[web2py] Re: Cache + Bottlenose API - need help

2015-10-08 Thread Leonel Câmara
The thing is web2py caching logic is different from what bottlenose wants, 
as it never really returns None. It also never really stores values 
directly; it calls a function to get a value when it needs one, so you need 
to make some kind of adapter for it. You were almost there.

I haven't tested it but this should work.

import bottlenose

# `cache` is the object web2py provides in the model/controller environment.

def reader(cache_url):
    # Time expire can be any value you want here (e.g. 3600 so bottlenose
    # writes it again in an hour)
    return cache.ram(cache_url, lambda: None, time_expire=None)


def writer(cache_url, response_text):
    # Time expire needs to be 0 here to make sure it always writes
    cache.ram(cache_url, lambda: response_text, time_expire=0)


amazon = bottlenose.Amazon(CacheWriter=writer,
                           CacheReader=reader, )





-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
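
A runnable model of the adapter described in the message above, added here as an example; it is not code from the thread, web2py or bottlenose. `RamCacheModel` is a simplified stand-in for `cache.ram` (its semantics are an assumption, stated in its docstring), and `make_adapters`, `demo`, the clock and the URL are constructed for illustration.

```python
import time


class RamCacheModel(object):
    """Simplified model of the call shape cache.ram(key, f, time_expire).

    Assumption: a stored entry is returned while it is younger than
    time_expire seconds (None means it never expires); otherwise f() is
    called and its result is stored, even when that result is None.
    """

    def __init__(self, clock=time.time):
        self.storage = {}
        self.clock = clock

    def __call__(self, key, f, time_expire=300):
        now = self.clock()
        item = self.storage.get(key)
        if item and (time_expire is None or item[0] > now - time_expire):
            return item[1]
        value = f()
        self.storage[key] = (now, value)
        return value


def make_adapters(cache_ram, max_age=3600):
    """Build the reader/writer pair passed as CacheReader/CacheWriter."""

    def reader(cache_url):
        # Miss or stale entry: the lambda runs, so None is stored and
        # returned, and the caller sees "nothing cached".
        return cache_ram(cache_url, lambda: None, time_expire=max_age)

    def writer(cache_url, response_text):
        # time_expire=0 makes any existing entry stale, so the lambda
        # always runs and the new text overwrites the old value.
        cache_ram(cache_url, lambda: response_text, time_expire=0)

    return reader, writer


def demo():
    """Walk one URL through miss, write, hit, expiry and rewrite."""
    now = [1000.0]  # constructed clock so the run is deterministic
    cache_ram = RamCacheModel(clock=lambda: now[0])
    reader, writer = make_adapters(cache_ram, max_age=3600)
    url = "https://example.invalid/onca/xml?Operation=ItemLookup"  # constructed
    seen = [reader(url)]              # miss
    writer(url, "<xml>first</xml>")
    seen.append(reader(url))          # hit
    now[0] += 3601                    # entry is now older than max_age
    seen.append(reader(url))          # stale, reported as a miss
    writer(url, "<xml>second</xml>")
    seen.append(reader(url))          # hit on the rewritten entry
    return seen


if __name__ == "__main__":
    print(demo())
```
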


[web2py] Re: Unable to edit any apps even after logging in

2015-10-08 Thread Willoughby
"Edit" is under the "Manage" button - so you really just need a functional 
"Manage" button.  Do you have NoScript installed?  Perhaps try another 
browser or another machine.  



On Wednesday, October 7, 2015 at 10:00:27 PM UTC-4, Larry Graves wrote:
>
> Hi, 
>
> I'm working with web2py for a class project, and while I've gotten the 
> server to launch, I can't seem to access any administrative functions.  The 
> admin interface prompts me for a password, which I enter, and then it goes 
> back to the overview of all apps.
>
> However, instead of showing "Edit" and the other administrative options, 
> it provides a "Manage" button which does nothing when I click it.  
>
> I've tried disabling my firewall and all ad-blocking software, but without 
> any change.
>
> Does anyone have any ideas what I can try to resolve this?  I've followed 
> the instructions from the guide to get here.
>
> Thanks,
> Larry
>



Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread António Ramos
Niphlod,
I don't see where you are pointing on https://www.qualys.com/
Where is the web2py app that survived the security scan?

Thank you

2015-10-05 11:25 GMT+01:00 Niphlod:

> here in ***undisclosed company web2py survives a
> https://www.qualys.com/ security scan with no reports whatsoever.
>
>
> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>
>> Hi, just looking back over anything about penetration testing and web2py
>> - does anyone know of any recent (or any at all) testing of web2py? We're
>> getting close to our first customers on an app we've been developing the
>> last year so really need to try and pick it to pieces now while we have a
>> few months to work on anything we need to.
>>
>> Thanks
>> Ian
>>
>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>
>>> Thank you Dave for the feedback. It would be nice to have the results of
>>> those  tests (Cenznic, Hailstorm, Quails) published somewhere. Once in a
>>> while people ask about this.
>>>
>>> Massimo
>>>
>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:

>>>> Well
>>>>
>>>> I can't say that I have tested the current trunk version, but last
>>>> December I ran a pretty exhaustive penetration test against a site
>>>> developed web2py.  The results were very good.  No findings above low.  The
>>>> low findings were insignificant.  I ran Cenzic Hailstorm, Qualys and one
>>>> other automated vulnerability test suite (I cant remember which at the
>>>> moment) against it without issue.
>>>>
>>>> Here are some things that can cause issue though...
>>>>
>>>> * anywhere you use the XML() method in a view you should make sure you
>>>> have validation turned on.  Even though the framework is resilient and does
>>>> a good job of sanitizing data in & out, you can still end up in XSS or XSRF
>>>> trouble with XML().
>>>>
>>>> * redirects can trip up or slow down a lot of vuln scanners.  Watch out
>>>> if you perform your own testing that you're not getting false negatives.
>>>>
>>>> I know some people that would take on a more "formal" assessment if
>>>> there is consensus
>>>>
>>>> Dave
>>>>
>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>
>>>>> One of the awesome things about web2py is of course the built-in and
>>>>> well-documented resilience against a range of attack methods, but I was
>>>>> wondering if anyone has attempted a methodical (white-hat) attack to probe
>>>>> any potential weaknesses?
>>>>>
>>>>> Just out of interest :)
>>>>>


Re: [web2py] Re: Has anyone done a detailed security analysis or attempted a methodical attack on web2py?

2015-10-08 Thread Niphlod
not really. 
I built some apps on web2py that are live and in production, and since 
EVERY app in my environment NEEDS to pass a Qualys scan to be live and 
production ready, I know that MY apps survive a Qualys scan with flying 
colors.
Point being "ATM web2py does not expose any obvious/hidden threat that 
Qualys identifies".
I'll reinstate the obvious though: this "just" means that if you code 
responsibly, your app is safe. It's not too little of a "just". But it's a 
"just" nonetheless. 
No one is saying that EVERY app you code will pass a white-hat attempt if 
it's hosted on web2py, and I don't think that any framework in any language 
will ever have the guts to assure it. 


On Thursday, October 8, 2015 at 8:38:05 PM UTC+2, Richard wrote:
>
> @Antonio
>
> I think Simone just points to the tool that can be used for such purpose... 
> You can use it over your App. From my understanding the App tested is the 
> Ian App...
>
> Richard
>
> On Thu, Oct 8, 2015 at 1:19 PM, António Ramos wrote:
>
>> Niphlod,
>> I don't see where you are pointing on https://www.qualys.com/
>> Where is the web2py app that survived the security scan?
>>
>> Thank you
>>
>> 2015-10-05 11:25 GMT+01:00 Niphlod:
>>
>>> here in ***undisclosed company web2py survives a 
>>> https://www.qualys.com/ security scan with no reports whatsoever.
>>>
>>>
>>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:

>>>> Hi, just looking back over anything about penetration testing and
>>>> web2py - does anyone know of any recent (or any at all) testing of web2py?
>>>> We're getting close to our first customers on an app we've been developing
>>>> the last year so really need to try and pick it to pieces now while we have
>>>> a few months to work on anything we need to.
>>>>
>>>> Thanks
>>>> Ian
>>>>
>>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>>
>>>>> Thank you Dave for the feedback. It would be nice to have the results
>>>>> of those  tests (Cenznic, Hailstorm, Quails) published somewhere. Once in a
>>>>> while people ask about this.
>>>>>
>>>>> Massimo
>>>>>
>>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>>
>>>>>> Well
>>>>>>
>>>>>> I can't say that I have tested the current trunk version, but last
>>>>>> December I ran a pretty exhaustive penetration test against a site
>>>>>> developed web2py.  The results were very good.  No findings above low.  The
>>>>>> low findings were insignificant.  I ran Cenzic Hailstorm, Qualys and one
>>>>>> other automated vulnerability test suite (I cant remember which at the
>>>>>> moment) against it without issue.
>>>>>>
>>>>>> Here are some things that can cause issue though...
>>>>>>
>>>>>> * anywhere you use the XML() method in a view you should make sure
>>>>>> you have validation turned on.  Even though the framework is resilient and
>>>>>> does a good job of sanitizing data in & out, you can still end up in XSS or
>>>>>> XSRF trouble with XML().
>>>>>>
>>>>>> * redirects can trip up or slow down a lot of vuln scanners.  Watch
>>>>>> out if you perform your own testing that you're not getting false
>>>>>> negatives.
>>>>>>
>>>>>> I know some people that would take on a more "formal" assessment if
>>>>>> there is consensus
>>>>>>
>>>>>> Dave
>>>>>>
>>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>>
>>>>>>> One of the awesome things about web2py is of course the built-in and
>>>>>>> well-documented resilience against a range of attack methods, but I was
>>>>>>> wondering if anyone has attempted a methodical (white-hat) attack to probe
>>>>>>> any potential weaknesses?
>>>>>>>
>>>>>>> Just out of interest :)
>>>>>>>

[web2py] Re: Oracle drivers.

2015-10-08 Thread Niphlod
the repo for pydal is the other one no worries though, I linked your 
one in https://github.com/web2py/pydal/issues/299

On Thursday, October 8, 2015 at 3:13:11 AM UTC+2, Michael M wrote:
>
> Submitted:
> https://github.com/web2py/web2py/issues/1082
>
> On Wednesday, October 7, 2015 at 5:29:43 PM UTC-7, Massimo Di Pierro wrote:
>>
>> This may be a bug. Can you please open a pydal ticket and we will check 
>> it asap?
>>
>> On Wednesday, 7 October 2015 14:50:13 UTC-5, Michael M wrote:
>>>
>>> Never checked there.  But it is.
>>>
>>> $ python web2py.py
>>> web2py Web Framework
>>> Created by Massimo Di Pierro, Copyright 2007-2015
>>> Version 2.12.3-stable+timestamp.2015.08.19.00.18.03
>>> Database drivers available: cx_Oracle, pymysql, imaplib, sqlite3, 
>>> pg8000, pyodbc
>>>
>>> Weird.  just rebooted the Virt. and still getting:
>>>
>>> Traceback (most recent call last):
>>>   File "/opt/www-data/web2py/gluon/restricted.py", line 227, in restricted
>>> exec ccode in environment
>>>   File "/opt/www-data/web2py/applications/test/models/db.py" 
>>> , line 20, in 
>>> 
>>> db = DAL(myconf.take('db.uri'), pool_size=myconf.take('db.pool_size', 
>>> cast=int), check_reserved=['all'])
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 174, 
>>> in __call__
>>> obj = super(MetaDAL, cls).__call__(*args, **kwargs)
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 459, 
>>> in __init__
>>> raise RuntimeError("Failure to connect, tried %d times:\n%s" % 
>>> (attempts, tb))
>>> RuntimeError: Failure to connect, tried 5 times:
>>> Traceback (most recent call last):
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 437, 
>>> in __init__
>>> self._adapter = ADAPTERS[self._dbname](**kwargs)
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/base.py", 
>>> line 57, in __call__
>>> obj = super(AdapterMeta, cls).__call__(*args, **kwargs)
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/oracle.py", 
>>> line 105, in __init__
>>> if do_connect: self.find_driver(adapter_args,uri)
>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/base.py", 
>>> line 188, in find_driver
>>> raise RuntimeError("no driver available %s" % str(self.drivers))
>>> RuntimeError: no driver available ('cx_Oracle',)
>>>
>>>
>>> On Wednesday, October 7, 2015 at 12:45:19 PM UTC-7, Willoughby wrote:

>>>> When you start web2py from a command line it should list 'Database
>>>> drivers available' - is it on that list?
>>>>
>>>> On Wednesday, October 7, 2015 at 3:12:01 PM UTC-4, Michael M wrote:
>>>>>
>>>>> Just to cover more basis I installed the following:
>>>>>
>>>>> sudo rpm -Uvh
>>>>>
>>>>> oracle-instantclient11.2-basic-11.2.0.4.0-1.x86_64.rpm
>>>>> oracle-instantclient11.2-devel-11.2.0.4.0-1.x86_64.rpm
>>>>> oracle-instantclient11.2-jdbc-11.2.0.4.0-1.x86_64.rpm
>>>>> oracle-instantclient11.2-odbc-11.2.0.4.0-1.x86_64.rpm
>>>>> oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.x86_64.rpm
>>>>> oracle-instantclient11.2-tools-11.2.0.4.0-1.x86_64.rpm
>>>>>
>>>>> then
>>>>>
>>>>> cx_Oracle-5.1.2-11g-py27-1.x86_64.rpm
>>>>>
>>>>> Still no dice in Web2py
>>>>>
>>>>>
>>>>> On Tuesday, October 6, 2015 at 5:09:18 PM UTC-7, Michael M wrote:
>>>>>>
>>>>>> I was testing in non-prod (RHEL) to see if it was built in.  it
>>>>>> wasnt.  on my Fedora 22 at my desk I installed cx_Oracle because it works
>>>>>> when i am in CLI python and I can call it no errors.  I have yet to dabble
>>>>>> in virtualenv.
>>>>>>
>>>>>> I have systemctl restart httpd after every change.  even reboots to
>>>>>> make sure.
>>>>>>
>>>>>> On Tuesday, October 6, 2015 at 5:02:12 PM UTC-7, Leonel Câmara wrote:
>>>>>>>
>>>>>>> Is it possible web2py is running in a virtualenv where you have not
>>>>>>> installed cx_Oracle?
>>>>>>>
>>>>>>> Also don't forget to restart Apache.
>>>>>>>
>>>>>>



[web2py] Re: Oracle drivers.

2015-10-08 Thread Michael M
Thank-you Niphlod!

On Thursday, October 8, 2015 at 12:08:40 PM UTC-7, Niphlod wrote:
>
> the repo for pydal is the other one no worries though, I linked your 
> one in https://github.com/web2py/pydal/issues/299
>
> On Thursday, October 8, 2015 at 3:13:11 AM UTC+2, Michael M wrote:
>>
>> Submitted:
>> https://github.com/web2py/web2py/issues/1082
>>
>> On Wednesday, October 7, 2015 at 5:29:43 PM UTC-7, Massimo Di Pierro 
>> wrote:
>>>
>>> This may be a bug. Can you please open a pydal ticket and we will check 
>>> it asap?
>>>
>>> On Wednesday, 7 October 2015 14:50:13 UTC-5, Michael M wrote:

>>>> Never checked there.  But it is.
>>>>
>>>> $ python web2py.py
>>>> web2py Web Framework
>>>> Created by Massimo Di Pierro, Copyright 2007-2015
>>>> Version 2.12.3-stable+timestamp.2015.08.19.00.18.03
>>>> Database drivers available: cx_Oracle, pymysql, imaplib, sqlite3,
>>>> pg8000, pyodbc
>>>>
>>>> Weird.  just rebooted the Virt. and still getting:
>>>>
>>>> Traceback (most recent call last):
>>>>   File "/opt/www-data/web2py/gluon/restricted.py", line 227, in restricted
>>>> exec ccode in environment
>>>>   File "/opt/www-data/web2py/applications/test/models/db.py"
>>>> , line 20, in
>>>>
>>>> db = DAL(myconf.take('db.uri'), pool_size=myconf.take('db.pool_size',
>>>> cast=int), check_reserved=['all'])
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 174,
>>>> in __call__
>>>> obj = super(MetaDAL, cls).__call__(*args, **kwargs)
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 459,
>>>> in __init__
>>>> raise RuntimeError("Failure to connect, tried %d times:\n%s" %
>>>> (attempts, tb))
>>>> RuntimeError: Failure to connect, tried 5 times:
>>>> Traceback (most recent call last):
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/base.py", line 437,
>>>> in __init__
>>>> self._adapter = ADAPTERS[self._dbname](**kwargs)
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/base.py",
>>>> line 57, in __call__
>>>> obj = super(AdapterMeta, cls).__call__(*args, **kwargs)
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/oracle.py",
>>>> line 105, in __init__
>>>> if do_connect: self.find_driver(adapter_args,uri)
>>>>   File "/opt/www-data/web2py/gluon/packages/dal/pydal/adapters/base.py",
>>>> line 188, in find_driver
>>>> raise RuntimeError("no driver available %s" % str(self.drivers))
>>>> RuntimeError: no driver available ('cx_Oracle',)
>>>>
>>>>
>>>> On Wednesday, October 7, 2015 at 12:45:19 PM UTC-7, Willoughby wrote:
>>>>>
>>>>> When you start web2py from a command line it should list 'Database
>>>>> drivers available' - is it on that list?
>>>>>
>>>>> On Wednesday, October 7, 2015 at 3:12:01 PM UTC-4, Michael M wrote:
>>>>>>
>>>>>> Just to cover more basis I installed the following:
>>>>>>
>>>>>> sudo rpm -Uvh
>>>>>>
>>>>>> oracle-instantclient11.2-basic-11.2.0.4.0-1.x86_64.rpm
>>>>>> oracle-instantclient11.2-devel-11.2.0.4.0-1.x86_64.rpm
>>>>>> oracle-instantclient11.2-jdbc-11.2.0.4.0-1.x86_64.rpm
>>>>>> oracle-instantclient11.2-odbc-11.2.0.4.0-1.x86_64.rpm
>>>>>> oracle-instantclient11.2-sqlplus-11.2.0.4.0-1.x86_64.rpm
>>>>>> oracle-instantclient11.2-tools-11.2.0.4.0-1.x86_64.rpm
>>>>>>
>>>>>> then
>>>>>>
>>>>>> cx_Oracle-5.1.2-11g-py27-1.x86_64.rpm
>>>>>>
>>>>>> Still no dice in Web2py
>>>>>>
>>>>>>
>>>>>> On Tuesday, October 6, 2015 at 5:09:18 PM UTC-7, Michael M wrote:
>>>>>>>
>>>>>>> I was testing in non-prod (RHEL) to see if it was built in.  it
>>>>>>> wasnt.  on my Fedora 22 at my desk I installed cx_Oracle because it works
>>>>>>> when i am in CLI python and I can call it no errors.  I have yet to dabble
>>>>>>> in virtualenv.
>>>>>>>
>>>>>>> I have systemctl restart httpd after every change.  even reboots to
>>>>>>> make sure.
>>>>>>>
>>>>>>> On Tuesday, October 6, 2015 at 5:02:12 PM UTC-7, Leonel Câmara wrote:
>>>>>>>>
>>>>>>>> Is it possible web2py is running in a virtualenv where you have not
>>>>>>>> installed cx_Oracle?
>>>>>>>>
>>>>>>>> Also don't forget to restart Apache.
>>>>>>>>
>>>>>>>



[web2py] Re: Multiple select options not displayed

2015-10-08 Thread Niphlod
and what do you see instead ? :D

On Thursday, October 8, 2015 at 3:27:42 AM UTC+2, DJ wrote:
>
> Hi,
>
> I'm wondering if there's a problem with my multi-select syntax. I'm not 
> able to see the drop down options when I try this on the latest web2py 
> (2.12.13). See code example below:
>
> def multi():
>     """ multi Module """
>
>     weekdays = ["Monday","Tuesday","Wednesday","Thursday","Friday","Saturday","Sunday"]
>
>     form = SQLFORM.factory(Field("days", type='list:string',
>         label="Weekday", requires=IS_IN_SET(weekdays, multiple=True),
>         widget=SQLFORM.widgets.multiple.widget))
>
>     return dict(form=form)
>
>
> - Sebastian
>
>



[web2py] Re: How to disable the calendar widget?

2015-10-08 Thread Niphlod
you need to override event_handlers(). Basically just copy the 
event_handlers function to your own with $.web2py.event_handlers, and 
rewrite the part that attaches the calendar to input.date, input.datetime 
and input.time .

There's an example on 
https://github.com/niphlod/cs_monitor_plugin/blob/master/static/plugin_cs_monitor/js/app.js 
(using https://github.com/Eonasdan/bootstrap-datetimepicker/)

On Thursday, October 8, 2015 at 1:57:55 AM UTC+2, Edward Shave wrote:
>
> I want to use a different datetimepicker widget so I need to disable 
> the old one. 
>
> So far I've commented out the following two lines in web2py_ajax.html...
>
> response.files.insert(1,URL('static','css/calendar.css'))
> response.files.insert(2,URL('static','js/calendar.js'))
>
> That did the trick but it breaks some code in web2py.js which silently 
> fails due to Calendar not defined!
> Before I go messing with any more files maybe someone knows a nice clean 
> way to disable the calendar widget?
>
> By the way, with just a few lines of code the new one seems to be working 
> fine in a SQLForm.
>
> I knew what needed to go in the code below but not really where to put it. 
> For example should the file links be in the header?
> And is the document.ready function needed?
> Anyway it works so hopefully it will do until I get more experienced.
>
> db.define_table('cal_form',
>     Field('date_in','date'))
>
> def datepicker():
>     form=SQLFORM(db.cal_form)
>     if form.process().accepted:
>         response.flash = 'form accepted'
>     elif form.errors:
>         response.flash = 'form has errors'
>     else:
>         response.flash = 'please fill out the form'
>     return dict(form=form)
>
> {{extend 'layout.html'}}
> {{block head}}
>  "/calendar/static/css/jquery.datetimepicker.css"/ >
>  script> 
> {{end}}
> 

Input form

> {{=form}} >