repoze.what.plugins.quickstart was a temporary location for FriendlyRedirectingForm plugin, your code is going to break. The relevant changelogs: http://code.gustavonarea.net/repoze.what-quickstart/News.html http://code.gustavonarea.net/repoze.who-friendlyform/News.html Cheers. -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] bug: easy_install repoze.who-friendlyform
On Friday February 27, 2009 15:57:46 Tres Seaver wrote:
> There is the bug: the egg should not be called 'repoze.who-friendlyform', because that looks to setuptools like the 'friendlyform-1.0b2' version of the repoze.who package. The egg should be named 'repoze.who.friendlyform'.

Are you sure that's the problem? I can install repoze.what-pylons, for example, with no problems:

valencia ~: virtualenv --no-site-packages fakeenv
New python executable in fakeenv/bin/python
Installing setuptoolsdone.
valencia ~: source fakeenv/bin/activate
(fakeenv)valencia ~: easy_install repoze.what-pylons
Searching for repoze.what-pylons
Reading http://pypi.python.org/simple/repoze.what-pylons/
Reading http://code.gustavonarea.net/repoze.what-pylons/
Best match: repoze.what-pylons 1.0rc2
Downloading http://pypi.python.org/packages/2.6/r/repoze.what-pylons/repoze.what_pylons-1.0rc2-py2.6.egg#md5=fc7972047c61a4e128cc58bece304021
Processing repoze.what_pylons-1.0rc2-py2.6.egg
creating /home/gustavo/fakeenv/lib/python2.6/site-packages/repoze.what_pylons-1.0rc2-py2.6.egg
Extracting repoze.what_pylons-1.0rc2-py2.6.egg to /home/gustavo/fakeenv/lib/python2.6/site-packages
Adding repoze.what-pylons 1.0rc2 to easy-install.pth file
Installed /home/gustavo/fakeenv/lib/python2.6/site-packages/repoze.what_pylons-1.0rc2-py2.6.egg
Processing dependencies for repoze.what-pylons
[[[SNIP]]]
Finished processing dependencies for repoze.what-pylons

And it requires repoze.what, which pulls repoze.who.

I don't know how to solve this yet, though. But I think the bug is somewhere else. If I get stuck trying to find the root problem, I'll end up renaming the distribution name.

Just a wild guess: Can't this be specific to repoze.who? I'm getting the same bug with repoze.who-testutil, but not with repoze.what-pylons or repoze.what-quickstart.

Cheers.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] bug: easy_install repoze.who-friendlyform
On Friday February 27, 2009 16:56:09 Tres Seaver wrote:
> Note that the downloaded file has an underscore, rather than a hyphen.

Yes, but the distribution name is repoze.what-pylons. Then setuptools or PYPI replaces the hyphen with an underscore automatically -- I don't have to do it myself.

For some reason, this automatic renaming is not being applied to repoze.who-friendlyform and repoze.who-testutil. I don't know why.

> I am confident that setuptools interprets hyphens in package names as dividing the base name of the distribution from the version.

But then why don't repoze.what-pylons and repoze.what-quickstart have this problem? Note that the former has been around for ~20 days and the latter for one month, and I had never heard of that problem -- try to install them and you'll see that the problem is not present.

Cheers.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
Re: [Repoze-dev] bug: easy_install repoze.who-friendlyform
On Friday February 27, 2009 16:56:09 Tres Seaver wrote:
>> Are you sure that's the problem? I can install repoze.what-pylons, for example, with no problems:
>>
>> valencia ~: virtualenv --no-site-packages fakeenv
>> New python executable in fakeenv/bin/python
>> Installing setuptoolsdone.
>> valencia ~: source fakeenv/bin/activate
>> (fakeenv)valencia ~: easy_install repoze.what-pylons
>> Searching for repoze.what-pylons
>> Reading http://pypi.python.org/simple/repoze.what-pylons/
>> Reading http://code.gustavonarea.net/repoze.what-pylons/
>> Best match: repoze.what-pylons 1.0rc2
>> Downloading http://pypi.python.org/packages/2.6/r/repoze.what-pylons/repoze.what_pylons-1.0rc2-py2.6.egg#md5=fc7972047c61a4e128cc58bece304021
>> Processing
>
> Note that the downloaded file has an underscore, rather than a hyphen.

I just confirmed that it's not the root problem. I managed to get the hyphen replaced with an underscore by using the ez_setup script by default, but still the problem is present:
http://paste.chrisarndt.de/paste/2a38e6d22284448d98733b6fa1a675a9?wrap=no

That output seems perfect, and equivalent to that of `easy_install repoze.what-pylons` (which does work)... Except for the error at the end.

Now I find it more likely to be caused by repoze.who, somehow.

--
Gustavo Narea http://gustavonarea.net/.
Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/
[Repoze-dev] repoze.who Test Utilities v1.0b1
Hello, everybody. I wanted to let you know about repoze.who-testutil, a repoze.who plugin to help you test protected areas in repoze.who-powered websites: http://code.gustavonarea.net/repoze.who-testutil/ Don't be fooled by the Beta 1: It's absolutely usable, 100% tested and 100% documented (except for the part on how to use it with repoze.what, which is not supported yet). I think it'd be great if it was a built-in plugin in a future repoze.who release. Even better, a built-in module: repoze.who.testutil. I hope you'll enjoy it! -- Gustavo Narea http://gustavonarea.net/. Get rid of unethical constraints! Get freedomware: http://www.getgnulinux.org/ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Turbogears2 identity variable in templates
Hello! On Wednesday April 29, 2009 12:37:02 Jorge Vargas wrote: On Monday April 27, 2009 10:42:35 Jorge Vargas wrote: more interesting than that template_vars.tg.identity returns None when the user isn't logged on. which means you will have to precheck all your access tests in something along the lines of if tg.identity and tg.identity['user'] == something which is too weird. You could turn the repoze.who identity dict into a TG2 Bunch and customize that too. on top of that it seems to me that checks in the form of are simply not possible py:if='admin' in tg.identity.groups It's always been discouraged to deal with that repoze.what stuff directly, as it's going to change somewhere in v1.X and disappear in v2 -- it's something internal to repoze.what. I think you missed the point. by Identity I'm not talking about repoze.who.identity dict, I'm talking about the concept of allowing you to evaluate your object with pythonic calls. if user in group type of thing. Identity is an ambiguous term, specially in this context; I'd rather hear exactly authentication or authorization -- hence I replied to both meanings just in case, because I wasn't certainly sure what you meant. is there an obvious way of doing this with repoze.what that I'm missing? You have two options to do that, which are also simpler (from my point of view): http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#predicat e-evaluators is this syntax really better at the template level? p py:if=tg.predicates.is_user('jorge')Hi Jorge/p I find it a lot more verbose Yes, it is. , also isn't this evaluating the predicate twice? No, as far as I see. by the way from repoze.what.plugins.pylonshq import is_met is not the correct path. Are you using an old version of repoze.what-pylons? That function wasn't present in early betas. 
It works over here: from repoze.what.plugins import pylonshq dir(pylonshq) ['ActionProtector', 'ControllerProtector', '__all__', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '__path__', 'booleanize_predicates', 'debooleanize_predicates', 'is_met', 'not_met', 'protectors', 'utils'] from repoze.what.plugins.pylonshq import is_met is_met function is_met at 0xa55a3e4 http://code.gustavonarea.net/repoze.what-pylons/Manual/Misc.html#boolean- predicates could you please explain why this warning? I'm really shock here. are you telling us that the default way TG is using repoze.what will break your security? last time I read the ticket regarding this implementation it was never mention that this will be a security issue. I always warned it was a horrible idea, totally discouraged by me, which _could_ (not will) bring side-effects and/or make the application error- prone. That warning just lists the exact situations under which there may be security flaws because of that misfeature. Also keep in mind this is pure syntax sugar as the real security check was done in the controller. Last but not least is this a class that is worth including in r.what? or should we keep it TG only? IMO this api is nice enough to work on any python template/framework and I think it's totally worth pushing into what. Regarding the repoze.who identity dict, I think TG2 could turn that dict into a Bunch if you find it necessary. That's a good idea but you keep telling us that's internal for repoze.what and we can't rely on it so why/how can we work with it if it's going away? There will be a 100% backwards-compatible 1.5 release eventually, which will backport all possible enhancements from version 2.0. But repoze.what 2 won't have such a dictionary and thus it's likely* that v1.5 won't have it either (even if it keeps the dictionary, the arrangement may change). Hence I can't suggest you to use it directly. Predicate checkers are the safe bet. 
* repoze.what 2 is still taking shape, so at this point it's hard to tell if it'd be present in v1.5 or not. I just can assure it won't be present in v2 (in fact it's one of the main reasons why I'm rewriting it all). Regarding accessing the repoze.what credentials dict, it shouldn't be supported because it's not intended to be used directly. Instead, I'd recommend predicate evaluators -- and TG2 could have a short-cut to is_met() and not_met() in the template. What's so wrong with making the predicates behave like boolean objects? They make your code error-prone and may cause side-effects (e.g., security flaws) in some situations, as explained in detail in the repoze.what-pylons docs. Cheers! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] [issue46] Create the repoze.what OAuth plugin
Gustavo Narea m...@gustavonarea.net added the comment: Hello, Mike. Thank you very much for your effort, and sorry about the delay to get back to you. Unfortunately, I don't have time to extract the relevant bits and create the OAuth plugin with them. Right now I'm spending my spare time on the development of repoze.what 2. :/ But if you or somebody else wants to go ahead and create a predicates plugin for OAuth, I think here you'll find all you'd need: http://static.repoze.org/whatdocs/Manual/Predicates/ Sorry I can't help much. __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue46 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Combining registration with login...
Hi, Douglas. Unfortunately it's not well supported. Here you'd find how to do it for the time being: http://bugs.repoze.org/issue58 Cheers. - Gustavo. Douglas said: Hey everybody, I'm using repoze.who for authentication, and I've got the major part of it setup. Login works, as does logout. I just finished writing user registration, and was wondering if there was a way that I could automatically log the user in on successful signup? I'm currently using the redirectingform plugin and the sql authenticator. Will I have to write my own custom plugin, or is there something I can do out of the box? Thanks, Douglas Mayle ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what should depend on webob not paste
Chris said: Maybe not. r.who also depends on Paste, and r.what depends on r.who, I believe. Exactly :) Cheers! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] [issue87] auth_tkt: Cookies will always expire when the user agent is closed
New submission from Gustavo Narea m...@gustavonarea.net: The auth_tkt is not able to set for how long cookies should last, and as a consequence, developers who want users to be remembered even after closing their agents have to subclass this plugin to implement this feature. The attached patch implements this feature. I will apply it if it looks good to you, Chris. -- assignedto: Gustavo files: auth_tkt-max_age.diff messages: 232 nosy: Gustavo priority: feature status: unread title: auth_tkt: Cookies will always expire when the user agent is closed topic: repoze.who __ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue87 __Index: repoze/who/plugins/tests/test_authtkt.py === --- repoze/who/plugins/tests/test_authtkt.py (revision 5118) +++ repoze/who/plugins/tests/test_authtkt.py (working copy) @@ -165,6 +165,26 @@ 'auth_tkt=%s; Path=/; Domain=.localhost' % new_val)) +def test_remember_creds_custom_max_age(self): +age = 240 # 4 minutes +plugin = self._makeOne('secret', max_age=age) +val = self._makeTicket(userid='userid') +environ = self._makeEnviron() +result = plugin.remember(environ, {'repoze.who.userid':'userid', + 'userdata':'userdata'}) +self.assertEqual(len(result), 3) +self.assertEqual(result[0], + ('Set-Cookie', + 'auth_tkt=%s; Path=/; Max-Age=%s' % (val, age))) +self.assertEqual(result[1], + ('Set-Cookie', + 'auth_tkt=%s; Path=/; Domain=localhost; Max-Age=%s' +% (val, age))) +self.assertEqual(result[2], + ('Set-Cookie', + 'auth_tkt=%s; Path=/; Domain=.localhost; Max-Age=%s' + % (val, age))) + def test_remember_creds_different_bad_old_cookie(self): plugin = self._makeOne('secret') old_val = 'BOGUS' Index: repoze/who/plugins/auth_tkt.py === --- repoze/who/plugins/auth_tkt.py (revision 5118) +++ repoze/who/plugins/auth_tkt.py (working copy) 
@@ -25,11 +25,12 @@ } def __init__(self, secret, cookie_name='auth_tkt', - secure=False, include_ip=False): + secure=False, include_ip=False, max_age=None): self.secret = secret self.cookie_name = cookie_name self.include_ip = include_ip self.secure = secure +self.max_age = max_age # IIdentifier def identify(self, environ): @@ -81,6 +82,9 @@ ('Set-Cookie', '%s=%s; Path=/; Domain=%s' % ( self.cookie_name, value, wild_domain)) ] +if self.max_age: +cookies = [(h, %s; Max-Age=%s % (c, self.max_age)) for (h, c) + in cookies] return cookies # IIdentifier Index: CHANGES.txt === --- CHANGES.txt (revision 5118) +++ CHANGES.txt (working copy) @@ -15,6 +15,10 @@ - One-hundred percent unit test coverage. +- Made the ``auth_tkt`` plugin able to set cookies with a custom ``Max-Age`` + attribute. + + 1.0.13 (2009/4/24) == Index: docs/narr.rst === --- docs/narr.rst (revision 5118) +++ docs/narr.rst (working copy) @@ -212,7 +212,7 @@ .. module:: repoze.who.plugins.auth_tkt -.. class:: AuthTktCookiePlugin(secret [, cookie_name='auth_tkt' [, secure=False [, include_ip=False]]]) +.. class:: AuthTktCookiePlugin(secret [, cookie_name='auth_tkt' [, secure=False [, include_ip=False [, max_age=None) An :class:`AuthTktCookiePlugin` is an ``IIdentifier`` plugin which remembers its identity state in a client-side cookie. This plugin @@ -225,6 +225,10 @@ cookie will be sent only across an HTTPS connection. If *include_ip* is True, the ``REMOTE_ADDR`` of the WSGI environment will be placed in the cookie. + + By default, these cookies will expire when the user agent (e.g., browser) + is closed. To override this behavior, use the *max_age* argument to + set for how long the cookies should last (in seconds). .. note:: Using the *include_ip* setting for public-facing applications may ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
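Review bot: In the remember() hunk of repoze/who/plugins/auth_tkt.py, `if self.max_age:` treats max_age=0 the same as None, so a caller cannot request an immediately expiring cookie, and nothing checks that the value is a non-negative integer before it is interpolated into the Set-Cookie header. Suggest testing `self.max_age is not None` and coercing with int() in __init__. The hunk also emits only Max-Age; user agents that honour only Expires would keep treating the ticket as a session cookie, so consider adding an Expires attribute computed from the same value.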
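Review bot: test_remember_creds_custom_max_age in repoze/who/plugins/tests/test_authtkt.py covers only a positive max_age (240). Add a case for max_age=0 so that the behaviour of the truthiness check in remember() is pinned down by a test, whichever way it is decided, and a case that passes a non-integer value to document what the plugin does with it.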
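Review bot: In docs/narr.rst the new class signature ends `[, include_ip=False [, max_age=None)` and no longer closes the optional-argument brackets that the removed line closed with `]]]`; it should end `[, max_age=None]]]])`. The added paragraph could also say that max_age only controls how long the user agent keeps the cookie, and, since secure defaults to False in the signature, recommend secure=True when a long lifetime is configured.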
[Repoze-dev] [r.what] What adapter would be faster for you? (Testers needed)
Hi, everyone.

The next version of repoze.what will ship benchmarking tools for its source adapters, so you could find what would be the fastest adapter for your environment.

Believe it or not, the fastest adapter could change from one computer to another. I've even found that on one computer, adapter A is ~20x faster than adapter B, but on another computer, the difference lowers to ~9x. So you could also use this to keep your adapters, but optimize them if possible.

However, before releasing it, I'd love to get some feedback, and that's why I'm writing.

Here you'll learn how it works:
http://what.repoze.org/docs/1.x/Manual/ManagingSources.html#module-repoze.what.adapters.benchmark

To install the latest revision:

$ svn co http://svn.repoze.org/repoze.what/branches/1.X/ repoze.what
$ cd repoze.what
$ python setup.py develop

I wrote a benchmarking script which you can try too; it's available in the /scripts/ folder and there's a README if you want to use it. I'll run it on several computers and publish the results after the release, so people could get an idea on what would be the faster adapter.

Thanks in advance!

--
Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] understanding setup of repoze.what
Hi, Jens!

The plugin is mentioned here http://what.repoze.org/docs/1.x/Manual/Plugins/#available-extras-plugins (repoze.what.plugins.quickstart), but you're certainly right about the missing link. I'm adding the link right now. Thanks!

However, this plugin is for people who are using SQLAlchemy/Elixir to manage their users, groups and permissions, and it's most useful when repoze.who isn't already configured (because it sets up both repoze.who and repoze.what at once).

I think this plugin may not be for you, because:

* It configures repoze.who and repoze.what in a not-so-flexible way. Its goal is just to help newcomers to get started quickly.
* It can't be configured via .ini files (yet).

So, I'd recommend you configure repoze.what by yourself, without the quickstart. You may want to do it via repoze.what.plugins.config, a plugin to configure repoze.what from a .ini file:
http://github.com/jdinuncio/repoze.what.plugins.config/

The ability to configure repoze.what from a .ini file will be built-in as of repoze.what-1.1.0, which I hope to release this month, possibly forked from and backwards-compatible with the plugin above.

HTH,

- Gustavo.

Jens said:
> I have some problems with the setup of repoze.what.
>
> In the docs [1] there's a 'quickstart' mentioned. Also there's written:
>
> Warning: Do not try to configure repoze.who directly – if you want authorization to work, you have to configure it through repoze.what.
>
> [1] http://what.repoze.org/docs/1.x/Manual/GettingStarted.html
>
> Fine so far. Before looking at repoze.what at all I made repoze.who work. It's pretty simple (just a basic auth, but enough for my scenario). I have an ini-file which configures it all.
>
> Now if it comes to repoze.what it seems there's no ini-file-configuration possible. Except maybe with 'quickstart', but 'quickstart' isn't documented at all (at least it's not linked at [1] and I do not find any documentation nor how to get it into repoze.what). Also at [2], the place where I'd expect more details on quickstart, there's only insufficient information available.
>
> [2] http://what.repoze.org/docs/1.x/Manual/Plugins/
>
> Can someone enlighten me how to use it in the proposed paster build environment?
>
> thanks in advance and best regards

--
Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] understanding setup of repoze.what
Hi again, Jens. Jens said: is there already any code i can checkout, use and test already in your VCS? Not yet, it's on my working copy. I started working on it and it's most likely that I'll check it in tomorrow. I'll let you know when it's in, so you can use it and give some feedback ;-) HTH, Yes, a lot! Thanks! Cool, you're welcome! Talk to you soon, -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] Repoze auth on Python Magazine
Hello, everyone! A few months ago I wrote an article on repoze.who and repoze.what, which has just been published on Python Magazine: http://pymag.phparch.com/c/issue/view/98 I believe it's a good resource for those who are new to both frameworks (even if they aren't familiar with WSGI or auth in general yet), as well as for current users to better understand how repoze.who/what work and so make the most out of them. Cheers! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [r.what] What adapter would be faster for you? (Testers needed)
Thanks for the commands summary, Jonás!

By the way, I have to say that the results for Redis should be better: http://groups.google.com/group/redis-db/browse_thread/thread/de8839d8fa1eecc8

Cheers,
- Gustavo.

Kless said:

Here you have the commands to get all installed and so run the tests: http://dpaste.com/hold/52771/

On 1 jun, 16:05, Gustavo Narea m...@gustavonarea.net wrote:

Hi, everyone.

The next version of repoze.what will ship benchmarking tools for its source adapters, so you could find what would be the fastest adapter for your environment.

Believe it or not, the fastest adapter could change from one computer to another. I've even found that on one computer, adapter A is ~20x faster than adapter B, but on another computer, the difference lowers to ~9x. So you could also use this to keep your adapters, but optimize them if possible.

However, before releasing it, I'd love to get some feedback, and that's why I'm writing. Here you'll learn how it works:
http://what.repoze.org/docs/1.x/Manual/ManagingSources.html#module-repoze.what.adapters.benchmark

To install the latest revision:

    $ svn co http://svn.repoze.org/repoze.what/branches/1.X/ repoze.what
    $ cd repoze.what
    $ python setup.py develop

I wrote a benchmarking script which you can try too; it's available in the /scripts/ folder and there's a README if you want to use it. I'll run it on several computers and publish the results after the release, so people could get an idea on what would be the faster adapter.

Thanks in advance!
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list repoze-...@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [TurboGears] Re: repoze.what-pylons host no longer up
Hi, everyone.

Jorge's right, my personal server, which hosts code.gustavonarea.net and what.repoze.org, is down. Unfortunately, it's not something I can fix. My ISP was hacked recently, but I've been told it should come back up in a few hours. Otherwise I'll start serving those sites from my home network later today, although its upstream rate sucks (but it's better than nothing).

Cheers!
- Gustavo.

Jorge said:

On Wed, Jun 10, 2009 at 11:08 PM, Jesse Howarth jahowa...@gmail.com wrote:

The host for repoze.what-pylons has been down for 3 days now. PyPi has it listed at http://code.gustavonarea.net/repoze.what-pylons/ and when python setup.py develop is run for either 2.0 or 2.1 it stalls and eventually fails.

This is correct, apparently there is something wrong with gustavo's server ;(
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [TurboGears] Re: repoze.what-pylons host no longer up
Hello, Wichert. Wichert said: is there a special reason the repoze.what docs can not be hosted on docs.repoze.org, next to all the other repoze documentation? repoze.what will have a new Web site (not only the static documentation we have now) by the release of v2, which might host a wiki, a BuildBot master, the docs of third party plugins and more stuff like this, so we created a subdomain for me to manage it all. We moved the repoze.what 1.X docs there so people can start using the new URL now. Actually I'm not sure about the services it will host at this point, so the ones above were just examples, but the goal is to have something that will scale up as repoze.what's userbase grows. Cheers. -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] [TurboGears] Re: repoze.what-pylons host no longer up
Thank you very much, Chris!
- Gustavo.

Chris said:

FWIW, I took the redirect out for: http://static.repoze.org/whatdocs It now renders a copy of the what docs that are hosted on repoze.org.
- C

On 6/11/09 12:23 PM, Gustavo Narea wrote:

Hi, everyone.

Jorge's right, my personal server, which hosts code.gustavonarea.net and what.repoze.org, is down. Unfortunately, it's not something I can fix. My ISP was hacked recently, but I've been told it should come back up in a few hours. Otherwise I'll start serving those sites from my home network later today, although its upstream rate sucks (but it's better than nothing).

Cheers!
- Gustavo.

Jorge said:

On Wed, Jun 10, 2009 at 11:08 PM, Jesse Howarth jahowa...@gmail.com wrote:

The host for repoze.what-pylons has been down for 3 days now. PyPi has it listed at http://code.gustavonarea.net/repoze.what-pylons/ and when python setup.py develop is run for either 2.0 or 2.1 it stalls and eventually fails.

This is correct, apparently there is something wrong with gustavo's server ;(
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what-pylons host no longer up -- Update
Hi everyone. I didn't start serving these sites from my home network yesterday because my ISP provided me with a new server, which I've been setting up from scratch and thus I've had no time to set up these sites at home. I made a slow progress today since I've been busy with other stuff and also because now there's no panel to manage the VPS (IPs, reboots, rebuilds, etc. must be requested by email). So I hope to get what.repoze.org and code.gustavonarea.net up and running tomorrow. I apologize for the inconvenience caused among repoze.what users. For those who want to know what went wrong, if any: http://www.theregister.co.uk/2009/06/08/webhost_attack/ http://www.theregister.co.uk/2009/06/10/vaserv_follow_up/ - A proud backups-paranoid guy. -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what-pylons host no longer up -- Fixed
OK, code.gustavonarea.net and what.repoze.org are up and running again on a new server. I'm sorry about the delay! Chris: Could you please restore the redirect to what.repoze.org? Thanks! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Identifier plugins...
Chris said: How did I miss this? This is a pretty good interim idea; thanks Gustavo. I'll try to merge it in with the current state of affairs. Cool ;-) Cheers, -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] how to extend basic User, Group, Permission model?
Cezary said: ps. i'm using repoze with pylons Hold on, you're talking about the Web authorization framework *repoze.what*, not the Web application framework *repoze.bfg*, right? Cheers. :) -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] LDAP plugin
Hello,

André said:

According to: http://code.gustavonarea.net/repoze.who.plugins.ldap/ Gustavo is the maintainer. It isn't yet in the repoze SVN, as far as I can tell.

Right; that's supposed to be on my TODO list, but I created that plugin for a project I was working on and now it doesn't use LDAP, that's why it's kinda abandoned.

I wrote a mail to him, but I got no answer so far.

Yeah, I'm sorry about that. I have final exams at the university in a few weeks and later on I should be moving to another country, so these days nearly all my time is spent studying and processing paperwork :/

Could you provide more context on how you are trying to use repoze.who and its plugins? What framework are you using, etc.? Are you able to authenticate with a different set of plugins (e.g., an .htaccess file)?

I'm using turbogears 2. The problem I ran into is that the login page of an initial tg2 project does somehow not count as identity for the ldap plugin. In the demo project there is a different login form, and I don't really understand the mechanism for those identities. I'd like to use the tg2 standard login form based on the tg2 templates with the repoze LDAP plugin.

If you're keeping the default Repoze auth integration in TG2, it should work after you add your LDAP authenticator as explained in:
http://code.gustavonarea.net/repoze.who.plugins.ldap/Using.html#setting-up-repoze-who-with-the-ldap-authenticator

If not, make sure your identifier and your login form use the expected names for the userid and the password.

The second problem is that our LDAP server needs authentication with a special account first in order to lookup the dn of the user based on the ldap attribute uid. This is not yet supported by the repoze plugin and I need some help to implement this.
The behavior I'd like to have:

- LDAP login with DN Lookup
- LDAP filter to specify allowed groups
- After login, the user is added to the local sa database if it does not exist
- Special attributes for the LDAP user are stored in the local sa database

It'd be really useful for more people, so please don't hesitate to provide a patch if you want to ;-)

Cheers!
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] LDAP plugin
André said: update: I found the RedirectingFormPlugin and got it working :) So now I can implement the LDAP auth I need. Cool! ;-) What's left: - create users in the local sa database from the repoze LDAP plugin What would be the best way to do that ? Is this something I should ask on the tg mailinglist ? You could create them upon first login, for example. HTH, -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what and nested, hierarchical groups
Bonjour, Yannick.

The predicate checkers are fine, the problem is that the so-called source adapters [1] don't support nested groups yet. I myself need this too, so it should be implemented at some point. Although unfortunately it won't happen in the next few weeks, because I won't have enough time. :/

Salut,
- Gustavo.

[1] http://what.repoze.org/docs/1.x/Manual/GettingStarted.html

brehon said:

I would like to use repoze.what (in a turbogears 2.0 context) in conjunction with nested groups. For instance, I would like to be able to have a group belonging to another group, and so on. Users could be a part of any group also of course.

This is not trivial using the current system: if user is part of group G1 and G1 is part of group G0, removing G1 from G0 should remove U from G0, if and only if U was not also a direct member of G0.

The various repoze.what functions do not support nested groups as far as I can see, but I may be wrong. What would your insight be regarding this subject?
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
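The removal rule brehon describes (U leaves G0 when G1 is detached, unless U is also a direct member of G0) falls out naturally if effective membership is computed from direct edges instead of being copied into parent groups. The following is an added example, not repoze.what code and not a source adapter; the class NestedGroups and its method names are hypothetical, and it also covers deeper nesting and cycle rejection, which the thread does not discuss.

```python
from collections import defaultdict


class NestedGroups:
    """Group store in which a group holds users directly and can nest other groups.

    Effective membership is derived on demand from the direct edges, so
    detaching a nested group never leaves a stale grant behind.
    """

    def __init__(self):
        self._direct_users = defaultdict(set)  # group -> users added directly
        self._subgroups = defaultdict(set)     # group -> groups nested inside it

    def add_user(self, group, user):
        self._direct_users[group].add(user)

    def remove_user(self, group, user):
        self._direct_users[group].discard(user)

    def add_subgroup(self, parent, child):
        # A cycle (G0 in G1 in G0) would make membership meaningless; refuse it.
        if parent == child or parent in self.descendants(child):
            raise ValueError("nesting %r in %r would create a cycle" % (child, parent))
        self._subgroups[parent].add(child)

    def remove_subgroup(self, parent, child):
        self._subgroups[parent].discard(child)

    def descendants(self, group):
        """Every group nested in `group`, at any depth."""
        seen, stack = set(), list(self._subgroups.get(group, ()))
        while stack:
            current = stack.pop()
            if current not in seen:
                seen.add(current)
                stack.extend(self._subgroups.get(current, ()))
        return seen

    def members(self, group):
        """Users who belong to `group` directly or through a nested group."""
        users = set(self._direct_users.get(group, ()))
        for nested in self.descendants(group):
            users |= self._direct_users.get(nested, set())
        return users

    def groups_of(self, user):
        """All groups whose effective membership includes `user`."""
        all_groups = set(self._direct_users) | set(self._subgroups)
        return {g for g in all_groups if user in self.members(g)}


def demo():
    """Constructed data reproducing the G0/G1/U case from the message above."""
    store = NestedGroups()
    store.add_user("G1", "U")        # U belongs to G1 only
    store.add_user("G1", "V")
    store.add_user("G0", "V")        # V is also a direct member of G0
    store.add_subgroup("G0", "G1")   # G1 is part of G0
    before = store.members("G0")
    store.remove_subgroup("G0", "G1")
    after = store.members("G0")      # U is gone, V stays through direct membership
    return before, after
```

A store that instead copies nested members into the parent on insert has to track why each user is there, otherwise detaching G1 either removes V wrongly or leaves U with access.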
[Repoze-dev] [issue108] repoze.what decoratos should be usable in python2.5 too
Gustavo Narea m...@gustavonarea.net added the comment:

Hello, ergo.

That's in fact the package I use to create the decorators and repoze.what-pylons is supported (tested and known to work) in Python 2.4, 2.5 and 2.6 with no problems. Have a look at the following test suite, for example:

=
gust...@valencia:~/Software/Repoze/repoze.what-pylons$ workon r.what-pylons-24
(r.what-pylons-24)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ python -V
Python 2.4.6
(r.what-pylons-24)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ nosetests 2>&1 | tail -1
OK
(r.what-pylons-24)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ deactivate
gust...@valencia:~/Software/Repoze/repoze.what-pylons$ workon r.what-pylons-25
(r.what-pylons-25)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ python -V
Python 2.5.4
(r.what-pylons-25)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ nosetests 2>&1 | tail -1
OK
(r.what-pylons-25)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ deactivate
gust...@valencia:~/Software/Repoze/repoze.what-pylons$ workon r.what-pylons
(r.what-pylons)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ python -V
Python 2.6.4
(r.what-pylons)gust...@valencia:~/Software/Repoze/repoze.what-pylons$ nosetests 2>&1 | tail -1
OK
=

Something else must have gone wrong, not those decorators. Unless, you're using decorator v2 -- We're using v3 (as specified in setup.py).

Could you please use the mailing list so we can help you out? Don't forget to include traceback or any other info that could be useful.

Thanks.

--
assignedto: -> Gustavo
nosy: +Gustavo
status: unread -> resolved
topic: +repoze.what
__ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue108 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] [issue108] repoze.what decoratos should be usable in python2.5 too
Gustavo Narea m...@gustavonarea.net added the comment:

Hi.

Python supports class decorators from version 2.6: http://docs.python.org/whatsnew/2.6.html#pep-3129-class-decorators

And I also mentioned that in the documentation http://code.gustavonarea.net/repoze.what-

There's no way we can make that syntax work in Python <= 2.5. You should either upgrade to Python 2.6 or keep the workaround you're using.

Cheers!

--
status: chatting -> resolved
__ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue108 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] [issue108] repoze.what decoratos should be usable in python2.5 too
Gustavo Narea m...@gustavonarea.net added the comment:

Oops, the URL in the previous message got trimmed. Here it is: http://tinyurl.com/p2zan2

--
status: resolved -> chatting
__ Repoze Bugs b...@bugs.repoze.org http://bugs.repoze.org/issue108 __ ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what.plugins.quickstart
Hello, Darryl. Darryl said: I've added 'log_file' and 'log_level' to repoze.what.plugins.quickstart via configuration files - writing tests also. That's nice. Thank you very much! How do I apply for commit privileges to repoze repository? We need to review the changes before checking it in. Could you please send us a patch in the mean time? Please feel free to apply for an account if you intend to contribute regularly. In addition to the link Tres already posted, you may find this useful while contributing to repoze.what: http://what.repoze.org/docs/1.x/Participate.html Cheers! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] repoze.what.plugins.quickstart
Hello, Darryl. Thank you very much for the patches! I will have a look into it by this weekend, although I may have some time tomorrow night. Talk to you soon! - Gustavo. Darryl said: And here as is likely *should* be done, also 'logging-config.ini' for tests/fixtures as referenced in added tests. Sorry for the noise. Best, Darryl On Wed, Dec 2, 2009 at 2:55 PM, Darryl Cousins darryljcous...@gmail.com wrote: And also for docs/Config.rst Best regards, Darryl Cousins -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Looking for a maintainer for the repoze.who LDAP plugin
Hi, André.

[Sorry for replying off list yesterday]

If your changes are compatible with the current plug-in (i.e., nothing would break if they upgrade), I doubt people would complain. I think merging your changes counts as improving the software eventually so I'd love to let you maintain it if you accept.

If they are backwards incompatible, but you're willing to release it and maintain it under a different name (to avoid any confusion), I would suggest deprecating my plug-in in favor of yours.

Either way, I think your changes would be most welcome. Please let us know what you decide.

Cheers,
- Gustavo.

You said:

Hi Gustavo,

What I tried to say is that I'm interested in integrating my changes into your plugin. IMHO there are several mandatory features for large applications. So I would not improve the plugin eventually, but rather merge all of my changes, then I am able to support and maintain it.

Do you know how many productive environments are using it? It might not be a good idea to just replace the existing version with the new one without letting the users test it. I'm sure that I'm not the only person suffering from the current limitations. So if there is a common interest in my changes, I'm interested in becoming maintainer.

Cheers
André

PS: did you reply off list? I think this should be an open topic...

Hello, André.

I'm basically looking for someone who wants and can fix bugs when they are reported, and eventually implement features -- Someone who is interested in the plugin because he uses it. Right now there's no bug known, just a few features requested.

If you're willing to improve the plugin eventually, either by yourself or by reviewing and applying patches, that would be enough for me. It's very simple, but it's best for someone who does use the plugin.

If you're interested in becoming the maintainer, please let me know. :)

Cheers,
- Gustavo.
André said: Hi Gustavo, all, I adapted your plugin a little bit to support authenticated ldap, ldap ssl, uid configuration and I passed the DBSession to the plugin in order to support local users (i.e. admin) and the local groups and permissions on the ldap directory. We are using this in our organization and it works quite well. Normally I would have sent you a patch with my suggestions. I could maintain at least my branch and I will release a version soon after some cleanup. I heard that other people did some adaptions for their environment, so maybe we should ask about their needs. Regards andré ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] repoze.who.plugins.ldap under the Repoze License
Hi. This is just to let you know that repoze.who.plugins.ldap can now be used under the terms of the Repoze license: http://bazaar.launchpad.net/~gnarea/repoze.who.plugins.ldap/trunk/revision/66 For more information: http://lists.repoze.org/pipermail/repoze-dev/2010-January/002546.html Cheers. -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] LDAP results
Hello, Mike.

Mike said:

1) The plugins expect a long-lasting connection, and don't have any provision to reconnect if the server goes down. I know our LDAP server goes down occasionally, and I wonder if I'd have to restart the application in that case. My code makes a separate connection for every login, which is the other extreme. The ideal would be for the constructor to accept a callable that creates a connection, then reuse the existing connection if possible, or if certain exceptions occur, create a new connection. But it looks like I'd have to rewrite the plugin for that.

I'm afraid so :/

2) The password is put into repoze.who.identify after a successful login. That seems insecure. The rest of the application doesn't need to know what the password is. I could make a metadata provider to delete it, but that seems like a kludge.

That's in repoze.who itself, but I don't think that's a problem: It will be available in the POST arguments anyway.

3) The full DSN is appearing instead of the username in repoze.who.credentials, repoze.who.identity['repoze.who.userid'], and REMOTE_USER. I suppose that's correct from LDAP's perspective because a username could be ambiguous, but from my perspective the DSN is just an internal detail of LDAP, and what I need is the username to do authorization with or display.

I agree it makes sense. Possibly the best solution would be to make that plugin optionally return the user Id. instead of the whole DN.

4) The attributes plugin is not returning the 'ou' and 'ou1' properties which I need for authorization. It's returning only a small subset of the LDAP properties. It seems to be returning the ones accessible to anonymous users. My code does that if I don't do .simple_bind_s as the user. But the plugin is doing the binding, so I don't know why the properties aren't showing up.

Have you tried the `attributes' arguments?
http://code.gustavonarea.net/repoze.who.plugins.ldap/Using.html#repoze.who.plugins.ldap.LDAPAttributesPlugin

5) The plugin doesn't differentiate between server down, no such user, and bad password, it just returns None for all of them. This makes it impossible to give the user a specific error message. I could make a plugin that puts the info repoze.who.identity, although I think that's supposed to be blank if the login is unsuccessful. But I don't want to tell the user they don't exist when the real problem is the authentication server being down, or people will think their account disappeared.

Good point. That plugin could use a (boolean) environment variable (e.g., repoze.who.ldap.connection_error) which would be checked when the user could not be logged in.

6) Is it possible for a plugin to combine authentication and metadata in one step? Because if it's in a database, I can get both with a single query, or if it's in LDAP I can do one right after the other in the same connection.

No, because they are two separate processes in repoze.who: http://gustavonarea.net/uploads/Figure2.png

But in practice, that's perfectly possible if you put these attributes in repoze.who.identity.

7) It seems to be rechecking the metadata on every visit after they log in, though that could be because my test app is unsophisticated and is not saving the metadata in the session. Although if I did do that, I'm not sure how to tell Repoze.who that I already have the identity and don't need it to refetch the metadata.

You could extend that plugin and override the add_metadata() method, so when you already have the data in the session, you put it in the `identity' variable passed as argument; if not, you would run the parent class' add_metadata().

HTH.

PS: Please note this plugin is in bug-fix mode, not under active development, for the time being: http://lists.repoze.org/pipermail/repoze-dev/2010-January/002546.html
-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
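Points 1, 3 and 5 of the exchange above (a connection factory with reconnect, returning the user id instead of the DN, and a flag that separates "directory unreachable" from "bad credentials") can be combined in one authenticator. This is an added example, not code from repoze.who.plugins.ldap or from either poster; ReconnectingAuthenticator, FakeConnection, the two exception classes and the login allow-list are hypothetical stand-ins so that it runs without a directory server, and only the environ key name comes from the thread.

```python
import re


class ServerDown(Exception):
    """Stand-in for the LDAP client's 'server unreachable' error (assumed name)."""


class InvalidCredentials(Exception):
    """Stand-in for the LDAP client's 'bind rejected' error (assumed name)."""


# Environ key suggested in the thread for reporting an unreachable directory.
CONNECTION_ERROR_KEY = 'repoze.who.ldap.connection_error'
# Allow-list for logins, so user input can never add components to the DN.
SAFE_LOGIN = re.compile(r'[A-Za-z0-9._-]{1,64}\Z')


class ReconnectingAuthenticator(object):
    """Hypothetical repoze.who-style authenticator, not the plugin's own class."""

    def __init__(self, connection_factory, dn_template, return_dn=False):
        self._factory = connection_factory  # callable returning a new connection
        self._dn_template = dn_template     # e.g. 'uid=%s,ou=people,dc=example,dc=org'
        self._return_dn = return_dn
        self._conn = None

    def _bind(self, dn, password):
        # Reuse the open connection; if the server went away, build a fresh
        # connection and retry exactly once before giving up.
        for attempt in (1, 2):
            try:
                if self._conn is None:
                    self._conn = self._factory()
                self._conn.simple_bind_s(dn, password)
                return
            except ServerDown:
                self._conn = None
                if attempt == 2:
                    raise

    def authenticate(self, environ, identity):
        environ[CONNECTION_ERROR_KEY] = False
        login, password = identity.get('login'), identity.get('password')
        # A simple bind with an empty password is an unauthenticated bind,
        # which some servers report as success, so it is rejected up front.
        if not password or not login or not SAFE_LOGIN.match(login):
            return None
        dn = self._dn_template % login
        try:
            self._bind(dn, password)
        except InvalidCredentials:
            return None
        except ServerDown:
            environ[CONNECTION_ERROR_KEY] = True  # the app can say "try again later"
            return None
        return dn if self._return_dn else login


class FakeConnection(object):
    """Constructed in-memory directory used only to exercise the code above."""
    directory = {'uid=mike,ou=people,dc=example,dc=org': 's3cret'}

    def __init__(self, alive=True):
        self.alive = alive

    def simple_bind_s(self, dn, password):
        if not self.alive:
            raise ServerDown()
        if self.directory.get(dn) != password:
            raise InvalidCredentials()


def demo():
    template = 'uid=%s,ou=people,dc=example,dc=org'
    calls = []

    def factory():
        calls.append(1)
        return FakeConnection()

    auth = ReconnectingAuthenticator(factory, template)
    good = {'login': 'mike', 'password': 's3cret'}
    results = {'first': auth.authenticate({}, good)}
    auth._conn.alive = False  # simulate the server dropping the connection
    results['after_reconnect'] = auth.authenticate({}, good)
    results['factory_calls'] = len(calls)
    env = {}
    bad = auth.authenticate(env, {'login': 'mike', 'password': 'wrong'})
    results['bad_password'] = (bad, env[CONNECTION_ERROR_KEY])
    env = {}
    down = ReconnectingAuthenticator(lambda: FakeConnection(alive=False), template)
    results['server_down'] = (down.authenticate(env, good), env[CONNECTION_ERROR_KEY])
    results['empty_password'] = auth.authenticate({}, {'login': 'mike', 'password': ''})
    return results
```

Both failure cases still return None to repoze.who, so no identity is established either way; only the message shown to the user differs.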
Re: [Repoze-dev] Check concurrent log in user
Hello, Arkom. Arkom said: How to protect user login at same time on repoze (turbogears2) repoze.who takes care of that, so it's not authenticated twice: http://gustavonarea.net/uploads/Figure2.png HTH, -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
[Repoze-dev] Repoze on identi.ca?
Hi everyone. Sometimes I want to announce stuff related to the Repoze projects I maintain, without using the power and noise of this mailing list, which I'd rather use for important announcements. So, I wanted to ask, would you like to keep and use this identi.ca group for small announcements http://identi.ca/group/repoze? I wouldn't mind removing it if you don't like the idea :) Cheers! -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hello, Tim.

The groups/permissions functionality is just something basic and optional, to help people get started, although for some smaller projects it may be good enough.

For finer-grained control, you may want to check this:
http://what.repoze.org/docs/1.0/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request

I've never really wanted to offer a similar functionality out-of-the-box. I've given some thought to this, and never came up with a non-intrusive way of addressing this kind of situations. But I'm always open to hear alternatives.

I hope this is what you were looking for.
- Gustavo.

On 15/02/10 15:19, Tim Hoffman wrote:

Hi

I am trying to work out how I could protect a specific resource/entity using repoze.what. For instance I have a specific Record, owned by a specific User, and only a user with the Owner permission can Edit the record.

I can't work out how you would assign Owner permission to the user only when accessing Record. i.e the user in question would not be owner of any other record.

It seems the group source and permission source act on a global basis and aren't context aware. And predicates check_authorization() calls only take an environ and therefore you can only protect things like URL's not entities.

Am I trying to do something not possible/intended for repoze.what. I suppose I am looking for functionality similar to zope2 permissions/roles etc...

T
___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev -- Gustavo Narea xri://=Gustavo. ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
Re: [Repoze-dev] Looking for advice on how to use repoze.what to protect a specific resource/entity.
Hello, Tim.

On 15/02/10 22:06, Tim Hoffman wrote:

Hi Gustavo

Yeah I have thought about writing custom Predicates. The main problem I saw with it was it appears I would have to pass in the object to be checked at predicate instantiation time, rather than at evaluation time. evaluate only takes environ and credentials. Which means I would have to somehow stuff the entity into the wsgi environ or I would be retrieving the object a second time inside the evaluate predicate, when I already have it. And that would seem expensive (I am running on App Engine).

So using your example from the docs. It would look something like.

    from repoze.what.predicates import Predicate

    class is_author(Predicate):
        message = 'Only %(author)s can manage post %(post_id)s'

        def __init__(self, context, **kwargs):
            super(is_author, self).__init__(**kwargs)
            # The entity is bound when the predicate is created
            self.context = context

        def evaluate(self, environ, credentials):
            if self.context.author != credentials.get('repoze.what.userid'):
                self.unmet(post_id=self.context.id, author=self.context.author)

I use the wsgiorg.routing_args variable (environ['wsgiorg.routing_args']) to store the objects for the resource in the URL, like this:

    class BasePostPredicate(Predicate):

        def _get_blog_post(self, environ):
            # Load the post once per request and keep it with the URL variables
            if "post" not in environ['wsgiorg.routing_args'][1]:
                post_id = environ['wsgiorg.routing_args'][1]['post_id']
                environ['wsgiorg.routing_args'][1]['post'] = gimme_the_post(post_id)
            return environ['wsgiorg.routing_args'][1]['post']

    class IsAuthor(BasePostPredicate):

        def evaluate(self, environ, credentials):
            post = self._get_blog_post(environ)
            if post.author != credentials.get('repoze.what.userid'):
                self.unmet('Only %(author)s can manage post %(post_id)s',
                           author=post.author, post_id=post.id)

    class IsEditor(BasePostPredicate):

        def evaluate(self, environ, credentials):
            post = self._get_blog_post(environ)
            if credentials.get('repoze.what.userid') not in post.editors:
                self.unmet('Only editors can manage post %(post_id)s',
                           post_id=post.id)

BasePostPredicate looks ugly because of the environ dict. Starting with v1.1, we're going to use the pythonic WebOb request objects and thus it will look like this:

    class BasePostPredicate(Predicate):

        def _get_blog_post(self, request):
            if "post" not in request.urlvars:
                request.urlvars['post'] = gimme_the_post(request.urlvars['post_id'])
            return request.urlvars['post']

And then

    # Can the user edit the post? (must be site manager or owner)
    from repoze.what.predicates import Any, has_permission
    p = Any(has_permission('site_manager'), is_author(context))

Right. But with the predicate above, you wouldn't pass the context:

    p = Any(has_permission('site_manager'), IsAuthor())

HTH,

- Gustavo.

On Tue, Feb 16, 2010 at 5:41 AM, Gustavo Narea m...@gustavonarea.net wrote:

Hello, Tim.

The groups/permissions functionality is just something basic and optional, to help people get started, although for some smaller projects it may be good enough.

For finer-grained control, you may want to check this:
http://what.repoze.org/docs/1.0/Manual/Predicates/Writing.html#creating-a-predicate-checker-more-sensitive-to-the-request

I've never really wanted to offer a similar functionality out-of-the-box. I've given some thought to this, and never came up with a non-intrusive way of addressing this kind of situation. But I'm always open to hear alternatives.

I hope this is what you were looking for.

- Gustavo.

On 15/02/10 15:19, Tim Hoffman wrote:

Hi

I am trying to work out how I could protect a specific resource/entity using repoze.what.

For instance I have a specific Record, owned by a specific User, and only a user with the Owner permission can Edit the record. I can't work out how you would assign Owner permission to the user only when accessing Record. i.e. the user in question would not be owner of any other record.

It seems the group source and permission source act on a global basis and aren't context aware. And predicates check_authorization() calls only take an environ and therefore you can only protect things like URLs not entities.

Am I trying to do something not possible/intended for repoze.what? I suppose I am looking for functionality similar to zope2 permissions/roles etc...

T

-- Gustavo Narea xri://=Gustavo.
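The request-time, per-object check discussed in this thread, as an added example (not code from the thread or from repoze.what): `Predicate`, `Any` and `has_permission` are simplified stand-ins written for this example so it runs without the library, and `Post`, `POSTS`, `LOADS` and `make_environ` are constructed helpers. It goes slightly beyond the posted code by failing closed when the post does not exist or the user is anonymous, and it records datastore fetches to show that several predicates share one lookup per request.

```python
class NotAuthorizedError(Exception):
    """Raised by a predicate that is not met (stand-in)."""

class Predicate(object):
    """Simplified stand-in for repoze.what.predicates.Predicate."""
    def unmet(self, msg, **placeholders):
        raise NotAuthorizedError(msg % placeholders)

    def is_met(self, environ):
        credentials = environ.get('repoze.what.credentials', {})
        try:
            self.evaluate(environ, credentials)
        except NotAuthorizedError:
            return False
        return True

class Any(Predicate):
    """Met as soon as one of the wrapped predicates is met (stand-in)."""
    def __init__(self, *predicates):
        self.predicates = predicates

    def evaluate(self, environ, credentials):
        for predicate in self.predicates:
            try:
                return predicate.evaluate(environ, credentials)
            except NotAuthorizedError:
                continue
        self.unmet('No predicate was met')

class has_permission(Predicate):
    def __init__(self, name):
        self.name = name

    def evaluate(self, environ, credentials):
        if self.name not in credentials.get('permissions', ()):
            self.unmet('Permission %(name)s required', name=self.name)

class Post(object):
    def __init__(self, id, author, editors):
        self.id, self.author, self.editors = id, author, editors

POSTS = {7: Post(7, 'alice', ('bob',))}  # constructed sample data
LOADS = []                               # one entry per datastore fetch

def gimme_the_post(post_id):
    LOADS.append(post_id)
    return POSTS.get(post_id)            # None when the post does not exist

class BasePostPredicate(Predicate):
    def _get_blog_post(self, environ):
        urlvars = environ['wsgiorg.routing_args'][1]
        if 'post' not in urlvars:        # fetch once, reuse for every predicate
            urlvars['post'] = gimme_the_post(urlvars['post_id'])
        return urlvars['post']

class IsAuthor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        userid = credentials.get('repoze.what.userid')
        # Fail closed: a missing post or an anonymous user never matches.
        if post is None or userid is None or post.author != userid:
            self.unmet('Only the author can manage this post')

class IsEditor(BasePostPredicate):
    def evaluate(self, environ, credentials):
        post = self._get_blog_post(environ)
        userid = credentials.get('repoze.what.userid')
        if post is None or userid is None or userid not in post.editors:
            self.unmet('Only editors can manage this post')

def make_environ(post_id, userid=None, permissions=()):
    """Build the two environ keys the predicates read (constructed request)."""
    return {
        'wsgiorg.routing_args': ((), {'post_id': post_id}),
        'repoze.what.credentials': {'repoze.what.userid': userid,
                                    'permissions': tuple(permissions)},
    }

# One predicate object serves every request; the post is resolved per request.
can_edit = Any(has_permission('site_manager'), IsAuthor(), IsEditor())
```

Without the `userid is None` guard, a post whose author field is empty would compare equal to an anonymous request's missing user id.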
Re: [Repoze-dev] Problem with repoze.what-pylons sample application
Hello,

On 07/04/10 12:11, Phenex wrote:

The application is running now, but I have the same problem I've had with my own one - I simply cannot log in. The password validation itself works, I have no idea where the problem is. No exception, simply the message "Wrong credentials"

Before running `paster serve', you need to do a couple of things:

1.- Install the application and its dependencies, which is what you already did (`python setup.py develop').
2.- Create some minimum records in the database:

    paster setup-app development.ini

Did you try #2? You can then try logging in with one of the initial credentials:
http://bitbucket.org/Gustavo/whatpylonsproject/src/tip/pylonssecuredapp/websetup.py

-- Gustavo Narea xri://=Gustavo.
Re: [Repoze-dev] FriendlyForm login count not incrementing on failed login
Hello, Ian.

It sounds like you've not added the plugin to the authenticators in repoze.who. Make sure to add form to both the identifiers and challengers.

HTH,

- Gustavo.

On 15/04/10 17:22, Ian Stevens wrote:

I've built a LDAP authorizing login using repoze.who-1.0.10 and repoze.who.plugins.ldap-1.0 under Pylons-0.9.7. Now I want to use repoze.who_friendlyform-1.0.4 to report an incorrect login message to the user. Unfortunately, the login count doesn't seem to be incrementing.

Before I go into detail, is there a simpler way to display a message to the user on a failed login? Am I dense or is this much more of an effort than it should be? Most searches I've tried pull up FriendlyForm.

The problem is that repoze.who.plugins.friendlyform.FriendlyFormPlugin.challenge() does not get called on a login attempt, so the counter (in both environ and the query) doesn't increment. Valid users authenticate OK.

I wrote my own authenticator which checks to see whether an authorized LDAP user exists in the app DB, and my own mdprovider which copies the related user object from the DB to the repoze identity. Everything else is in line with the tutorials. The code and config is below. The make_redirecting_plugin method which FriendlyForm lacks is ripped from repoze.who.plugins.form.

Any ideas as to how to get this working would be much appreciated.

thanks,
Ian.

The form section of who.ini:

    [plugin:form]
    use = foo.lib.auth:make_redirecting_plugin
    login_form_url = /login
    login_handler_path = /dologin
    logout_handler_path = /logout
    rememberer_name = auth_tkt

    [plugin:auth_tkt]
    use = repoze.who.plugins.auth_tkt:make_plugin
    secret = sekrit

Method referenced above:

    from repoze.who.plugins.friendlyform import FriendlyFormPlugin

    def make_redirecting_plugin(login_form_url=None,
                                login_handler_path='/login_handler',
                                logout_handler_path='/logout_handler',
                                rememberer_name=None):
        """Taken from repoze.who.plugins.form for FriendlyForm."""
        if login_form_url is None:
            raise ValueError(
                'must include login_form_url in configuration')
        if login_handler_path is None:
            raise ValueError(
                'login_handler_path must not be None')
        if logout_handler_path is None:
            raise ValueError(
                'logout_handler_path must not be None')
        if rememberer_name is None:
            raise ValueError(
                'must include rememberer key (name of another IIdentifier plugin)')
        plugin = FriendlyFormPlugin(login_form_url, login_handler_path, None,
                                    logout_handler_path, None, rememberer_name)
        return plugin

The code for generating the login form:

    def login(self):
        identity = request.environ.get('repoze.who.identity')
        if identity is not None:
            came_from = request.params.get('came_from', None)
            if came_from:
                redirect_to(str(came_from))
        return render('/login.mako').encode('utf8')

The above template checks the counter in environ and outputs a login error if it's greater than 0.

-- Gustavo Narea xri://=Gustavo.
Re: [Repoze-dev] FriendlyForm login count not incrementing on failed login
On 22/04/10 15:39, Ian Stevens wrote:

Thanks Gustavo. Adding the came_from and __logins to the form and propagating them in the login() method worked. If I had given it more thought (and I see it now in your code), I might have done something like that but it wasn't evident to me from the documentation. I see almost the same HTML form on a few other webpages so the documentation must be somewhere. I just couldn't find it.

You're absolutely right, Ian! I'll sort it out.

Cheers.

-- Gustavo Narea xri://=Gustavo.
Re: [Repoze-dev] FriendlyForm login count not incrementing on failed login
On 22/04/10 19:55, Gustavo Narea wrote:

You're absolutely right, Ian! I'll sort it out.

Done:
http://code.gustavonarea.net/repoze.who-friendlyform/#friendlyformplugin-examples

-- Gustavo Narea xri://=Gustavo.
Re: [Repoze-dev] [PATCH] Added the skip_authentication to repoze.what-quickstart config files
¡Hola, Néstor!

Thank you very much for the patch! It looked good to me, so I applied it after writing a test to make sure skip_authentication = False also works:
http://what.repoze.org/docs/plugins/quickstart/News.html

Saludos,

- Gustavo.

Néstor said:

Hey,

I would like to pass the skip_authentication parameter using the config file with repoze.what-quickstart plugin. I've attached a patch with this feature, if anyone wants to review it and perhaps it could be included in the next release :)

Any feedback?

Néstor.

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] what.repoze.org
Hello, Chris.

Sorry about that. I had not checked my personal email today. I'll sort it out now.

- Gustavo.

You said:

Hi Gustavo,

Looks like http://what.repoze.org returns a 403 forbidden error?

- C

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] Path: chose to use main authenticator or not in quickstart plugin
Hello, François.

Thank you very much! I've just released repoze.what-quickstart 1.0.8 with this feature.

Enjoy!

- Gustavo.

François said:

Hi there,

I was trying to use custom columns in my user table using TG2 (is_active column for a user). I decided to overload the SQLAlchemyAuthenticator to be able to check this additional column value. I passed my custom class instance to authenticators argument but the main (SQLAlchemyAuthenticator) is always used and there is no way to disable it.

I added a keyword argument named 'use_main_authenticator' which - if authenticators keyword is used - discard the main one and only used passed instance.

Regards,
F.

Index: repoze/what/plugins/quickstart/__init__.py === --- repoze/what/plugins/quickstart/__init__.py (revision 9436) +++ repoze/what/plugins/quickstart/__init__.py (working copy) 
@@ -236,16 +236,23 @@ if permission_adapter: permission_adapters = {'sql_auth': permission_adapter} +use_main_authenticator = True # Setting the repoze.who authenticators: -sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession) -sqlauth.translations.update(plugin_translations['authenticator']) if 'authenticators' not in who_args: who_args['authenticators'] = [] -who_args['authenticators'].append(('sqlauth', sqlauth)) +else: +if 'use_main_authenticator' in who_args and \ + who_args['use_main_authenticator'] == False: +use_main_authenticator = False +if use_main_authenticator != False: +sqlauth = SQLAlchemyAuthenticatorPlugin(user_class, dbsession) +sqlauth.translations.update(plugin_translations['authenticator']) +who_args['authenticators'].append(('sqlauth', sqlauth)) + cookie = AuthTktCookiePlugin(cookie_secret, cookie_name, - timeout=cookie_timeout, - reissue_time=cookie_reissue_time) + timeout=cookie_timeout, + reissue_time=cookie_reissue_time) # Setting the repoze.who identifiers if 'identifiers' not in who_args: -- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about | ___ Repoze-dev mailing list Repoze-dev@lists.repoze.org http://lists.repoze.org/listinfo/repoze-dev
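Review bot: in the new `else:` branch, `use_main_authenticator` is read from `who_args` with an `in` test plus `== False` but is never removed from the dict in this hunk, so the key is still in `who_args` next to `authenticators` afterwards; `use_main_authenticator = who_args.pop('use_main_authenticator', True)` would read and drop it in one step, and `if use_main_authenticator:` would replace the `!= False` comparison. Because the flag is only honoured when `authenticators` was passed, it is also worth checking that the supplied list is not empty before skipping `sqlauth`, otherwise the application is configured with no authenticator at all. The re-indentation of the `AuthTktCookiePlugin(...)` arguments is unrelated to the feature and would be better left out of this patch, and the new option is not documented anywhere in the hunk.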
Re: [Repoze-dev] EuroPython sprints
Gustavo said:

So, if anyone is interested, we can plan a sprint on the projects above. If not, it should still be fun to code surrounded by other WSGI developers, so I'd love to join other WSGI/Repoze sprints ;-)

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
[Repoze-dev] [issue111] repoze.who.plugins.ldap enhancements
Gustavo Narea m...@gustavonarea.net added the comment:

Lorenzo Catucci and I have been working on these improvements on a separate branch still on Launchpad:
https://code.launchpad.net/~gnarea/repoze.who.plugins.ldap/1.1proposal

--
assignedto: -> Gustavo
nosy: +Gustavo
status: chatting -> resolved

Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue111
[Repoze-dev] [issue149] Fix SAWarning messages when using repoze.who.plugins.sa plugins
Gustavo Narea m...@gustavonarea.net added the comment:

The SQLAlchemy plugin is not tied to ASCII or Unicode, and you can use it without getting any warning as long as you pass the username/password properly encoded.

I cannot apply that patch because some people use ASCII, and also the right place to fix this is the repoze.who identifier plugin that you are using, which is not giving repoze.who the username/password properly.

Are you using a built-in repoze.who identifier plugin? Or is it maintained by a 3rd party? If it's a homegrown identifier, you may want to have a look at the code for repoze.who-friendlyform which gives repoze.who the credentials with the right charset:
http://svn.repoze.org/whoplugins/whofriendlyforms/trunk/repoze/who/plugins/friendlyform.py

Please use the mailing list if you need help to fix the identifier:
http://lists.repoze.org/listinfo/repoze-dev

Cheers.

--
assignedto: -> Gustavo
nosy: +Gustavo
priority: bug -> wish
status: unread -> resolved
topic: +repoze.who

Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue149
[Repoze-dev] repoze.who LDAP plugin 1.1 Alpha 1 is out
Hello,

I'm pleased to announce that a new release of the repoze.who LDAP plugin is available:
http://code.gustavonarea.net/repoze.who.plugins.ldap/

The following features have been implemented by Lorenzo Catucci of the University of Rome Tor Vergata:

- Changed the license to the Repoze license.
- Provided start_tls option both for the authenticator and the metadata provider.
- Enable both pattern-replacement and subtree searches for the naming attribute in _get_dn().
- Enabled configuration of the naming attribute
- Enabled the option to bind to the server with privileged credential before doing searches
- Added a restrict pattern to pre-authentication DN searches
- Let the user choose whether to return the full DN or the supplied login as the user identifier.

This is a backwards compatible release and we're looking forward to getting feedback about the new features.

Because I'm no longer maintaining this plugin actively [1], I depend on your feedback to know if/when we're ready for a final 1.1 release. If I get no or little feedback, I'll do a final release in a few months without changes to this alpha release.

Enjoy!

[1] http://www.mail-archive.com/repoze-dev@lists.repoze.org/msg01792.html

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] EuroPython sprints
Fergus said:

Gustavo: If you submit a r.who / plugin sprint, I'll sign up! We have a few apps running behind r.who so I have a bit of a vested interest in seeing it stay up to date.

Sounds like a plan. I'll try to do it today.

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] cogbin is back - please add/update keyword turbogears2 in your setup.py and upload to pypi.
Wichert said:

Are we already using the Topic :: Internet :: WWW/HTTP :: WSGI :: Middleware classifier? Everything in that category should work fine with turbogears and the classifier is nicely generic.

+1.

If someone creates a WSGI-related library whose target is TG, they should add the relevant keyword anyway. For example, the Pylons/TG2 plugin for repoze.what (repoze.what-pylons) has pylons and turbogears as keywords.

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] repoze.who testing on Pylons
Hello,

Setting REMOTE_USER is the preferred method. It should make everything work with no additional code.

If it doesn't work, the only reason I can think of would be that skip_authentication is not set during the tests:
http://code.gustavonarea.net/repoze.who-testutil/HowTo/Reconfiguring.html

HTH.

- Gustavo.

Chris said:

Greetings,

I'm using the shabti paster templates for a repoze auth'n'auth set up on Pylons. The templates preconfigure the set up with repoze.who_testutil. I've been struggling trying to get these tests to run. The instructions for the testutil show that I just need to pass in the REMOTE_USER dictionary in the environ:

    response = self.app.get(url(controller='mycontroller', action='index', extra_environ={'REMOTE_USER':'tester'}))

Someone else on the Pylons board told me to just create a repoze.what.credentials dictionary with userid, groups, and permissions keys. I'm choking here... On my controller I use the helper get_user to get a user instance which keeps showing as None in the error stack...

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] testing repoze.who/repoze.what with a quickstart configuration
Hello, Ryan.

The quickstart plugin supports repoze.who-testutil, you just need to make sure it gets the skip_authentication argument.

Ryan said:

    def add_auth(app):
        return setup_sql_auth(app, User, Group, Permission, Session,
            login_url = '/login',
            login_handler = '/authenticate',
            post_login_url = '/dashboard',
            logout_handler = '/logout',
            post_logout_url = '/login',
            cookie_secret = 'abc',
            translations = {
                'user_name': 'nickname',
                'group_name': 'name',
                'permission_name': 'name'})

You should add skip_authentication=True if and only if you're testing.

HTH.

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
[Repoze-dev] [issue159] repoze.what.plugins.sql bug with group permissions
Gustavo Narea m...@gustavonarea.net added the comment:

Looks good to me, but I have to write a couple of tests (one for the groups and another for the permissions) for it before releasing it.

Unfortunately the tests are more complex than the actual change because of the new fixtures, so I'll leave it for tomorrow.

Thanks for the patch!

--
status: unread -> in-progress

Repoze Bugs b...@bugs.repoze.org
http://bugs.repoze.org/issue159
Re: [Repoze-dev] repoze.who testing on Pylons
Hello, Wojtek.

I've had a quick look at the auth_repozepylons template in Shabti and I think I've found the problem. The test case TestController doesn't seem to be setting skip_authentication. Can you please modify it to make it look like this:

    class TestController(TestModel):

        # Protected areas should be tested with authentication disabled:
        application_under_test = 'main'

        def __init__(self, *args, **kwargs):
            conf_dir = config['here']
            wsgiapp = loadapp('config:test.ini#%s' % self.application_under_test,
                              relative_to=conf_dir)
            self.app = TestApp(wsgiapp)
            url._push_object(URLGenerator(config['routes.map'], environ))
            TestCase.__init__(self, *args, **kwargs)

Then go to tests/functional/test_auth_login.py and add the application_under_test attribute to TestLoginController, like this:

    class TestLoginController(TestController):
        application_under_test = 'main_without_authn'
        ...

Does it work now? If so, can you please report the bug on https://bitbucket.org/gjhiggins/shabti/issues?status=new

Cheers.

- Gustavo.

Wojtek said:

Thanks for reply, Gustavo. I did check that, though I'm using the *shabti* templates and they are up to par. I guess my problem isn't with authentication so much as with identification, maybe?:

In my controller I have *request.environ.get('repoze.who.identity')['user']* and it just keeps coming up as 'None' on my tests (only)... sigh

I've been at it for a couple of days now. I even went as far as doing another virtualenv and creating a new app and it persists.

I really appreciate the help.

On Sun, Aug 15, 2010 at 3:45 PM, Gustavo Narea m...@gustavonarea.net wrote:

Hello,

Setting REMOTE_USER is the preferred method. It should make everything work with no additional code.

If it doesn't work, the only reason I can think of would be that skip_authentication is not set during the tests:
http://code.gustavonarea.net/repoze.who-testutil/HowTo/Reconfiguring.html

HTH.

- Gustavo.

Chris said:

Greetings,

I'm using the shabti paster templates for a repoze auth'n'auth set up on Pylons. The templates preconfigure the set up with repoze.who_testutil. I've been struggling trying to get these tests to run. The instructions for the testutil show that I just need to pass in the REMOTE_USER dictionary in the environ:

    response = self.app.get(url(controller='mycontroller', action='index', extra_environ={'REMOTE_USER':'tester'}))

Someone else on the Pylons board told me to just create a repoze.what.credentials dictionary with userid, groups, and permissions keys. I'm choking here... On my controller I use the helper get_user to get a user instance which keeps showing as None in the error stack...

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
Re: [Repoze-dev] enabling login with username or email + password
Hello,

Another option is to create an authenticator like this:

    from repoze.who.plugins.sa import SQLAlchemyAuthenticatorPlugin
    from sqlalchemy.orm.exc import NoResultFound, MultipleResultsFound

    class UsernameOrEmailAuthenticator(SQLAlchemyAuthenticatorPlugin):

        def authenticate(self, environ, identity):
            # If an email address was provided instead of a user name,
            # replace it with the respective user name:
            if "@" in identity['login']:
                try:
                    username = get_username_for_email(identity['login'])
                except (NoResultFound, MultipleResultsFound):
                    return None
                else:
                    identity['login'] = username

            return super(UsernameOrEmailAuthenticator, self).\
                authenticate(environ, identity)

For ideas on how to define get_username_for_email(), you may check _BaseSQLAlchemyPlugin:
http://svn.repoze.org/whoplugins/whoalchemy/trunk/repoze/who/plugins/sa.py

And pass it to the quickstart:

    def add_auth(app, skip_authentication):
        sa_authn = UsernameOrEmailAuthenticator(User, Session)
        authenticators = [("username_or_email", sa_authn)]
        return setup_sql_auth(app, User, Group, Permission, Session,
            skip_authentication = skip_authentication,
            log_level = 'info',
            login_url = '/login',
            login_handler = '/authenticate',
            post_login_url = '/dashboard',
            logout_handler = '/logout',
            post_logout_url = '/login',
            cookie_secret = 'de9f2c7fd25e1b3afad3e85a0bd17d9b100db4b3',
            translations = {
                'user_name': 'username',
                'group_name': 'name',
                'permission_name': 'name'
            },
            use_default_authenticator=False,
            authenticators=authenticators,
        )

HTH.

-- Gustavo Narea xri://=Gustavo. | Tech blog: =Gustavo/(+blog)/tech ~ About me: =Gustavo/about |
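One way to fill in `get_username_for_email()` and watch the authenticator above handle unknown and ambiguous addresses, as an added example that is not part of the original message: it uses sqlite3 instead of SQLAlchemy so it runs on its own, and the `users` schema, the `PasswordAuthenticator` base class, the two exception classes and the `login()` helper are stand-ins assumed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

class NoResultFound(Exception):
    """Stand-in for sqlalchemy.orm.exc.NoResultFound."""

class MultipleResultsFound(Exception):
    """Stand-in for sqlalchemy.orm.exc.MultipleResultsFound."""

def _hash(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, 100000)

def make_db():
    """In-memory user table with constructed rows; the schema is assumed."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE users '
               '(user_name TEXT PRIMARY KEY, email TEXT, salt BLOB, pw BLOB)')
    rows = [('alice', 'alice@example.org', 'wonderland'),
            ('bob', 'shared@example.org', 'builder'),
            ('carol', 'Shared@Example.org', 'singer')]  # same address as bob
    for name, email, password in rows:
        salt = os.urandom(16)
        db.execute('INSERT INTO users VALUES (?, ?, ?, ?)',
                   (name, email, salt, _hash(password, salt)))
    return db

def get_username_for_email(db, email):
    """Return the single user name registered for ``email``."""
    found = db.execute(
        'SELECT user_name FROM users WHERE lower(email) = lower(?)',
        (email,)).fetchmany(2)           # two rows are enough to spot ambiguity
    if not found:
        raise NoResultFound(email)
    if len(found) > 1:
        raise MultipleResultsFound(email)
    return found[0][0]

class PasswordAuthenticator(object):
    """Stand-in for SQLAlchemyAuthenticatorPlugin: user name plus password."""
    def __init__(self, db):
        self.db = db

    def authenticate(self, environ, identity):
        row = self.db.execute('SELECT salt, pw FROM users WHERE user_name = ?',
                              (identity['login'],)).fetchone()
        if row and hmac.compare_digest(_hash(identity['password'], row[0]),
                                       row[1]):
            return identity['login']
        return None

class UsernameOrEmailAuthenticator(PasswordAuthenticator):
    def authenticate(self, environ, identity):
        if '@' in identity['login']:
            try:
                username = get_username_for_email(self.db, identity['login'])
            except (NoResultFound, MultipleResultsFound):
                return None              # unknown or ambiguous address: deny
            identity['login'] = username
        return super(UsernameOrEmailAuthenticator, self).authenticate(
            environ, identity)

def login(db, login_name, password):
    """Run one login attempt through the plugin's authenticate() method."""
    identity = {'login': login_name, 'password': password}
    return UsernameOrEmailAuthenticator(db).authenticate({}, identity)
```

A unique constraint on the normalised email column and a rule that user names may not contain "@" keep the two login forms from overlapping.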