date:20060208

Sorry but can't you post in one message? Also, Zope does do SSL but it's not as good as Apache. And some advice - keep personal insults out of it.On 2/8/06, 
Chris Withers <[EMAIL PROTECTED]> wrote:
michael nt milne wrote:> ok, I've gone into the security tab in the site root and set 'view' to> 'authenticated' whilst de-selecting aquire.Yay!> However, using the password that> gets me into the overall 8080/manage doesn't work.
Huh? Can you provide any less information, or maybe make it a bitvaguer? ;-)>  Also the front page still> comes up if you cancel the login box and the page displays without css.Then you still haven't sorted your permissions properly...
> This> shouldn't happen with view set to authenticated.Then _you're_ doing something wrong, 'cos it works just fine for therest of us...Chris--Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

Look I'm having genuine issues here and to be honest there's no need to become personally insulting. I've just set-up Plone on an Windows server with SSL Apache and multiple virtual hosts so don't take kindly to a few of these remarks. The last piece of my jigsaw is authenication which is becoming an issue. 
On 2/8/06, Chris Withers <[EMAIL PROTECTED]> wrote:
michael nt milne wrote:> I have major problems here trying to set-up authentication over a whole> Plone site using Zope. Using my superuser account I've navigated to the site> root page in the ZMI where it lists all the site pages and objects etc. I've
> then gone into security, scrolled down to the bottom and for the 'View'> option I have tried all combinations of 'Manager', 'Authenticated' and> 'Aquire'. It simply won't work.You're simply doing it wrong then ;-)
> I get a pop-up box but the superuser manager pass doesn't work.What does it say when you hit cancel? have you tried enabling verbosesecurity in zope.conf?> I find the Zope security, permissions set-up hideously complex and unusable
> to be honest and it doesn't even seem to work.Then for gods sake stop trying to use Zope and go find some toy systemyou do understand!> Very frustrated.So are we, quit bugging us until you've learned a bit more about how
things work, started with something simple, or just plain raised your IQa little ;-)Chris--Simplistix - Content Management, Zope & Python Consulting- 
http://www.simplistix.co.uk-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] Zope=ZEO connection


Dennis Allison wrote:
2006-02-06T14:07:20 INFO ZPublisher.Conflict ConflictError at 
: 
database conflict error (oid 0x086e, class BTrees._OOBTree.OOBTree, serial 
this txn started with 0x03633ca95f75e900 2006-02-06 22:01:22.373575, 
serial currently committed 0x03633caf59114244 2006-02-06 22:07:20.875176) 
(463 conflicts (0 unresolved) since startup at Mon Feb  6 08:21:26 2006)


Well, at least the new conflict error logging stuff works :-)


--
2006-02-06T14:09:09 INFO ZServer HTTP server started at Mon Feb  6 
14:09:09 2006

Hostname: x-harper
Port: 8081

which also triggers a connection drop and restarBt of ZEO.


Odd... not seen this at all, what OS you running on?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] proxy roles on Product methods


Palermo, Tom wrote:
Is it possible to set proxy roles on methods located in Zope Products. 


Not really, why do you think you need to?


see them in a sitemap (uses dtml-tree). However, I've got an edit_html
method located in a Zope product that then needs to use stuff in one of the
folders that has "View" set to off for that user (who's running edit_html).


If the code is in a disk-based class method, security won't be coming 
into play.


What errors are you seeing?
(if you get an auth box, consider hitting cancel or enabling verbose 
security in zope.conf, restarting and trying again)


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?


michael nt milne wrote:

I have major problems here trying to set-up authentication over a whole
Plone site using Zope. Using my superuser account I've navigated to the site
root page in the ZMI where it lists all the site pages and objects etc. I've
then gone into security, scrolled down to the bottom and for the 'View'
option I have tried all combinations of 'Manager', 'Authenticated' and
'Aquire'. It simply won't work.


You're simply doing it wrong then ;-)


I get a pop-up box but the superuser manager pass doesn't work.


What does it say when you hit cancel? have you tried enabling verbose 
security in zope.conf?



I find the Zope security, permissions set-up hideously complex and unusable
to be honest and it doesn't even seem to work.


Then for gods sake stop trying to use Zope and go find some toy system 
you do understand!



Very frustrated.


So are we, quit bugging us until you've learned a bit more about how 
things work, started with something simple, or just plain raised your IQ 
a little ;-)


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] Re: htaccess with zope/plone ?


michael nt milne wrote:

ok, I've gone into the security tab in the site root and set 'view' to
'authenticated' whilst de-selecting aquire. 


Yay!


However, using the password that
gets me into the overall 8080/manage doesn't work.


Huh? Can you provide any less information, or maybe make it a bit 
vaguer? ;-)



 Also the front page still
comes up if you cancel the login box and the page displays without css. 


Then you still haven't sorted your permissions properly...


This
shouldn't happen with view set to authenticated.


Then _you're_ doing something wrong, 'cos it works just fine for the 
rest of us...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] Re: htaccess with zope/plone ?


michael nt milne wrote:

But if you've got Apache ssl as well then it's more secure.


Yes, SSL is a transport encryption method, not an authentication method...


The problem I've found is that you can't put this in the httpd.conf unless
it is wrapped in a  directive

AuthType Basic
AuthName "Members Only"
AuthUserFile /path/to/.htpasswd
require valid-user


This is an Apache question, take it elsewhere!

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Re: htaccess with zope/plone ?


michael nt milne wrote:

Also, just to say that I did a test on only letting authenticated and
managers view the root page of the site over ssl.


How?


If you just cancelled the
login box or closed it, the whole front page was displayed without any css
but you could still get all the content.


Well, then you didn't set permissions correctly...


I've had this quite a bit before so
that's why I'm looking into Apache authentication. I just don't think that
Zope authentication is secure.


You just don't think, or research, which is more your problem...

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Re: htaccess with zope/plone ?


michael nt milne wrote:

Also I'm implementing an extranet solution where extra security is
required-so therefore an apache login and a further plone login for
editing the site.


I commented to someone asking similar questions about them being stupid, 
lazy or both. I don't think you're lazy ;-)


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Re: htaccess with zope/plone ?


michael nt milne wrote:

Sorry but there's alot of Apache knowledge here and it's completely
relevant. 


No it isn't, if you want to use Apache auth, go ask on an Apache forum.
You don't, but you think you do, and you won't listen to anyone, which 
is annoying in its own right...


Also Zope doesn't do SSL well 


Zope doesn't do SSL at all, there's no point. Secure transport and 
authentication have little to do with each other...



and all password - login is
basically insecure! 


Not if it's over SSL...


I've found out that  I'm best using httpd.conf and
not htaccess . Also irc.freenode is unusable.


Oh don't be so rediculous...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Andreas Pakulat

On 08.02.06 21:38:26, michael nt milne wrote:
> Of course I did. Why on earth would you be able to view a front page of a
> site when it is labelled as 'authenticated' and also as 'manager' ? just by
> pressing cancel or return a few times.

I just checked that with a plain Zope's index_html. I cannot view
localhost:8080/ when I change the security setting of index_html to
allow View only for authenticated. However I can view it when I
authenticate with the initial user information.

Now the same thing with a plone site, removed the view-right from
front_page I get a screen telling me to authenticate. Not the "box"
because Plone normally uses cookie-auth, you should be able to change
that in the UserFolder. If I use the initial-user with the
cookie-based-form I can see the plone site.

Then I removed the View right from the plone-site-object for anonymous
and when I access localhost:8080/p1 I get the Basic-HTTP-Login Box,
giving it the initial-user-info it lets me view the front_page. 

> Big security flaw I'm sorry.

I wonder why you are the only one experiencing this... Maybe because the
error is on your side (or sits in front of your monitor)? And not Zope.

> Also
> superuser passwords don't work when security is set up and I've tried this
> on a couple of set-ups. And this is apart from the usability.

What do you mean with superuser? There is no superuser, you have an
initial user but that's not a user you'd normally use to login. You add
new Users in the user-folder.

And what usability problem are you now talking about?

Andreas

-- 
Reply hazy, ask again later.
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

Mark Barratt schrieb:
> michael nt milne wrote:
> 
...
> My other advice is to try not to touch ZMI security screens: if you're
> using Plone you should try to set up the security you need in Plone as

Ah yes, things are a bit different when plone comes in. Then Plone
documentation should be consulted, of course.

Regards
Tino
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

michael nt milne schrieb:
> Sorry but this is not my experience and I have experimented. Am using
> gmail basic setting which I like.

Be sure mailinglist people dont like it :-)

Actually it should not bee too hard to
1) create a role, lets call it "Guests" (in / )
2) create a user: guest (in /acl_folder) with role "Guests"
3) remove [ ] acquire  for "View" and if you want "Access Contents
Information" and make a [x] for Manager and [x] Guests

thats it.

Go with a new browser (closed and reopen if you want)
to / of your site and you will get the standard_error_page
with "Unauthorized" if you "cancel" the login box.

You can customize standard_error_page if you want.

How can this be easier with Apache? I'd like to see :-)

(Yes, I know Apache quite good)

Regards
Tino
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Mark Barratt


michael nt milne wrote:

I find the Zope security, permissions set-up hideously complex and 
unusable to be honest and it doesn't even seem to work.


Yes. But security is hard on any capable system, with users, groups, 
objects, applications all having security attributes and all those 
things inheriting and interacting in unexpected ways. Netware and 
Windows are the same.


As for 'doesn't even seem to work', that may be true (welcome to Open 
Source!), but you may 'just' be experiencing interactions between Zope 
security (hideously complex, etc) and Plone security (also complex). The 
interactions between these systems are basically beyond ordinary humans 
- or, possibly, just don't work.


It may be most sensible to try to hand off security to another system 
entirely and let Zope/Plone share/inherit it - as your original 
intention. If it's an extranet, can you use the surrounding network's 
system? Pluggable authentication can use Windows or LDAP (or, perhaps, 
other) authentication to provide access to a Zope/Plone, so visitors log 
in to your network rather than to the Zope site, and the Zope/Plone can 
inherit whatever the domain authentication system knows about them.


My other advice is to try not to touch ZMI security screens: if you're 
using Plone you should try to set up the security you need in Plone as 
far as possible. You really don't need Plone and Zope trying to do 
different things at the same time: it's a fragile and complex marriage 
and the partners all too easily end up stalking out of the room.


(this also suggests you might have better luck on the Plone discussion 
lists, eg nntp://gmane.comp.web.zope.plone.user)


best

Mark Barratt
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

Sorry but this is not my experience and I have experimented. Am using gmail basic setting which I like. On 2/8/06, Tino Wildenhain <
[EMAIL PROTECTED]> wrote:michael nt milne schrieb:> Of course I did. Why on earth would you be able to view a front page of
> a site when it is labelled as 'authenticated' and also as 'manager' ?> just by pressing cancel or return a few times. Big security flaw I'm> sorry. Also superuser passwords don't work when security is set up and
> I've tried this on a couple of set-ups. And this is apart from the> usability.I dont get what you tried... many of us are doing it and it justworks. Much easier as with apache I say. Apropos getting and trying...
could you try to set your mail-client to text only and quote likeall others do? This would make it easier to read what you type :-)You only remove [ ] Acquire for View and assign it toAuthenticated or better to whatever role your users should belong.
Canceling Authentication requester will not show you contentsbut the standard_error_page - unless you have a broken useragent(e.g. Internetexplorer) with horrible cache settings and didview the authenticated page before.
RegardsTino Wildenhain-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

michael nt milne schrieb:
> Of course I did. Why on earth would you be able to view a front page of
> a site when it is labelled as 'authenticated' and also as 'manager' ?
> just by pressing cancel or return a few times. Big security flaw I'm
> sorry. Also superuser passwords don't work when security is set up and
> I've tried this on a couple of set-ups. And this is apart from the
> usability.

I dont get what you tried... many of us are doing it and it just
works. Much easier as with apache I say. Apropos getting and trying...
could you try to set your mail-client to text only and quote like
all others do? This would make it easier to read what you type :-)

You only remove [ ] Acquire for View and assign it to
Authenticated or better to whatever role your users should belong.

Canceling Authentication requester will not show you contents
but the standard_error_page - unless you have a broken useragent
(e.g. Internetexplorer) with horrible cache settings and did
view the authenticated page before.

Regards
Tino Wildenhain
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

I printed out the section on Zope security quite a while ago and read it. So it's not just in the last ten minutes. I haven't tried verbosesecurity just yet as I haven't had the time. Basically, the security should work without that.
On 2/8/06, Andreas Pakulat <[EMAIL PROTECTED]> wrote:
On 08.02.06 21:25:33, michael nt milne wrote:> I've just tried this on a completely different server. I also made sure that> 'access contents information' was set to 'manager' and 'authenticated'.Wow, you read the zope-book on security, setup a new zope on a server
and checked this in just 10 minutes? Forgive me if I don't believe this.> The same thing happens. The main password doesn't work and also you still> get the main page contents if you keep cancelling or pressing return on the
> login box.So no Plone this time? What does VerboseSecurity tell you? Do you haveto login to get access to the ZMI? Have you tried to allownon-authenticated access to the ZMI?> Complete nightmare. This was the reason I wanted to go with Apache security
> as it's more robust.No it's not, it's not less robust either, at least that's what Iexperienced until now.Andreas--You can rent this space for only $5 a week.___
Zope maillist  -  Zope@zope.orghttp://mail.zope.org/mailman/listinfo/zope**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev
 )-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Andreas Pakulat

On 08.02.06 21:25:33, michael nt milne wrote:
> I've just tried this on a completely different server. I also made sure that
> 'access contents information' was set to 'manager' and 'authenticated'.

Wow, you read the zope-book on security, setup a new zope on a server
and checked this in just 10 minutes? Forgive me if I don't believe this.

> The same thing happens. The main password doesn't work and also you still
> get the main page contents if you keep cancelling or pressing return on the
> login box.

So no Plone this time? What does VerboseSecurity tell you? Do you have
to login to get access to the ZMI? Have you tried to allow
non-authenticated access to the ZMI?

> Complete nightmare. This was the reason I wanted to go with Apache security
> as it's more robust.

No it's not, it's not less robust either, at least that's what I
experienced until now.

Andreas

-- 
You can rent this space for only $5 a week.
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

Of course I did. Why on earth would you be able to view a front page of a site when it is labelled as 'authenticated' and also as 'manager' ? just by pressing cancel or return a few times. Big security flaw I'm sorry. Also superuser passwords don't work when security is set up and I've tried this on a couple of set-ups. And this is apart from the usability.
On 2/8/06, Tino Wildenhain <[EMAIL PROTECTED]> wrote:
michael nt milne schrieb:>  Thanks for the advice. I'll have another look at the security settings> but this is undoubtedly an issue.  The superuser password not working is> the main one etc. But ultimately my  comments on usabiltity should be
> taken on board because Zope security is overly complex.Actually its not that hard - and its just fine grained - a very strengthof zope. You can use VerboseSecurity to debug your security issues.
Did you read the chapter about users and security in the zope book?RegardsTino-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

michael nt milne schrieb:
>  Thanks for the advice. I'll have another look at the security settings
> but this is undoubtedly an issue.  The superuser password not working is
> the main one etc. But ultimately my  comments on usabiltity should be
> taken on board because Zope security is overly complex.

Actually its not that hard - and its just fine grained - a very strength
of zope. You can use VerboseSecurity to debug your security issues.

Did you read the chapter about users and security in the zope book?

Regards
Tino
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

I've just tried this on a completely different server. I also made sure that 'access contents information' was set to 'manager' and 'authenticated'.The same thing happens. The main password doesn't work and also you still get the main page contents if you keep cancelling or pressing return on the login box.
Complete nightmare. This was the reason I wanted to go with Apache security as it's more robust.MichaelOn 2/8/06, michael nt milne <
[EMAIL PROTECTED]> wrote: Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue. The superuser password not working is the main one etc. But ultimately my comments on usabiltity should be taken on board because Zope security is overly complex.
On 2/8/06, Dieter Maurer <
[EMAIL PROTECTED]> wrote:
michael nt milne wrote at 2006-2-8 16:48 +:>I have major problems here trying to set-up authentication over a whole>Plone site using Zope. Using my superuser account I've navigated to the site>root page in the ZMI where it lists all the site pages and objects etc. I've
>then gone into security, scrolled down to the bottom and for the 'View'>option I have tried all combinations of 'Manager', 'Authenticated' and>'Aquire'. It simply won't work.You can use "VerboseSecurity" to analyse difficult authorization
problems."VerboseSecurity" is an integral part of Zope from 2.8 on.Previously, it has been a separate product.--Dieter--
Michael

-- Michael
___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

 Thanks for the advice. I'll have another look at the security settings but this is undoubtedly an issue.  The superuser password not working is the main one etc. But ultimately my  comments on usabiltity should be taken on board because Zope security is overly complex.
On 2/8/06, Dieter Maurer <[EMAIL PROTECTED]> wrote:
michael nt milne wrote at 2006-2-8 16:48 +:>I have major problems here trying to set-up authentication over a whole>Plone site using Zope. Using my superuser account I've navigated to the site>root page in the ZMI where it lists all the site pages and objects etc. I've
>then gone into security, scrolled down to the bottom and for the 'View'>option I have tried all combinations of 'Manager', 'Authenticated' and>'Aquire'. It simply won't work.You can use "VerboseSecurity" to analyse difficult authorization
problems."VerboseSecurity" is an integral part of Zope from 2.8 on.Previously, it has been a separate product.--Dieter-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Session Variables Redux

2006-02-08 Thread Dennis Allison


Zope 2.9.0
Python 2.4.2

There appears to still be a problem with session variables that does not
appear to be the result of interactions with conflicts nor the result of
unexpected restarts.  It does not appear to be load related.

The problem we see is a sudden disappearance of all, one, or a small 
number of session variables.  In a session varaiable stateful system this 
is an embarassment.   The behavior is a bit like a variable which is 
not identified as persistent, but all read and write accesses go through
a getSessionVariable/setSessionVariable interface:

## Script (Python) "getSessionVariable"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=varname
##title=
##
request=container.REQUEST
session=request['SESSION']
return session[varname]

## Script (Python) "setSessionVariable"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=var, val
##title=
##
request = container.REQUEST
session=request['SESSION']
# write only if necessary
if not session.has_key(var) or session[var]!=val:
session[var]=val


Our session lifetimes are long (hours, days) and conflicts are fairly 
frequent.  Hand checking of the logs does not show any obvious correlation 
between session variable loss and conflict.  Moreover, all conflicts are 
"resolved".

Does anyone else see this sort of problem?  Any suggestions as to how to 
isolate the problem?  



___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Dieter Maurer

michael nt milne wrote at 2006-2-8 16:48 +:
>I have major problems here trying to set-up authentication over a whole
>Plone site using Zope. Using my superuser account I've navigated to the site
>root page in the ZMI where it lists all the site pages and objects etc. I've
>then gone into security, scrolled down to the bottom and for the 'View'
>option I have tried all combinations of 'Manager', 'Authenticated' and
>'Aquire'. It simply won't work.

You can use "VerboseSecurity" to analyse difficult authorization
problems.

"VerboseSecurity" is an integral part of Zope from 2.8 on.
Previously, it has been a separate product.

-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] Zope=ZEO connection

2006-02-08 Thread Dieter Maurer

Dennis Allison wrote at 2006-2-7 18:18 -0800:
> ...
>What sort of Zope failure can cause this sort of behavior?  What's the 
>best approach to get more information to localize the failure.

A crash presented to Zope as a fatal signal (usually "SIGSEGV"
or "SIGBUS").

Reconfigure your Linux account running Zope to write
core files ("ulimit -Sc 10"). With a bit of luck
you will get a core file written in case of such crashes.
Look into the core with GDB. Note, that the value "10"
might not be big enough to get a complete core file.
GDB may have problems to really understand incomplete ones.


-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] proxy roles on Product methods

2006-02-08 Thread Dieter Maurer

Palermo, Tom wrote at 2006-2-8 09:59 -0500:
>Is it possible to set proxy roles on methods located in Zope Products.

No, but I posted some time ago (to "zope-cmf" or "plone-users")
code that allows you to set proxy roles on a region in
trusted code. Search for "ProxyContext".



-- 
Dieter
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Andreas Pakulat

On 08.02.06 16:48:08, michael nt milne wrote:
> I have major problems here trying to set-up authentication over a whole
> Plone site using Zope.

Start simple, start up a plain Zope, create a ZPT or DTML and change
it's view right. See what happens.

> I find the Zope security, permissions set-up hideously complex and unusable
> to be honest and it doesn't even seem to work.

Have you read the zope documentation on how security works? Have you
checked what happens when you access the Plone-url "behind the scenes"?

Andreas

-- 
You seek to shield those you love and you like the role of the provider.
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] major problems placing authentication on an extranet site-security flaw?

2006-02-08 Thread Jens Vagelpohl



On 8 Feb 2006, at 16:48, michael nt milne wrote:

I get a pop-up box but the superuser manager pass doesn't work.


If the superuser password is indeed set up correctly then this is a  
fault of the user folder. There are some bad implementations out that  
that do not respect the superuser/emergency user.



Then, even with 'authenticated' checked and using a different  
browser to the one I'm using for the management screen, clicking  
return on the login box over and over again eventually produces the  
front page sans CSS. It shouldn't do this and when the extranet is  
live, if the public were to be able to view it this would be a  
serious risk. I've set view to authenticated only but it still lets  
me in.


I find the Zope security, permissions set-up hideously complex and  
unusable to be honest and it doesn't even seem to work.


I'll be more explicit this time: You don't know enough to make  
blanket statements like this. From your emails it is obvious that you  
don't know much at all about the way Zope security works. You need to  
get a clue about what you're doing first. From the lack of similar  
complaints from the many Zope and Plone users out there and the lack  
of interest (meaning lack of responses to your emails) the only  
logical conclusion is that the fault is on your end.


Since this is a Plone site I would suggest you move this discussion  
to a Plone-related mailing list.


jens

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] major problems placing authentication on an extranet site-security flaw?

HiI have major problems here trying to set-up authentication over a whole Plone site using Zope. Using my superuser account I've navigated to the site root page in the ZMI where it lists all the site pages and objects etc. I've then gone into security, scrolled down to the bottom and for the 'View' option I have tried all combinations of 'Manager', 'Authenticated' and 'Aquire'. It simply won't work. 
I get a pop-up box but the superuser manager pass doesn't work. Then, even with 'authenticated' checked and using a different browser to the one I'm using for the management screen, clicking return on the login box over and over again eventually produces the front page sans CSS. It shouldn't do this and when the extranet is live, if the public were to be able to view it this would be a serious risk. I've set view to authenticated only but it still lets me in.
I find the Zope security, permissions set-up hideously complex and unusable to be honest and it doesn't even seem to work.Very frustrated.-- Michael
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] Startup error with Formulator

2006-02-08 Thread Dennis Allison

Zope 2.8.4
Python 2.4.2

Startup error with Formulator.  What's missing or broken?

Out of the box:

2006-02-08T01:51:58 ERROR Zope Couldn't install Five
Traceback (most recent call last):
  File "/usr/local/src/zope/Zope2.8/lib/python/OFS/Application.py", line 
773, in install_product
initmethod(context)
  File "/usr/local/src/zope/Zope2.8/lib/python/Products/Five/__init__.py", 
line 29, in initialize
zcml.load_site()
  File "/usr/local/src/zope/Zope2.8/lib/python/Products/Five/zcml.py", 
line 45, in load_site
_context = xmlconfig.file(file)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 439, in file
include(context, name, package)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 375, in include
processxmlfile(f, context)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 245, in processxmlfile
parser.parse(src)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
109, in parse
xmlreader.IncrementalParser.parse(self, source)
  File "/usr/local/lib/python2.4/site-packages/_xmlplus/sax/xmlreader.py", 
line 123, in parse
self.feed(buffer)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
216, in feed
self._parser.Parse(data, isFinal)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
364, in end_element_ns
self._cont_handler.endElementNS(pair, None)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 225, in endElementNS
self.context.end()
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 518, in end
self.stack.pop().finish()
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 665, in finish
actions = self.handler(context, **args)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/Products/Five/fiveconfigure.py", 
line 56, in loadProducts
xmlconfig.include(_context, zcml, package=product)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 375, in include
processxmlfile(f, context)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 245, in processxmlfile
parser.parse(src)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
109, in parse
xmlreader.IncrementalParser.parse(self, source)
  File "/usr/local/lib/python2.4/site-packages/_xmlplus/sax/xmlreader.py", 
line 123, in parse
self.feed(buffer)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
216, in feed
self._parser.Parse(data, isFinal)
  File 
"/usr/local/lib/python2.4/site-packages/_xmlplus/sax/expatreader.py", line 
353, in start_element_ns
AttributesNSImpl(newattrs, qnames))
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/xmlconfig.py", 
line 206, in startElementNS
self.context.begin(name, data, info)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 515, in begin
self.stack.append(self.stack[-1].contained(__name, __data, __info))
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 815, in contained
return RootStackItem.contained(self, name, data, info)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 683, in contained
factory = self.context.factory(self.context, name)
  File 
"/usr/local/src/zope/Zope2.8/lib/python/zope/configuration/config.py", 
line 461, in factory
raise ConfigurationError("Unknown directive", ns, n)
ZopeXMLConfigurationError: File 
"/usr/local/src/zope/Zope2.8/lib/python/Products/Five/skel/site.zcml", 
line 12.2-12.23
ZopeXMLConfigurationError: File 
"/opt/zope/zproducts/standard/Formulator/configure.zcml", line 7.2
ConfigurationError: ('Unknown directive', 
u'http://namespaces.zope.org/i18n', u'registerTranslations')
--


The offending file is:

http://namespaces.zope.org/zope";
xmlns:i18n="http://namespaces.zope.org/i18n";
>

  
  




-- 

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

[Zope] proxy roles on Product methods

2006-02-08 Thread Palermo, Tom




Hi All,
 
Is it possible to set proxy 
roles on methods located in Zope Products. I need to turn the View permission 
off on some folders so certain users can't see them in a sitemap (uses 
dtml-tree). However, I've got an edit_html method located in a Zope product that 
then needs to use stuff in one of the folders that has "View" set to 
off for that user (who's running edit_html).
 
Thanks,
Tom 
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] ExtFile - wrong file extension and content_type

2006-02-08 Thread Martijn Pieters

On 2/7/06, Michael Vartanyan <[EMAIL PROTECTED]> wrote:
> well. I would really like to know what does this "b/w" mean in this
> context? Not black&white for sure :-)

I'd guess at 'backward compatibility'.

--
Martijn Pieters
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] Re: htaccess with zope/plone ?