[Zope-Annce] Hotfix for cross-site scripting vulnerability

2007-03-20 Thread Martijn Pieters

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A vulnerability has been discovered in Zope, where by certain types of
misuse of HTTP GET, an attacker could gain elevated privileges. All
Zope versions up to and including 2.10.2 are affected.

Overview

  This hotfix removes the exploit by mandating that security setting
  alterations can only be made through POST requests. This vulnerability
  has been fixed in the Zope 2.8, 2.9 and 2.10 branches and all future
  releases of Zope will include this fix.

  Do note that this patch only affects direct requests to the security
  methods; any 3rd-party code that calls these methods indirectly may
  still be affected.

Hotfix

  We have prepared a hot fix for this problem at:

  http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/


  This hotfix should be installed as soon as possible.

  To install, simply extract the archive into your Products
  directory in your Zope installation.

  See: http://www.zope.org/Products/Zope/Hotfix-2007-03-20/Hotfix-20070320/README.txt
  for installation instructions.

- --
Martijn Pieters

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFF/54F3xaj2GOvgP0RAt2tAJ9YjecowrNAEx08+6GdxNP4sk4aagCfaODt
aeZE9vqYxwF3ICjrHVcAFNE=
=DnMj
-----END PGP SIGNATURE-----
___
Zope-Announce maillist  -  Zope-Announce@zope.org
http://mail.zope.org/mailman/listinfo/zope-announce

 Zope-Announce for Announcements only - no discussions

(Related lists - 
Users: http://mail.zope.org/mailman/listinfo/zope

Developers: http://mail.zope.org/mailman/listinfo/zope-dev )
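
The POST-only rule described in the announcement above, as an added example that is not part of the original post and is not Zope's own code. `Forbidden` and `FakeRequest` are stand-ins for the Zope classes, `third_party_view` is a hypothetical add-on, and the decorator is a simplified re-implementation that also shows the announcement's caveat about indirect calls:

```python
import functools
import inspect


class Forbidden(Exception):
    """Stand-in for zExceptions.Forbidden (assumption: Zope is not imported)."""


class FakeRequest(dict):
    """Constructed stand-in for the request object of a published call."""


def requestmethod(method):
    """Decorator factory: allow the decorated callable for one HTTP method only."""
    method = method.upper()

    def decorator(func):
        sig = inspect.signature(func)
        if "REQUEST" not in sig.parameters:
            # Fail when the decorator is applied, instead of silently
            # leaving a method unprotected.
            raise ValueError("No REQUEST parameter in callable signature")

        @functools.wraps(func)
        def wrapper(*args, **kw):
            # Bind the call so REQUEST is found whether it was passed
            # positionally or by keyword.
            request = sig.bind(*args, **kw).arguments.get("REQUEST")
            # Only a published request is checked. A call from other code
            # that passes no request object goes through unchanged.
            if isinstance(request, FakeRequest):
                # A request without REQUEST_METHOD is treated as GET, so a
                # missing value is refused rather than accepted.
                if request.get("REQUEST_METHOD", "GET").upper() != method:
                    raise Forbidden("Request must be %s" % method)
            return func(*args, **kw)

        return wrapper

    return decorator


postonly = requestmethod("POST")


class RoleManager:
    """Minimal object with one security-setting mutator."""

    def __init__(self):
        self.roles = {}

    @postonly
    def manage_role(self, role_to_manage, permissions=(), REQUEST=None):
        self.roles[role_to_manage] = list(permissions)
        return "changed"


def third_party_view(obj, REQUEST):
    """Hypothetical add-on method, published without its own method check.

    It calls the protected mutator but does not forward REQUEST, which is
    the indirect path the announcement says may still be affected.
    """
    return obj.manage_role("Anonymous", ["Manage users"])


def attempt(call):
    """Run call() and report whether the decorator refused it."""
    try:
        return call()
    except Forbidden:
        return "forbidden"


def demo():
    """Exercise direct and indirect calls with constructed requests."""
    get = FakeRequest(REQUEST_METHOD="GET")
    post = FakeRequest(REQUEST_METHOD="POST")
    bare = FakeRequest()  # constructed: no REQUEST_METHOD at all
    perms = ["Manage users"]
    rm = RoleManager()
    return {
        "direct_get": attempt(lambda: rm.manage_role("Anonymous", perms, get)),
        "direct_get_kw": attempt(
            lambda: rm.manage_role("Anonymous", perms, REQUEST=get)),
        "direct_no_method": attempt(
            lambda: rm.manage_role("Anonymous", perms, bare)),
        "direct_post": attempt(lambda: rm.manage_role("Anonymous", perms, post)),
        "indirect_get": attempt(lambda: third_party_view(rm, get)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The `indirect_get` result is the one to audit for in third-party products: any published method that reaches a protected mutator needs its own request-method check or must pass REQUEST through.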


[Zope-Checkins] SVN: Zope/trunk/ - Add a request method decorator to AccessControl, creating decorators that limit a method to one request method only.

2007-03-20 Thread Martijn Pieters
Log message for revision 73386:
  - Add a request method decorator to AccessControl, creating decorators that
    limit a method to one request method only.
  - Protect various security-setting-mutators with a POST-only decorator.

Changed:
  U   Zope/trunk/doc/CHANGES.txt
  U   Zope/trunk/lib/python/AccessControl/Owned.py
  U   Zope/trunk/lib/python/AccessControl/PermissionMapping.py
  U   Zope/trunk/lib/python/AccessControl/Role.py
  U   Zope/trunk/lib/python/AccessControl/User.py
  A   Zope/trunk/lib/python/AccessControl/requestmethod.py
  A   Zope/trunk/lib/python/AccessControl/requestmethod.txt
  A   Zope/trunk/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/trunk/lib/python/OFS/DTMLMethod.py
  U   Zope/trunk/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/trunk/doc/CHANGES.txt
===
--- Zope/trunk/doc/CHANGES.txt  2007-03-20 08:07:42 UTC (rev 73385)
+++ Zope/trunk/doc/CHANGES.txt  2007-03-20 08:50:24 UTC (rev 73386)
@@ -51,6 +51,12 @@
 
 Features added
 
+  - A new module, AccessControl.requestmethod, provides a decorator
+factory that limits decorated methods to one request method only.
+For example, marking a method with @requestmethod('POST') limits
+that method to POST requests only when published. Several
+security-related methods have been limited to POST only.
+
   - PythonScripts: allow usage of Python's 'sets' module
 
   - added 'fast_listen' directive to http-server and webdav-source-server
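Review bot: the entry is filed under "Features added" and never says that it closes a security hole, so an administrator scanning CHANGES.txt for fixes will miss it. Say that this is the fix shipped as Hotfix-20070320, name the methods now limited to POST instead of "Several security-related methods", and note that GET requests to them are refused from this release on.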

Modified: Zope/trunk/lib/python/AccessControl/Owned.py
===
--- Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:07:42 UTC 
(rev 73385)
+++ Zope/trunk/lib/python/AccessControl/Owned.py2007-03-20 08:50:24 UTC 
(rev 73386)
@@ -22,6 +22,7 @@
 from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import take_ownership
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import requestmethod
 from zope.interface import implements
 
 from interfaces import IOwned
@@ -177,6 +178,7 @@
 return security.checkPermission('Take ownership', self)
 
 security.declareProtected(take_ownership, 'manage_takeOwnership')
+@requestmethod('POST')
 def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
 Take ownership (responsibility) for an object.
 
@@ -197,6 +199,7 @@
 RESPONSE.redirect(REQUEST['HTTP_REFERER'])
 
 security.declareProtected(take_ownership, 'manage_changeOwnershipType')
+@requestmethod('POST')
 def manage_changeOwnershipType(self, explicit=1,
RESPONSE=None, REQUEST=None):
 Change the type (implicit or explicit) of ownership.
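Review bot: REQUEST is optional (REQUEST=None) on manage_changeOwnershipType, so a caller that invokes the method without passing a request leaves @requestmethod('POST') with nothing to test. The announcement already warns that code calling these methods indirectly may still be affected; put that limit in the docstring here and add a test that pins down what happens when REQUEST is omitted.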

Modified: Zope/trunk/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 
08:07:42 UTC (rev 73385)
+++ Zope/trunk/lib/python/AccessControl/PermissionMapping.py2007-03-20 
08:50:24 UTC (rev 73386)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import requestmethod
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 Return the permission mapping for the object
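Review bot: the added "# XXX: No security declarations?" raises an open question about RoleManager and leaves it unanswered inside a security fix. Resolve it in this change, either by adding declarations for manage_getPermissionMapping and manage_setPermissionMapping or by stating in the comment why none are needed, rather than shipping the question.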
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@requestmethod('POST')
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/trunk/lib/python/AccessControl/Role.py
===
--- Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:07:42 UTC (rev 
73385)
+++ Zope/trunk/lib/python/AccessControl/Role.py 2007-03-20 08:50:24 UTC (rev 
73386)
@@ -28,6 +28,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import requestmethod
 
 
 DEFAULTMAXLISTUSERS=250
@@ -129,6 +130,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_role')
+@requestmethod('POST')
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 Change the permissions given to the given role.
 
@@ -147,6 +149,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+@requestmethod('POST')
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 Change the permissions that acquire.
 
@@ -228,6 +231,7 @@
  

[Zope-Checkins] SVN: Zope/branches/2.10/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73388:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator
    factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/2.10/doc/CHANGES.txt
  U   Zope/branches/2.10/lib/python/AccessControl/Owned.py
  U   Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/2.10/lib/python/AccessControl/Role.py
  U   Zope/branches/2.10/lib/python/AccessControl/User.py
  A   Zope/branches/2.10/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/2.10/lib/python/AccessControl/requestmethod.txt
  A   Zope/branches/2.10/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/2.10/lib/python/OFS/DTMLMethod.py
  U   Zope/branches/2.10/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/2.10/doc/CHANGES.txt
===
--- Zope/branches/2.10/doc/CHANGES.txt  2007-03-20 08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/doc/CHANGES.txt  2007-03-20 09:02:28 UTC (rev 73388)
@@ -8,6 +8,10 @@
 
 Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2289: restored compatibility with PTProfiler
 
   - No longer opens a zodb connection every time a ProductDispatcher
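Review bot: the entry names a "postonly decorator" without saying which module provides it, and trunk rev 73386 spells the same guard @requestmethod('POST'). Add the import location (AccessControl.requestmethod) and mention that the name differs from trunk, so product authors protecting their own methods know what to import on each branch.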

Modified: Zope/branches/2.10/lib/python/AccessControl/Owned.py
===
--- Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 
08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/Owned.py2007-03-20 
09:02:28 UTC (rev 73388)
@@ -22,6 +22,7 @@
 from AccessControl.Permissions import view_management_screens
 from AccessControl.Permissions import take_ownership
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 from zope.interface import implements
 
 from interfaces import IOwned
@@ -177,6 +178,7 @@
 return security.checkPermission('Take ownership', self)
 
 security.declareProtected(take_ownership, 'manage_takeOwnership')
+@postonly
 def manage_takeOwnership(self, REQUEST, RESPONSE, recursive=0):
 Take ownership (responsibility) for an object.
 
@@ -197,6 +199,7 @@
 RESPONSE.redirect(REQUEST['HTTP_REFERER'])
 
 security.declareProtected(take_ownership, 'manage_changeOwnershipType')
+@postonly
 def manage_changeOwnershipType(self, explicit=1,
RESPONSE=None, REQUEST=None):
 Change the type (implicit or explicit) of ownership.

Modified: Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
2007-03-20 08:56:31 UTC (rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/PermissionMapping.py
2007-03-20 09:02:28 UTC (rev 73388)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 Return the permission mapping for the object
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/2.10/lib/python/AccessControl/Role.py
===
--- Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 08:56:31 UTC 
(rev 73387)
+++ Zope/branches/2.10/lib/python/AccessControl/Role.py 2007-03-20 09:02:28 UTC 
(rev 73388)
@@ -27,6 +27,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -128,6 +129,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_role')
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 Change the permissions given to the given role.
 
@@ -146,6 +148,7 @@
  help_product='OFSP')
 
 security.declareProtected(change_permissions, 'manage_acquiredPermissions')
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 Change the permissions that acquire.
 
@@ -167,6 +170,7 @@
help_product='OFSP')
 
 

[Zope-Checkins] SVN: Zope/branches/2.9/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73389:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator
    factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/2.9/doc/CHANGES.txt
  U   Zope/branches/2.9/lib/python/AccessControl/Owned.py
  U   Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/2.9/lib/python/AccessControl/Role.py
  U   Zope/branches/2.9/lib/python/AccessControl/User.py
  A   Zope/branches/2.9/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/2.9/lib/python/AccessControl/requestmethod.txt
  A   Zope/branches/2.9/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/2.9/lib/python/OFS/DTMLMethod.py
  U   Zope/branches/2.9/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/2.9/doc/CHANGES.txt
===
--- Zope/branches/2.9/doc/CHANGES.txt   2007-03-20 09:02:28 UTC (rev 73388)
+++ Zope/branches/2.9/doc/CHANGES.txt   2007-03-20 09:03:57 UTC (rev 73389)
@@ -8,6 +8,10 @@
 
Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2288: @ and + should not be quoted when forming
 request URLs in BaseRequest and HTTPRequest
 

Modified: Zope/branches/2.9/lib/python/AccessControl/Owned.py
===
--- Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:02:28 UTC 
(rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/Owned.py 2007-03-20 09:03:57 UTC 
(rev 73389)
@@ -18,6 +18,7 @@
 import Globals, urlparse, SpecialUsers, ExtensionClass
 from AccessControl import getSecurityManager, Unauthorized
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 from zope.interface import implements
 
 from interfaces import IOwned
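Review bot: this import is the only change to Owned.py on the 2.9 branch, so postonly is unused in this file. Rev 73388 decorates manage_takeOwnership and manage_changeOwnershipType in the 2.10 copy; apply @postonly to the same methods here, or, if leaving them open on 2.9 is deliberate, drop the import and say why in the log message.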

Modified: Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:02:28 UTC (rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:03:57 UTC (rev 73389)
@@ -28,11 +28,14 @@
 from interfaces import IPermissionMappingSupport
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
 implements(IPermissionMappingSupport)
+
+# XXX: No security declarations?
 
 def manage_getPermissionMapping(self):
 Return the permission mapping for the object
@@ -58,6 +61,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/2.9/lib/python/AccessControl/Role.py
===
--- Zope/branches/2.9/lib/python/AccessControl/Role.py  2007-03-20 09:02:28 UTC 
(rev 73388)
+++ Zope/branches/2.9/lib/python/AccessControl/Role.py  2007-03-20 09:03:57 UTC 
(rev 73389)
@@ -24,6 +24,7 @@
 
 from interfaces import IRoleManager
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -135,6 +136,7 @@
  help_topic='Security_Manage-Role.stx',
  help_product='OFSP')
 
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 Change the permissions given to the given role.
 
@@ -151,6 +153,7 @@
  help_topic='Security_Manage-Acquisition.stx',
  help_product='OFSP')
 
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 Change the permissions that acquire.
 
@@ -170,6 +173,7 @@
help_topic='Security_Manage-Permission.stx',
help_product='OFSP')
 
+@postonly
 def manage_permission(self, permission_to_manage,
   roles=[], acquire=0, REQUEST=None):
 Change the settings for the given permission.
@@ -206,6 +210,7 @@
 else:
 return apply(self._normal_manage_access,(), kw)
 
+@postonly
 def manage_changePermissions(self, REQUEST):
 Change all permissions settings, called by management screen.
 
@@ -353,6 +358,7 @@
 dict=self.__ac_local_roles__ or {}
 return tuple(dict.get(userid, []))
 
+@postonly
 def manage_addLocalRoles(self, userid, roles, REQUEST=None):
 Set local 

[Zope-Checkins] SVN: Zope/branches/Zope-2_8-branch/ - Backport a postonly decorator from Zope trunk's requestmethod decorator factory.

2007-03-20 Thread Martijn Pieters
Log message for revision 73390:
  - Backport a postonly decorator from Zope trunk's requestmethod decorator
    factory.
  - Protect various security-setting-mutators with this decorator.

Changed:
  U   Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py
  U   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/User.py
  A   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.py
  A   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/requestmethod.txt
  A   Zope/branches/Zope-2_8-branch/lib/python/AccessControl/tests/test_requestmethod.py
  U   Zope/branches/Zope-2_8-branch/lib/python/OFS/DTMLMethod.py
  U   Zope/branches/Zope-2_8-branch/lib/python/Products/PythonScripts/PythonScript.py

-=-
Modified: Zope/branches/Zope-2_8-branch/doc/CHANGES.txt
===
--- Zope/branches/Zope-2_8-branch/doc/CHANGES.txt   2007-03-20 09:03:57 UTC 
(rev 73389)
+++ Zope/branches/Zope-2_8-branch/doc/CHANGES.txt   2007-03-20 09:05:56 UTC 
(rev 73390)
@@ -8,6 +8,10 @@
 
 Bugs fixed
 
+  - Protected various security mutators with a new postonly decorator.
+The decorator limits method publishing to POST requests only, and
+is a backport from Zope 2.11's requestmethod decorator factory.
+
   - Collector #2263: 'field2ulines' did not convert empty string
 correctly.
 

Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Owned.py 
2007-03-20 09:05:56 UTC (rev 73390)
@@ -18,6 +18,7 @@
 import Globals, urlparse, SpecialUsers, ExtensionClass
 from AccessControl import getSecurityManager, Unauthorized
 from Acquisition import aq_get, aq_parent, aq_base
+from requestmethod import postonly
 
 
 UnownableOwner=[]
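Review bot: as on 2.9, postonly is imported here but no method in Owned.py is decorated in this diff. Apply it to the ownership mutators or remove the import.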

Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/PermissionMapping.py 
2007-03-20 09:05:56 UTC (rev 73390)
@@ -26,10 +26,13 @@
 
 from Owned import UnownableOwner
 from Permission import pname
+from requestmethod import postonly
 
 
 class RoleManager:
 
+# XXX: No security declarations?
+
 def manage_getPermissionMapping(self):
 Return the permission mapping for the object
 
@@ -54,6 +57,7 @@
 a({'permission_name': ac_perms[0], 'class_permission': p})
 return r
 
+@postonly
 def manage_setPermissionMapping(self,
 permission_names=[],
 class_permissions=[], REQUEST=None):

Modified: Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py
===
--- Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py  
2007-03-20 09:03:57 UTC (rev 73389)
+++ Zope/branches/Zope-2_8-branch/lib/python/AccessControl/Role.py  
2007-03-20 09:05:56 UTC (rev 73390)
@@ -22,6 +22,7 @@
 from App.Common import aq_base
 
 from Permission import Permission
+from requestmethod import postonly
 
 
 DEFAULTMAXLISTUSERS=250
@@ -131,6 +132,7 @@
  help_topic='Security_Manage-Role.stx',
  help_product='OFSP')
 
+@postonly
 def manage_role(self, role_to_manage, permissions=[], REQUEST=None):
 Change the permissions given to the given role.
 
@@ -147,6 +149,7 @@
  help_topic='Security_Manage-Acquisition.stx',
  help_product='OFSP')
 
+@postonly
 def manage_acquiredPermissions(self, permissions=[], REQUEST=None):
 Change the permissions that acquire.
 
@@ -166,6 +169,7 @@
help_topic='Security_Manage-Permission.stx',
help_product='OFSP')
 
+@postonly
 def manage_permission(self, permission_to_manage,
   roles=[], acquire=0, REQUEST=None):
 Change the settings for the given permission.
@@ -202,6 +206,7 @@
 else:
 return apply(self._normal_manage_access,(), kw)
 
+@postonly
 def manage_changePermissions(self, REQUEST):
 Change all permissions settings, called by management screen.
 
@@ -349,6 +354,7 @@
 dict=self.__ac_local_roles__ or {}
 return 

[Zope-Checkins] SVN: Zope/hotfixes/ Import POST-only hotfix

2007-03-20 Thread Martijn Pieters
Log message for revision 73391:
  Import POST-only hotfix

Changed:
  A   Zope/hotfixes/README.txt
  A   Zope/hotfixes/__init__.py
  A   Zope/hotfixes/tests/
  A   Zope/hotfixes/tests/__init__.py
  A   Zope/hotfixes/tests/test_hotfix.py
  A   Zope/hotfixes/version.txt

-=-
Added: Zope/hotfixes/README.txt
===
--- Zope/hotfixes/README.txt2007-03-20 09:05:56 UTC (rev 73390)
+++ Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391)
@@ -0,0 +1,62 @@
+Hotfix-20070320 README
+
+This hotfix corrects a cross-site scripting vulnerability in Zope2,
+where an attacker can use a hidden GET request to leverage a 
+authenticated user's credentials to alter security settings and/or
+user accounts.
+
+Note that this fix only protects against GET requests, any site that
+allows endusers to create auto-submitting forms (through javascript)
+will remain vulnerable.
+
+The hotfix may be removed after upgrading to a version of Zope2 more
+recent than this hotfix.
+
+  Affected Versions
+
+- Zope 2.8.0 - 2.8.8
+
+- Zope 2.9.0 - 2.9.6
+
+- Zope 2.10.0 - 2.10.2
+
+- Earlier versions of Zope 2 are affected as well, but no new
+  releases for older major Zope releases (Zope 2.7 and earlier) will
+  be made. This Hotfix may work for older versions, but this has not
+  been tested.
+
+  Installing the Hotfix
+
+This hotfix is installed as a standard Zope2 product.  The following
+examples assume that your Zope instance is located at
+'/var/zope/instance':  please adjust according to your actual
+instance path.  Also note that hotfix products are *not* intended
+for installation into the software home of your Zope.
+
+  1. Unpack the tarball / zipfile for the Hotfix into a temporary
+ location::
+
+  $ cd /tmp
+  $ tar xzf ~/Hotfix_20070320.tar.gz
+
+  2. Copy or move the product directory from the unpacked directory
+ to the 'Products' directory of your Zope instance::
+
+  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
+
+  3. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
+
+  Uninstalling the Hotfix
+
+After upgrading Zope to one of the fixed versions, you should remove
+this hotfix product from your Zope instance.
+
+  1. Remove the product directory from your instance 'Products'::
+
+  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
+
+  2. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
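Review bot: the README calls this a cross-site scripting vulnerability, but what its first paragraph describes, a hidden GET request that rides on an authenticated user's credentials, is cross-site request forgery. Name it that way so administrators assess the right class of problem, and move the caveat about auto-submitting forms up next to it, since it limits what the hotfix covers.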

Added: Zope/hotfixes/__init__.py
===
--- Zope/hotfixes/__init__.py   2007-03-20 09:05:56 UTC (rev 73390)
+++ Zope/hotfixes/__init__.py   2007-03-20 09:09:02 UTC (rev 73391)
@@ -0,0 +1,122 @@
+#
+#
+# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED AS IS AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##
+
+Hotfix_20070319
+
+Protect security methods against GET requests.
+
+
+
+import inspect
+from zExceptions import Forbidden
+from ZPublisher.HTTPRequest import HTTPRequest
+
+def _buildFacade(spec, docstring):
+Build a facade function, matching the decorated method in signature.
+
+Note that defaults are replaced by None, and _curried will reconstruct
+these to preserve mutable defaults.
+
+
+args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
+callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
+return 'def _facade%s:\n%s\nreturn _curried%s' % (
+args, docstring, callargs)
+
+def postonly(callable):
+Only allow callable when request method is POST.
+spec = inspect.getargspec(callable)
+args, defaults = spec[0], spec[3]
+try:
+r_index = args.index('REQUEST')
+except ValueError:
+raise ValueError('No REQUEST parameter in callable signature')
+
+arglen = len(args)
+if defaults is not None:
+defaults = zip(args[arglen - len(defaults):], defaults)
+arglen -= len(defaults)
+
+def _curried(*args, **kw):
+request = None
+if len(args)  r_index:
+request = args[r_index]
+
+if isinstance(request, HTTPRequest):
+if request.get('REQUEST_METHOD', 'GET').upper() != 'POST':
+raise Forbidden('Request must be POST')
+
+# Reconstruct
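Review bot: in the visible part of _curried the request is picked up by position only (args[r_index]), and the Forbidden check runs only when that value is an HTTPRequest. Make sure a REQUEST passed as a keyword argument is checked as well, and cover positional, keyword and missing REQUEST in tests/test_hotfix.py.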

[Zope-Checkins] SVN: Zope/hotfixes/ Undo botched import

2007-03-20 Thread Martijn Pieters
Log message for revision 73392:
  Undo botched import

Changed:
  D   Zope/hotfixes/README.txt
  D   Zope/hotfixes/__init__.py
  D   Zope/hotfixes/tests/
  D   Zope/hotfixes/version.txt

-=-
Deleted: Zope/hotfixes/README.txt
===
--- Zope/hotfixes/README.txt2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/README.txt2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,62 +0,0 @@
-Hotfix-20070320 README
-
-This hotfix corrects a cross-site scripting vulnerability in Zope2,
-where an attacker can use a hidden GET request to leverage a 
-authenticated user's credentials to alter security settings and/or
-user accounts.
-
-Note that this fix only protects against GET requests, any site that
-allows endusers to create auto-submitting forms (through javascript)
-will remain vulnerable.
-
-The hotfix may be removed after upgrading to a version of Zope2 more
-recent than this hotfix.
-
-  Affected Versions
-
-- Zope 2.8.0 - 2.8.8
-
-- Zope 2.9.0 - 2.9.6
-
-- Zope 2.10.0 - 2.10.2
-
-- Earlier versions of Zope 2 are affected as well, but no new
-  releases for older major Zope releases (Zope 2.7 and earlier) will
-  be made. This Hotfix may work for older versions, but this has not
-  been tested.
-
-  Installing the Hotfix
-
-This hotfix is installed as a standard Zope2 product.  The following
-examples assume that your Zope instance is located at
-'/var/zope/instance':  please adjust according to your actual
-instance path.  Also note that hotfix products are *not* intended
-for installation into the software home of your Zope.
-
-  1. Unpack the tarball / zipfile for the Hotfix into a temporary
- location::
-
-  $ cd /tmp
-  $ tar xzf ~/Hotfix_20070320.tar.gz
-
-  2. Copy or move the product directory from the unpacked directory
- to the 'Products' directory of your Zope instance::
-
-  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
-
-  3. Restart Zope::
-
-  $ /var/zope/instance/bin/zopectl restart
-
-  Uninstalling the Hotfix
-
-After upgrading Zope to one of the fixed versions, you should remove
-this hotfix product from your Zope instance.
-
-  1. Remove the product directory from your instance 'Products'::
-
-  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
-
-  2. Restart Zope::
-
-  $ /var/zope/instance/bin/zopectl restart

Deleted: Zope/hotfixes/__init__.py
===
--- Zope/hotfixes/__init__.py   2007-03-20 09:09:02 UTC (rev 73391)
+++ Zope/hotfixes/__init__.py   2007-03-20 09:10:28 UTC (rev 73392)
@@ -1,122 +0,0 @@
-#
-#
-# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
-#
-# This software is subject to the provisions of the Zope Public License,
-# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
-# THIS SOFTWARE IS PROVIDED AS IS AND ANY AND ALL EXPRESS OR IMPLIED
-# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
-# FOR A PARTICULAR PURPOSE
-#
-##
-
-Hotfix_20070319
-
-Protect security methods against GET requests.
-
-
-
-import inspect
-from zExceptions import Forbidden
-from ZPublisher.HTTPRequest import HTTPRequest
-
-def _buildFacade(spec, docstring):
-Build a facade function, matching the decorated method in signature.
-
-Note that defaults are replaced by None, and _curried will reconstruct
-these to preserve mutable defaults.
-
-
-args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
-callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
-return 'def _facade%s:\n%s\nreturn _curried%s' % (
-args, docstring, callargs)
-
-def postonly(callable):
-Only allow callable when request method is POST.
-spec = inspect.getargspec(callable)
-args, defaults = spec[0], spec[3]
-try:
-r_index = args.index('REQUEST')
-except ValueError:
-raise ValueError('No REQUEST parameter in callable signature')
-
-arglen = len(args)
-if defaults is not None:
-defaults = zip(args[arglen - len(defaults):], defaults)
-arglen -= len(defaults)
-
-def _curried(*args, **kw):
-request = None
-if len(args)  r_index:
-request = args[r_index]
-
-if isinstance(request, HTTPRequest):
-if request.get('REQUEST_METHOD', 'GET').upper() != 'POST':
-raise Forbidden('Request must be POST')
-
-# Reconstruct keyword arguments
-if defaults is not None:
-args, kwparams

[Zope-Checkins] SVN: Zope/hotfixes/Hotfix_20070320/ Undo botched import

2007-03-20 Thread Martijn Pieters
Log message for revision 73393:
  Undo botched import

Changed:
  A   Zope/hotfixes/Hotfix_20070320/
  A   Zope/hotfixes/Hotfix_20070320/README.txt
  A   Zope/hotfixes/Hotfix_20070320/__init__.py
  A   Zope/hotfixes/Hotfix_20070320/tests/
  A   Zope/hotfixes/Hotfix_20070320/tests/__init__.py
  A   Zope/hotfixes/Hotfix_20070320/tests/test_hotfix.py
  A   Zope/hotfixes/Hotfix_20070320/version.txt

-=-
Added: Zope/hotfixes/Hotfix_20070320/README.txt
===
--- Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:10:28 UTC (rev 
73392)
+++ Zope/hotfixes/Hotfix_20070320/README.txt2007-03-20 09:11:46 UTC (rev 
73393)
@@ -0,0 +1,62 @@
+Hotfix-20070320 README
+
+This hotfix corrects a cross-site scripting vulnerability in Zope2,
+where an attacker can use a hidden GET request to leverage a 
+authenticated user's credentials to alter security settings and/or
+user accounts.
+
+Note that this fix only protects against GET requests, any site that
+allows endusers to create auto-submitting forms (through javascript)
+will remain vulnerable.
+
+The hotfix may be removed after upgrading to a version of Zope2 more
+recent than this hotfix.
+
+  Affected Versions
+
+- Zope 2.8.0 - 2.8.8
+
+- Zope 2.9.0 - 2.9.6
+
+- Zope 2.10.0 - 2.10.2
+
+- Earlier versions of Zope 2 are affected as well, but no new
+  releases for older major Zope releases (Zope 2.7 and earlier) will
+  be made. This Hotfix may work for older versions, but this has not
+  been tested.
+
+  Installing the Hotfix
+
+This hotfix is installed as a standard Zope2 product.  The following
+examples assume that your Zope instance is located at
+'/var/zope/instance':  please adjust according to your actual
+instance path.  Also note that hotfix products are *not* intended
+for installation into the software home of your Zope.
+
+  1. Unpack the tarball / zipfile for the Hotfix into a temporary
+ location::
+
+  $ cd /tmp
+  $ tar xzf ~/Hotfix_20070320.tar.gz
+
+  2. Copy or move the product directory from the unpacked directory
+ to the 'Products' directory of your Zope instance::
+
+  $ cp -a /tmp/Hotfix_20070320/ /var/zope/instance/Products/
+
+  3. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
+
+  Uninstalling the Hotfix
+
+After upgrading Zope to one of the fixed versions, you should remove
+this hotfix product from your Zope instance.
+
+  1. Remove the product directory from your instance 'Products'::
+
+  $ rm -rf /var/zope/instance/Products/Hotfix_20070320/
+
+  2. Restart Zope::
+
+  $ /var/zope/instance/bin/zopectl restart
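Review bot: step 1 unpacks into /tmp and step 2 copies /tmp/Hotfix_20070320/ into Products; on a host with other local users, that fixed path in a world-writable directory can be created in advance by someone else. Unpack into a private directory (for example one created with mktemp -d) or directly into the instance's Products directory, and add a final step telling the administrator how to confirm that the hotfix product was loaded after the restart.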

Added: Zope/hotfixes/Hotfix_20070320/__init__.py
===
--- Zope/hotfixes/Hotfix_20070320/__init__.py   2007-03-20 09:10:28 UTC (rev 
73392)
+++ Zope/hotfixes/Hotfix_20070320/__init__.py   2007-03-20 09:11:46 UTC (rev 
73393)
@@ -0,0 +1,122 @@
+#
+#
+# Copyright (c) 2007 Zope Corporation and Contributors. All Rights Reserved.
+#
+# This software is subject to the provisions of the Zope Public License,
+# Version 2.1 (ZPL).  A copy of the ZPL should accompany this distribution.
+# THIS SOFTWARE IS PROVIDED AS IS AND ANY AND ALL EXPRESS OR IMPLIED
+# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
+# FOR A PARTICULAR PURPOSE
+#
+##
+
+Hotfix_20070319
+
+Protect security methods against GET requests.
+
+
+
+import inspect
+from zExceptions import Forbidden
+from ZPublisher.HTTPRequest import HTTPRequest
+
+def _buildFacade(spec, docstring):
+Build a facade function, matching the decorated method in signature.
+
+Note that defaults are replaced by None, and _curried will reconstruct
+these to preserve mutable defaults.
+
+
+args = inspect.formatargspec(formatvalue=lambda v: '=None', *spec)
+callargs = inspect.formatargspec(formatvalue=lambda v: '', *spec)
+return 'def _facade%s:\n%s\nreturn _curried%s' % (
+args, docstring, callargs)
+
+def postonly(callable):
+Only allow callable when request method is POST.
+spec = inspect.getargspec(callable)
+args, defaults = spec[0], spec[3]
+try:
+r_index = args.index('REQUEST')
+except ValueError:
+raise ValueError('No REQUEST parameter in callable signature')
+
+arglen = len(args)
+if defaults is not None:
+defaults = zip(args[arglen - len(defaults):], defaults)
+arglen -= len(defaults)
+
+def _curried(*args, **kw):
+request = None
+if len(args)  r_index:
+request
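
Review bot: the module docstring line '+Hotfix_20070319' does not match the product name; the file is added as Hotfix_20070320/__init__.py and the README refers to Hotfix_20070320 throughout, so the docstring should use the same name to keep the installed product traceable to the advisory. Separately, 'def postonly(callable)' shadows the builtin callable(); a parameter name such as 'func' avoids that.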

[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add backward compatible postonly decorator

2007-03-20 Thread Martijn Pieters
Log message for revision 73395:
  Add backward compatible postonly decorator

Changed:
  U   Zope/trunk/lib/python/AccessControl/requestmethod.py

-=-
Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py
===
--- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:34:33 UTC (rev 73394)
+++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:54:37 UTC (rev 73395)
@@ -72,4 +72,6 @@
 
 return _methodtest
 
-__all__ = ('requestmethod',)
+postonly = requestmethod('POST')
+
+__all__ = ('requestmethod', 'postonly')
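
Review bot: 'postonly' is added to __all__ as public API, but this revision changes only requestmethod.py, so the alias ships without a test of its own. Suggest adding a test in the same change that a postonly-decorated method refuses a non-POST request.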

___
Zope-Checkins maillist  -  Zope-Checkins@zope.org
http://mail.zope.org/mailman/listinfo/zope-checkins


[Zope-Checkins] SVN: Zope/trunk/lib/python/AccessControl/requestmethod.py Add comment about postonly status

2007-03-20 Thread Martijn Pieters
Log message for revision 73396:
  Add comment about postonly status

Changed:
  U   Zope/trunk/lib/python/AccessControl/requestmethod.py

-=-
Modified: Zope/trunk/lib/python/AccessControl/requestmethod.py
===
--- Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:54:37 UTC (rev 73395)
+++ Zope/trunk/lib/python/AccessControl/requestmethod.py2007-03-20 
09:55:32 UTC (rev 73396)
@@ -72,6 +72,7 @@
 
 return _methodtest
 
+# For Zope versions 2.8 - 2.10
 postonly = requestmethod('POST')
 
 __all__ = ('requestmethod', 'postonly')
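
Review bot: the new comment '# For Zope versions 2.8 - 2.10' does not say what about those versions it refers to. A reader of trunk cannot tell whether the alias is kept for code written against the 2.8 to 2.10 branches or is only meant to be used there; suggest spelling that out, for example '# Backward compatible alias for code written for Zope 2.8 - 2.10', in line with the log message of revision 73395.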



[Zope-dev] Zope Tests: 5 OK

2007-03-20 Thread Zope Tests Summarizer
Summary of messages to the zope-tests list.
Period Mon Mar 19 12:00:00 2007 UTC to Tue Mar 20 12:00:00 2007 UTC.
There were 5 messages: 5 from Zope Unit Tests.


Tests passed OK
---

Subject: OK : Zope-2.7 Python-2.3.6 : Linux
From: Zope Unit Tests
Date: Mon Mar 19 21:52:50 EDT 2007
URL: http://mail.zope.org/pipermail/zope-tests/2007-March/007468.html

Subject: OK : Zope-2.8 Python-2.3.6 : Linux
From: Zope Unit Tests
Date: Mon Mar 19 21:54:21 EDT 2007
URL: http://mail.zope.org/pipermail/zope-tests/2007-March/007469.html

Subject: OK : Zope-2.9 Python-2.4.4 : Linux
From: Zope Unit Tests
Date: Mon Mar 19 21:55:51 EDT 2007
URL: http://mail.zope.org/pipermail/zope-tests/2007-March/007470.html

Subject: OK : Zope-2.10 Python-2.4.4 : Linux
From: Zope Unit Tests
Date: Mon Mar 19 21:57:21 EDT 2007
URL: http://mail.zope.org/pipermail/zope-tests/2007-March/007471.html

Subject: OK : Zope-trunk Python-2.4.4 : Linux
From: Zope Unit Tests
Date: Mon Mar 19 21:58:51 EDT 2007
URL: http://mail.zope.org/pipermail/zope-tests/2007-March/007472.html

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


[Zope-PAS] Properties Plugin

2007-03-20 Thread Christian Klinger

Hello,

I am trying to add properties to all of my PAS users.
The properties should be the address information
of my users, which I get via a WebService.

Now I have developed a very simple example of an
IPropertiesPlugin:


security.declarePrivate('getPropertiesForUser')
def getPropertiesForUser(self, user, request=None):
    """ Fulfill PropertiesPlugin requirements """
    ### Cache Implementation
    view_name = createViewName('retrievePropsData', user)
    keywords = {'key' : user}
    properties = self.ZCacheable_get( view_name = view_name,
                                      keywords = keywords,
                                      default = None )
    if properties is None:
        properties = {}
        properties['addr'] = SampleData
        tt=self.ZCacheable_set( properties ,
                                view_name=view_name,
                                keywords=keywords )
    return properties

Now I have some questions about it:

Should I use (and why) the UserPropertySheet instead of a simple dict?
Is the cache implementation ok?
Does anyone have a simple example for this task?


thx Christian

___
Zope-PAS mailing list
Zope-PAS@zope.org
http://mail.zope.org/mailman/listinfo/zope-pas


[Zope] catalog aware not working.. help

2007-03-20 Thread Allen Huang
I made a Python product with catalogaware as one of my base classes but my
zcatalog named 'catalog' doesn't automatically catalog when I add a product
item. What could be a problem?

Please help

This is part of my code that includes catalogawareness:

class ShpTypePointClass(Item, Persistent, Implicit, CatalogAware):
    #print ShpTypePointClass
    id='ShpTypePoint'
    meta_type='ShpTypePoint'
    manage_options = (
        { 'label':'Properties','action':'manage_editShpTypePoint' },
        ) + Item.manage_options

    #_properties=(
    #{ 'id':'title', 'type':'string', 'mode':'w'},
    #{ 'id':'x', 'type':'string', 'mode':'w'},
    #{ 'id':'y', 'type':'string', 'mode':'w'}
    #)

    def __init__(self, id, x, y, dbfInfo):
        #print 'initializing'
        self.id = id
        self.x = x
        self.y = y
        self.dbfInfo = dbfInfo
        self.reindex_object()
    def printPoint(self):
        #print print Point
        return "<br> printPoint Method <br> ID:" + self.id + " -- ( " + self.x + ", " + self.y + " )"
    def edit(self, x, y, REQUEST=None):
        """Edit the Point"""
        #print edit
        self.x = x
        self.y = y
        self.reindex_object()
        if REQUEST is not None:
            return self.manage_editShpTypePoint(self, REQUEST)
    ##Web Methods
    index_html = HTMLFile('DTML/index_html', globals())
    manage_editShpTypePoint = HTMLFile('DTML/manage_editShpTypePoint',
                                       globals())
InitializeClass(ShpTypePointClass)


 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


[Zope] Re: catalog aware not working.. help

2007-03-20 Thread Josef Meile

Hi Allen

> I made a Python product with catalogaware as one of my base classes but my
> zcatalog named 'catalog' doesn't automatically catalog when I add a
> product item. What could be a problem?

Perhaps setting the catalog in your object instance may help:

self.manage_editCataloger(catalogPath)

You may also try to change the way you are sub classing. In my case, I 
put CatalogAware as the first sub class (left-most).


Regards
Josef


[Zope] Addressbook Product

2007-03-20 Thread Frank Drews

Hi,

I have really searched for a nice addressbook product for a couple two
days now. I don't find anything suitable. I need it for a collaboration
platform running on Zope, CMF. I like Zope very much and am looking for
a shared addressbook.

Anybody any experiences or suggestions?
What would be really great, but no must-have feature for me, would be an
integration of the user data and some permission features to set (who
can view/write which addresses).


Imho a shared addressbook (both for userdata and external contacts) is
the most important missing feature to make Zope a very powerful
groupware portal (forums, mails, calendar, documents, workflow, wiki,
chat ... all already very nice).


Thank you very much Frank




[EMAIL PROTECTED] wrote:



Today's Topics:

   1. Re: Cannot Import Base has_attr...Again! (Jens Vagelpohl)
   2. Re: How do people work with html-designers? (Laurence Rowe)
   3. losing random session data (Norbert Marrale)
   4. Re: losing random session data (Andreas Jung)
   5. Re: losing random session data (Maciej Wisniowski)
   6. Re: losing random session data (Tres Seaver)
   7. What is the best way to debug a Zope 2.62 application.
  (Mark, Jonathan (Integic))
   8. Re: What is the best way to debug a Zope 2.62 application.
  (robert rottermann)
   9. Re: What is the best way to debug a Zope 2.62 application.
  (Eric Bréhault)
  10. email validator script (javi lopez)
  11. Re: email validator script (Andreas Jung)
  12. file upload ([EMAIL PROTECTED])
  13. Re: file upload (Jonathan)
  14. Re: file upload ([EMAIL PROTECTED])
  15. Re: file upload (Jonathan)


--

Message: 1
Date: Sun, 18 Mar 2007 17:01:59 +0100
From: Jens Vagelpohl [EMAIL PROTECTED]
Subject: Re: [Zope] Cannot Import Base has_attr...Again!
To: zope user list zope@zope.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; delsp=yes; format=flowed


On 18 Mar 2007, at 16:45, [EMAIL PROTECTED] wrote:
>> --On 17 March 2007 15:16:31 -0400 [EMAIL PROTECTED] wrote:
>>
>>> I had this problem on another server I recently built...and it went away
>>> all by itself! I'm now rebuilding my home server, and it's cropped up
>>> again. Last time, Maciej Wisniowski suggested I go to a zopectl prompt
>>> and type in import Products.CMFPlone, but apparently that doesn't work
>>> on Zope 2.7.8/Plone 2.1.4. Here is the traceback. Please advise.
>>> TIA,
>>> Tony
>>
>> Consult the plone-users list for Plone-related questions.
>
> I did that last time and no one addressed the issue, so I came
> here. Would you care to address the issue?

The fact that no one helped on the Plone list does not invalidate
Andreas' assertion that this is a Plone issue and it belongs on the
Plone list.


jens




--

Message: 2
Date: Sun, 18 Mar 2007 19:29:34 +
From: Laurence Rowe [EMAIL PROTECTED]
Subject: [Zope] Re: How do people work with html-designers?
To: zope@zope.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Gaute Amundsen wrote:
> I have been meaning to ask this for a while..
>
> How do people set up the zope development process and servers to work well
> with web-designers who use wysiwyg editors like dreamweaver?

<snip/>

Take a look at deliverance http://openplans.org/projects/deliverance

The other option is to find someone with very good CSS skills who can 
design without adding changing the underlying html. In my experience 
that has been fairly rare though.


Laurence



--

Message: 3
Date: Sun, 18 Mar 2007 16:22:29 -0400
From: Norbert Marrale [EMAIL PROTECTED]
Subject: [Zope] losing random session data
To: zope@zope.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

In Zope 2.7.5-final, python 2.3.5, freebsd6 with Transient Object 
Container settings:

Data timeout: 20
Timeout resolution: 20
Maximum subobjects: 1000

and a python script that does this:

req = context.REQUEST
prev_order=(req.SESSION.get('order'))
if prev_order == None:
   order=[]
else:
   order = prev_order
order.append(req.form)
req.SESSION.set('order',order)

my data ends up 

Re: [Zope] catalog aware not working.. help

2007-03-20 Thread Jonathan


- Original Message - 
From: Allen Huang [EMAIL PROTECTED]

To: Zope zope@zope.org
Sent: Tuesday, March 20, 2007 3:09 AM
Subject: [Zope] catalog aware not working.. help


> I made a Python product with catalogaware as one of my base classes but my
> zcatalog named 'catalog' doesn't automatically catalog when I add a product
> item. What could be a problem?


I am not sure if this is your problem, but I have a vague recollection that 
the ZCatalog needs to be named 'Catalog' (initial capital).



Jonathan 




Re: [Zope] I keep getting validate error.. why?

2007-03-20 Thread Jonathan


- Original Message - 
From: Allen Huang [EMAIL PROTECTED]

Subject: [Zope] I keep getting validate error.. why?


> I keep getting this error, but the same code works on another Zope server
> and I didn't use any key or attribute named 'validate'. What is the cause
> of this?
>
> Time                 2007/03/20 17:38:03.726 GMT+8
> User Name (User Id)  admin (admin)
> Request URL          http://localhost/WEBGIS/test1
> Exception Type       KeyError
> Exception Value      'validate'
>
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 115, in publish
>   Module ZPublisher.mapply, line 88, in mapply
>   Module ZPublisher.Publish, line 41, in call_object
>   Module OFS.DTMLMethod, line 153, in __call__
>    DTMLMethod at /WEBGIS/test1
>    URL: http://localhost/WEBGIS/test1/manage_main
>    Physical Path:/WEBGIS/test1
> KeyError: 'validate'


Try googling for KeyError: 'validate'  (there are a couple of posts that 
deal with this error as it relates to ZCatalogs).  If your dtml method 
'test1' is not doing anything with ZCatalogs, then post the source.



Jonathan 




Re: [Zope] I keep getting validate error.. why?

2007-03-20 Thread Dieter Maurer
Allen Huang wrote at 2007-3-20 05:39 -0700:
> I keep getting this error, but the same code works on another Zope server and I
> didn't use any key or attribute named 'validate'. What is the cause of this?
>
> Time                 2007/03/20 17:38:03.726 GMT+8
> User Name (User Id)  admin (admin)
> Request URL          http://localhost/WEBGIS/test1
> Exception Type       KeyError
> Exception Value      'validate'
>
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 115, in publish
>   Module ZPublisher.mapply, line 88, in mapply
>   Module ZPublisher.Publish, line 41, in call_object
>   Module OFS.DTMLMethod, line 153, in __call__
>    DTMLMethod at /WEBGIS/test1
>    URL: http://localhost/WEBGIS/test1/manage_main
>    Physical Path:/WEBGIS/test1
> KeyError: 'validate'

I remember that I have seen a similar report and that
I helped someone to find a workaround for the problem (although
I did not understand how this problem could arise).

Please search the mailing list archive (via your favorite search engine)
to find the thread (and see whether you can use the same workaround).


-- 
Dieter


[Zope] Who's using Quanta+ / Kdevelop for ZPT?

2007-03-20 Thread Mihamina (R12y) Rakotomandimby
Hi,
I just wondered if there were some Quanta+/Kdevelop users in here.
I am looking for their way to handle ZPTs.
I know it's pretty close to XML, but any tip would interest me.
Thank you!



Re: [Zope] Addressbook Product

2007-03-20 Thread Mihamina (R12y) Rakotomandimby
On Tuesday 20 March 2007 11:39, Frank Drews wrote:
> Hi,
>
> I have really searched for a nice addressbook product for a couple two
> days now. I don't find anything suitable. I need it for a collaboration
> platform running on Zope, CMF. I like Zope very much and am looking for
> a shared addressbook.
> Anybody any experiences or suggestions?
> What would be really great, but no must-have feature for me, would be an
> integration of the user data and some permission features to set (who
> can view/write which addresses).
>
> Imho a shared addressbook (both for userdata and external contacts) is
> the most important missing feature to make Zope a very powerful
> groupware portal (forums, mails, calendar, documents, workflow, wiki,
> chat ... all already very nice).

What's wrong with this?
http://plone.org/products/myaddressbook

Anyway, while CPS was not turned to Java it had a nice basic addressbook.
I think you could also consider setting up an LDAP directory and then put any
LDAP backend to query it.



Re: [Zope] catalog aware not working.. help

2007-03-20 Thread Bakhtiar A Hamid

On 3/20/07, Allen Huang [EMAIL PROTECTED] wrote:


> I made a Python product with catalogaware as one of my base classes but my
> zcatalog named 'catalog' doesn't automatically catalog when I add a product
> item. What could be a problem?
>
> Please help
>
> This is part of my code that includes catalogawareness:
>
> class ShpTypePointClass(Item, Persistent, Implicit, CatalogAware):


iirc, CatalogAware has to be first, like so:
class ShpTypePointClass( CatalogAware, Item, Persistent, Implicit):

hth


>     #print ShpTypePointClass
>     id='ShpTypePoint'
>     meta_type='ShpTypePoint'
>     manage_options = (
>         { 'label':'Properties','action':'manage_editShpTypePoint' },
>         ) + Item.manage_options
>
>     #_properties=(
>     #{ 'id':'title', 'type':'string', 'mode':'w'},
>     #{ 'id':'x', 'type':'string', 'mode':'w'},
>     #{ 'id':'y', 'type':'string', 'mode':'w'}
>     #)
>
>     def __init__(self, id, x, y, dbfInfo):
>         #print 'initializing'
>         self.id = id
>         self.x = x
>         self.y = y
>         self.dbfInfo = dbfInfo
>         self.reindex_object()
>     def printPoint(self):
>         #print print Point
>         return "<br> printPoint Method <br> ID:" + self.id + " -- ( " + self.x + ", " + self.y + " )"
>     def edit(self, x, y, REQUEST=None):
>         """Edit the Point"""
>         #print edit
>         self.x = x
>         self.y = y
>         self.reindex_object()
>         if REQUEST is not None:
>             return self.manage_editShpTypePoint(self, REQUEST)
>     ##Web Methods
>     index_html = HTMLFile('DTML/index_html', globals())
>     manage_editShpTypePoint = HTMLFile('DTML/manage_editShpTypePoint',
>                                        globals())
> InitializeClass(ShpTypePointClass)


 





--
http://myzope.kedai.com.my - my-zope org
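
The three suggestions made in this thread (putting CatalogAware first in the base classes, the catalog's name, and calling manage_editCataloger) interact, and the following stand-alone model shows how. It is an added example, not code from the thread or from Zope: Catalog, Item, CatalogAware and Folder are simplified stand-ins, and the no-op add hook on Item and the 'Catalog' default name are assumptions about Zope 2 behaviour.

```python
"""Stand-in classes (constructed for this example, not Zope's own code) that
model how base-class order and the catalog name decide whether a newly added
object gets indexed."""


class Catalog:
    """Minimal stand-in for a ZCatalog: remembers which paths were indexed."""

    def __init__(self):
        self.paths = []

    def catalog_object(self, obj, path):
        if path not in self.paths:
            self.paths.append(path)


class Item:
    """Stand-in for the Item base class; assumed to ship a no-op add hook."""

    def manage_afterAdd(self, item, container):
        pass


class CatalogAware:
    """Stand-in for the CatalogAware mix-in."""

    default_catalog = 'Catalog'  # assumed default name (initial capital)

    def manage_editCataloger(self, default):
        # Point the object at a catalog by name, then index it.
        self.default_catalog = default
        self.index_object()

    def manage_afterAdd(self, item, container):
        # The add hook is what makes indexing "automatic".
        self.index_object()

    def index_object(self):
        # Zope would find the catalog through acquisition; here the container
        # recorded by Folder.add() plays that role. When no catalog of the
        # expected name is reachable, nothing happens and no error is raised.
        container = getattr(self, '_container', None)
        catalog = getattr(container, self.default_catalog, None)
        if catalog is not None:
            catalog.catalog_object(self, '/%s/%s' % (container.id, self.id))


class Folder:
    """Stand-in container holding one catalog under the given attribute name."""

    def __init__(self, id, catalog_name):
        self.id = id
        setattr(self, catalog_name, Catalog())

    def add(self, obj):
        obj._container = self
        obj.manage_afterAdd(obj, self)  # resolved through the class's MRO
        return obj


class PointItemFirst(Item, CatalogAware):
    """Base order from the question: Item's no-op hook shadows CatalogAware's."""

    def __init__(self, id):
        self.id = id
        self.index_object()  # no container yet, so this indexes nothing


class PointCatalogAwareFirst(CatalogAware, Item):
    """Base order suggested in the replies: CatalogAware's hook wins."""

    def __init__(self, id):
        self.id = id


def indexed_paths(cls, catalog_name, cataloger=None):
    """Add one object of cls to a folder and return what the catalog holds."""
    folder = Folder('folder', catalog_name)
    obj = folder.add(cls('p1'))
    if cataloger is not None:
        obj.manage_editCataloger(cataloger)
    return getattr(folder, catalog_name).paths
```

In this model the object is indexed on add only when CatalogAware comes first and the catalog is reachable under the name in default_catalog; calling manage_editCataloger with the catalog's actual name indexes it explicitly in either base order.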


Re: [Zope-DB] MySQL gone away

2007-03-20 Thread Andreas Jung



--On 20 March 2007 09:18:19 +0100 [EMAIL PROTECTED] wrote:

> Hello,
>
> I am getting errors in queries on a MySQL 5.027 database using zmysqlda
> 2.0.9b3 and mysql-python 1.2.1 with Zope 2.10.2.
>
> The errors occured the next day after setting the whole thing up and
> while at first it was working all right. The event log tells me that
> MySQL has 'gone away', it probably has lost its connection in the zmysql
> adapter. But why or how?


How shall we know why your database went down? :-)
Check for indications on the mysql server side  - means: check your mysql
server logs.

-aj

___
Zope-DB mailing list
Zope-DB@zope.org
http://mail.zope.org/mailman/listinfo/zope-db


RE: [Zope-DB] DCOracle2 with a Stored Procedure that Returns REFCURSOR / ORA TIMESTAMP DataType Issue

2007-03-20 Thread Maan M. Hamze
To give an update:
To run a stored procedure which returns a ref cursor, I tried:
c1 = db.cursor()
c2 = db.cursor()
sql = "storedProcedureName(:inparam1, :inparam2, etccc, :outparam)"
options = (inparam1, inparam2, et, c2)
c1.execute(sql, options)
As recommended below.
This did not work.

However, this worked:
c1 = db.cursor()
c2 = db.cursor()
c2 = c1.procedures.storedProcedureName(INparam1, INparam2, etc..)
Only the INparams are given as arguments.  c2 is returned as a cursor
OUTparam.
Then,
r = c2.fetchall(), or
r = c2.fetchone()
Etc.

This was causing a segmentation fault on a Sun Solaris box.
On Windows, I got an actual error message.  While fetching, the cursor
has a field of ora datatype TimeStamp.  This was crashing DCOracle2.  A
to_char solved the issue.
I am using DCOracle2 and Oracle 10 on Solaris (and Windows XP).
Did anyone run into issues of handling TimeStamp oracle data type with
DCOracle2?
Maan


-Original Message-
From: Maan M. Hamze [mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 17, 2007 5:32 PM
To: zope-db@zope.org
Subject: Re: [Zope-DB] DCOracle2 with a Stored Procedure that Returns
REFCURSOR

m.banaouas [EMAIL PROTECTED]:
> options = (2714,  + ' +  + ', + 36, 1, c2)
>
> it's wrong!
> you must give a sequence as second parameter of execute method.
>
> So you do like this:
> options = (2714, '',36, 1, c2)
> c1.execute(sql, options)
--
I tried it both ways.
With what you suggest:
import DCOracle2
db = DCOracle2.connect(connectionString)
c1 = db.cursor()
c2 = db.cursor()
options = (2714, '', 36, 1, c2)
sql = "storedProcedureName(:INparam1, :INparam2, :INparam3, :INparam4, :OUTparam)"
c1.execute(sql, options)

I am getting now:
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/opt/python/lib/python2.4/site-packages/DCOracle2/DCOracle2.py", line 987, in execute
    self._cursor.bindbypos(i, p)
ValueError: invalid data type bound

Printing options yields:
>>> print options
(5920, '', 36, 1, <DCOracle2.DCOracle2.cursor instance at 0x19eee0>)
Would this be causing the invalid data type bound error above?

Also, should not the following work:
c2 = c1.storedProcedureName(2714, '', 36, 1)  ??
Maan


Maan M. Hamze wrote:
> Hello -
> Thanks for your help.  I am still getting errors -
> You wrote:
> sql = "sp1(INparam1, :INparam2, :INparam3, :INparam4, :ref_cur)"
>
> Did you mean:
> sql = "sp1(:INparam1, :INparam2, :INparam3, :INparam4, :ref_cur)"
> (notice :INparam1 instead of INparam1)
>
> Assume sp1 is hrpofficial, INparam1 = 2714, INparam2 = '',
> INparam3 = 36, and INparam4 = 1
>
> db = DCOracle2.connection(connectionString)
> c1 = db.cursor()
> c2 = db.cursor()
> sql = "hrpofficial(:INparam1, :INparam2, :INparam3, :INparam4, :ref_cur)"
> options = (2714,  + ' +  + ', + 36, 1, c2)
> c1.execute(sql, options)
>
> I am getting an error:
> DatabaseError: (900, 'ORA-00900: invalid SQL statement')
>
> Any hints?
> Thanks again,
> Maan
>
> for row in C2:
>     ...
>
> Maan M. Hamze wrote:
> I am using DCOracle2 with Python 2.41, and Oracle 9.
> I have a stored procedure (sp1) that takes 4 IN parameters, with one OUT
> parameter.  The OUT parameter is a **ref_cursor** that holds a data set.
> I am doing the following:
> db = DCOracle2.connection(connectionString)
> C1 = db.cursor()
> C2 = db.cursor()
> #I run the following holding the result into the cursor C2
> #since the OUT param is a ref_cur
> C2 = C1.sp1(INparam1, INparam2,INparam3,INparam4, ref_cur)
>
> I expect to get a data set
> I know there is data when sp1 is run
> But I am getting an empty data set when I fetch data via C2 cursor.
> Do you have any idea how to make this work when a stored procedure has a
> ref_cur OUT parameter?
> Thanks,
> Maan
 
 


RE: [Zope-DB] DCOracle2 with a Stored Procedure that Returns REFCURSOR

2007-03-20 Thread Maan M. Hamze
You have a point Maciej - but I got used to DCOracle2 and so far it has
performed quite well.  I link it with Oracle lib32 libraries, but use it
with ora lib 64-bit libraries in the path.  So far, there have been no
issues I am aware of.  The only thing that came up recently is how to
use it with a stored procedure returning a ref cursor.  This has been
resolved, with a new issue on how to handle Ora TimeStamp data type
which is crashing DCOracle2 with a segmentation fault on Sun Solaris
(DCOracle2 exits fine with an actual error message on Windows XP).
By the way I am using now DCOracle2 with Oracle 10 using the archive you
sent me.
So far, I have not run into any problems.  However, I need to make a
summary of what needs to be done to keep the scripts in one set for
various platforms (Windows and Sun etc...) using C macros (DEFs),
instead of allowing them to diverge.
Maan

> So do you really have to use DCOracle2?
> I see that your code is plain python. You're not using
> Zope database adapter here(?) so maybe it is better to use something
> that is in active development like cx_Oracle or SQLRelay? You'll avoid
> some problems, eg. DCOracle2 is not 64 bit compatible.
>
> --
> Maciej Wisniowski




Re: [Zope-DB] DCOracle2 with a Stored Procedure that Returns REFCURSOR / ORA TIMESTAMP DataType Issue

2007-03-20 Thread Matthew T. Kromer
Chances are good that the C code that is trying to construct the  
timestamp doesn't know how to convert it...


A quick peek into the source code hints the code doesn't have a type  
converter for SQLT_TIMESTAMP, although there is a converter for  
SQLT_DAT (date).


Putting a converter into the C code shouldn't be all that tough, if  
you need to do it you can probably figure it out :)


Take a look at the function CONVERTOUTF(SQLT_DAT) -- although that  
might also be where the segfault comes from.  That function hops  
around on one leg a bit to try to get the C library mktime and gmtime  
system time conversion routines to do the heavy lifting.


On Mar 20, 2007, at 8:53 AM, Maan M. Hamze wrote:


> To give an update:
> To run a stored procedure which returns a ref cursor, I tried:
> c1 = db.cursor()
> c2 = db.cursor()
> sql = "storedProcedureName(:inparam1, :inparam2, etccc, :outparam)"
> options = (inparam1, inparam2, et, c2)
> c1.execute(sql, options)
> As recommended below.
> This did not work.
>
> However, this worked:
> c1 = db.cursor()
> c2 = db.cursor()
> c2 = c1.procedures.storedProcedureName(INparam1, INparam2, etc..)
> Only the INparams are given as arguments.  c2 is returned as a cursor
> OUTparam.
> Then,
> r = c2.fetchall(), or
> r = c2.fetchone()
> Etc.
>
> This was causing a segmentation fault on a Sun Solaris box.
> On Windows, I got an actual error message.  While fetching, the cursor
> has a field of ora datatype TimeStamp.  This was crashing DCOracle2.  A
> to_char solved the issue.
> I am using DCOracle2 and Oracle 10 on Solaris (and Windows XP).
> Did anyone run into issues of handling TimeStamp oracle data type with
> DCOracle2?
> Maan


Re: [Zope-DB] DCOracle2 with a Stored Procedure that Returns REFCURSOR / ORA TIMESTAMP DataType Issue

2007-03-20 Thread Maciej Wisniowski

> This was causing a segmentation fault on a Sun Solaris box.
> On Windows, I got an actual error message.  While fetching, the cursor
> has a field of ora datatype TimeStamp.  This was crashing DCOracle2.  A
> to_char solved the issue.
> I am using DCOracle2 and Oracle 10 on Solaris (and Windows XP).
> Did anyone run into issues of handling TimeStamp oracle data type with
> DCOracle2?

We had problems with segmentation faults on 64 bit systems.
We didn't realize what caused this (except that it was DCOracle2).
The problem appeared only under high load of our servers so it was hard
to debug. On 32 bit systems everything was ok. Is your problem with
TimeStamp related to the 64 bit platform or does it happen on 32 bit platforms too?

-- 
Maciej Wisniowski