RE: [Zope] Collector status on password change bug?
I see that the "Can't change User Roles without their Password" bug mentioned in: http://classic.zope.org:8080/Collector/1102/view http://classic.zope.org:8080/Collector/1134/view http://classic.zope.org:8080/Collector/1138/view (etc) is still in 2.1.6 http://classic.zope.org:8080/Collector/1138/view provides a patch. What is the recommended way to solve this long-standing problem? Kent - the fix for this is in the forthcoming 2.2. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] 2.1.4 to 2.1.6 nightmare
Finally it works. Thanks. Do you know why DigitalCreations haven't release a patch? Dunno :S I guess i'm not the first one getting mad with 2.1.6. Had us fooled for about a week :( I think it's all fixed in 2.2 anyway, which may be why no patch was released... That's basically right - it boils down to that releasing a patch for every bug/feature just doesn't scale. We have made some internal adjustments to allow our release schedule to be much more flexible and frequent than it was, which should address this. Of course, if having every latest bug fix is of burning importance to you, you can run from the public CVS - though you are also, of course, going to get every latest bug as well :^) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] WebDAV, Web Folders and collaborative work
I am happily dragging and dropping documents between my Zope server and my desktop using the 'Open as Web Folder' facility of IE5. This seems to save me from writing an upload page but not much else. What I am looking for is a way to prevent others from editing the document whilst I have it. I thought WebDAV helped with this. Maybe I need to do something with a Version? have I missed the point? No - the current incarnation of WebFolders (Microsoft's product) does not deal with locking. Office 2K does (it locks a document while editing it). Zope currently "fakes" locking support as an unofficial measure to allow folks to open O2K docs stored in Zope. We faked it partly because there was (even fairly recently) some disagreement in the DAV group about how locking ultimately should work, and partly because DAV clients haven't exactly taken the world by storm at this point and that has to be reflected in our priorities. Note that even if locking were supported on the Zope side, I don't think that this would help your situation since WF will not lock an object just because you dragged it to your local desktop. AFAIK, O2K will only lock something if you open it directly with O2K. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] is WebDAV a security hole?
Been playing around with WebDAV from IE5 connecting to a RedHat 6.1 +Zope 2.1.6 And it seems that quite a bit of the stuff that propably shouldn't be visible can be seen, for example acl_users What other things are you referring to? (see answer for acl_users below) Without being logged in I can start a download of it, eventually IE5 fails, but I get this uncomfortable feeling that this is more due to IE5 not handling this document type than anything else... If I used some other WebDAV client, could I then download acl_users, and if so, would this expose usernames/passwords? It would not expose passwords - I believe that what you are seeing is a sort of non-obvious but basically harmless thing. User folders (acl_users) do not have an index_html method (by design). When a DAV client tries to "download" acl_users, it is actually acquiring the closest index_html from above and downloading that :^) One could argue that this is lame and that attempting to GET .../acl_users/ should raise an error (404?). I'm interested in other viewpoints on this - if there is some consensus, a proposed change should be put in the Collector. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] is WebDAV a security hole?
Thanx for an informative response! Btw I tried WebDAV vs. www.zope.org and that site refused the connection attempt. Is there some obvious setting that I can use to disable WebDAV, since I don't need it (as far as I know;) DAV won't work for zope.org because it runs behind apache and we've never done the incantation apache requires to let cgi-ish processes handle their own DAV requests. As far as disabling DAV support, there's no real way to do that (except for running behind apache or another server that interferes with DAV requests by default). This really shouldn't be a problem - the extended HTTP methods that provide DAV support all basically have Zope api corollaries, so the DAV methods are protected by the analogous permissions. For example: PROPFIND - manage properties PROPPATCH - manage properties DELETE- delete objects MKCOL - Add folders ...and so on. GET, POST and PUT are used by DAV exactly as in the HTTP spec, so if you can "download" something via DAV then you could also have gotten it with your normal non-DAV aware browser. Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone conference. conference.
Basically, if a user with manager privileges to a folder changes their password to be empty, then anyone (from permitted domains) can access the management screen for that folder Without Logging On... Zope assumes that you are the user without the password and treats you as if you have those rights. This is a feature, but I don't know if or where it is documented besides the source code (which is a bug if it isn't I guess). You're right - it is a feature. You are also right that it isn't documented anywhere that I can find :( I would suggest adding this to the Collector (as a 'Documentation Request'). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Plea: sequence-item and sequence_item in 2.2?
Hi all, Can I make a plea that the .diff patch that Jonothan Farr posted a while back be included into the 2.2 release? http://www.zope.org/Members/jfarr/Patches/dtml-in-sv I have yet to hear a downside to this patch. I second that motion. The patch has allowed me to clean up my code signifigantly. While I understand your wanting this, the problem is a little deeper than just naming consistency. The sequence-* names were done that way intentionally to avoid consuming possible names and avoid clashes in the standard namespace, and changing the convention could cause clashes to become effective. Have you looked at the "named dtml in loop" proposal on the DTML wiki on Zope.org? http://www.zope.org/Members/4am/DTMLWiki/NamedDTMLInLoop I think that this proposal would go a long way toward easing the spelling issue as well as solving some other pains involving using nested dtml-in loops... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Wrong mime type sent by Zope on every page
But what if there are side effects to calling the document? What should happen? I don't want a counter to go up or anything just because a HEAD was called on the object. This is not as black-and-white and simple an issue. The web is an imperfect medium, but returning a junk content type isn't good. I'll throw out a proposal on this. It also is not perfect, but seems to strike a happier balance. When HEAD is called on an object, what currently happens is: if a 'content_type' attribute exists, it is used else if the object's id seems to have a file extension (. in the id), try to use guess_content_type else fall back to the hated application/octet-stream (or, I've seen x-unknown-content-type used before, but I don't know if this is really any better). What if we change this to: if a 'content_type' attribute exists, it is used else if the object's id seems to have a file extension (. in the id), try to use guess_content_type else if there is a 'default_content_type' attribute, use that else fall back to the hated application/octet-stream (or, I've seen x-unknown-content-type used before, but I don't know if this is really any better). Then we could put a 'default_content_type' attribute in the class of dtml documents and methods, which would take care of the most common case. Thoughts? Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Wrong mime type sent by Zope on every page
-Original Message- From: Dan L. Pierson [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 08, 2000 3:47 PM To: Brian Lloyd Cc: 'Chris Withers'; Martijn Pieters; Andrew Diller; [EMAIL PROTECTED] Subject: RE: [Zope] Wrong mime type sent by Zope on every page Brian Lloyd writes: What if we change this to: if a 'content_type' attribute exists, it is used else if the object's id seems to have a file extension (. in the id), try to use guess_content_type else if there is a 'default_content_type' attribute, use that else fall back to the hated application/octet-stream (or, I've seen x-unknown-content-type used before, but I don't know if this is really any better). Then we could put a 'default_content_type' attribute in the class of dtml documents and methods, which would take care of the most common case. Thoughts? Sounds pretty good. Setting 'default_content_type' can then be another item in the unwritten Guide to Writing a Zope Product. That's right - I expect that it could be useful for a few products. I can see XMLDocuments having a default of 'text/xml', but I suspect that a lot of products won't really have to care. Things that have no real similarity to conventional "pages" (like database connection objects, etc.) are probably useless to a robot that works with "pages" anyway, so they are better off sending a default non-committal response like "application/octet-stream". Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope 2.2 beta 1 released
Zope 2.2.0 beta 1 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0b1/ This release contains refinements to the new ownership model as well as better undo management and many bug fixes. For more information, see: http://www.zope.org/Products/Zope/2.2.0b1/CHANGES.txt If you are still using a 2.1.x version of Zope, be sure to see the document http://www.zope.org/Products/Zope/2.2.0b1/upgrading_to_220 for information on the recent changes to the Zope security model and other upgrade information. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope 2.2 beta 1 released
On Mon, 12 Jun 2000, Brian Lloyd wrote: Zope 2.2.0 beta 1 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0b1/ Either the -src file name is wrong, or the file is wrong, because it still says 2.2.0a1. I think it's the file, 'cause the control panel still says 2.2.0a1... --RDM Ack - damned autocomplete :^) The right one is there now... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope 2.2 beta 1 released
Trying to run the b1 on Windows, I get the following: C:\Program Files\Z220b1"C:\Program Files\Z220b1\bin\python.exe" "C:\Program Fil es\Z220b1\z2.py" -D Traceback (innermost last): File "C:\Program Files\Z220b1\z2.py", line 524, in ? import ZServer File "C:\Program Files\Z220b1\ZServer\__init__.py", line 87, in ? from medusa import max_sockets, asyncore ImportError: No module named medusa Throwing an empty __init__.py file into $Zope/ZServer/medusa solved the problem for me. Ack - apparently something in the win installer thinks that empty files are not worth preserving :( Note that I've tweaked this and re-uploaded the win32 beta. If you've already downloaded it, the above solution is fine (just create an empty file named __init__.py in your ZServer/medusa directory). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] upgrade from zope-2.1.6 to zope-2.2.0b1
Zope starts ok, but i can't get view or manage the site. here's the traceback --- Traceback (innermost last): File /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/Publish.py, line 222, in publish_module snip File /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/BaseRequest. py, line 501, in old_validation (Object: broken) AttributeError: (see above) - i use UserDb for authentication, got a few ZClass of my own, SiteSummary, and a few other zope products. can anyone shed some light ? It _looks_ like you have a "broken" object in your top-level Folder. "Broken" objects are created when Zope has a problem unpickling an object (usually because the add-on product that defines the class of the object is missing). Are you sure that you got all of your add-on products installed (and any other dependencies like external methods) copied to the beta install? Alternatively, it is possible that one of your add-on products is incompatible somehow with the beta (if it can't import correctly, for example, then objects created from the product would be broken). One way you could probably test this theory: o shut down your beta installation o cd to your lib/python directory and crank up a Python prompt o do 'import Zope'. Look for any tracebacks (though the product import process will likely consume exceptions when trying to import products). o for each 3rd party product in lib/python/Products, try to do: 'import Products.xxx' where xxx is the product package name. If a product cant be imported, you should get a traceback for it (please post it if you get one). Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] getSize()? was [Zope] Zope 2.2 beta 1 released
After noticing that ZWiki throws an Attribute Error / getSize in RecentChanges, I tried a simple dtml-var "index_html.getSize()" This works in 2.1.6, but throws the aforementioned exception in 2.2b1, too. Is this a bug or a feature? It's been changed to "get_size()". I don't know whether that would be a bug or a feature. ;-) getSize is deprecated, but since folks are still using it I have added the alias back in for final. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope security alert and 2.1.7 update [*important*]
Hello all, We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization. A Zope 2.1.7 release has been made that resolves this issue for Zope 2.1.x users. This release is available from Zope.org: http://www.zope.org/Products/Zope/2.1.7/ A patch is also available if it is not feasible to update your Zope installation at this time (the patch is based on 2.1.6): http://www.zope.org/Products/Zope/2.1.7/DT_String.diff If you are evaluating any of the recent 2.2 alpha or beta releases, you should apply the patch noted above if your site is accessible by untrusted clients. A forthcoming 2.2 beta 2 release will contain the fix for this issue. While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients take the appropriate mitigation steps immediately. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Comfirming Hotfix is installed.
Is there any way to confirm that the hotfix has been installed? I extracted the files and restarted Zope but it would be nice if there was a way to confirm that it is installed. Yes - that is one of the nice side-benefits of doing it this way: look in the Control_Panel/Products and you will see the hotfix product in the listing. Click on it and click the "README" tab to view the readme file that describes the hotfix. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: Zope 2.1.5/6/7 upgrading issues
Hi guys, First of all, I'd like to apologize for the pain factor here - there has been some CM process changes around here and the 2.1.x branch is suffering as a result :( I have a proposal, however, that I hope will make this much easier. How about if we: o release a "Product" today that, if you install it and restart your Zope (no matter what version), patches the hole at runtime (in memory change only). o retract the 2.1.7 release in favor of getting 2.2 beta 2 out on Monday, which doesn't have the cruft problem of the 2.1.x branch and contains all fixes to date (and which will fix SQLMethod problems and support the SiteAccess release that Evan is making today). I can have the new "hotfix" product ready by 12:00pm EST today. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Updated security alert
Hi all - I've updated the security alert (below). Short story: a new "hotfix product" is available on zope.org that will work for all 2.0+ Zopes and has no side effects or upgrade implications for Zope installations. This feels like a much better model for things like this, especially for production sites. We have recently become aware of an important security issue that affects all released Zope versions including the recent 2.2 beta 1 release. The issue involves an inadequately protected method in one of the base classes in the DocumentTemplate package that could allow the contents of DTMLDocuments or DTMLMethods to be changed remotely or through DTML code without forcing proper user authorization. A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect. http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tg z The hotfix will work for all versions of Zope 2.0 and higher, including the recent 2.2 alpha and beta releases. The forthcoming Zope 2.2 beta 2 release will contain a fix for this issue, and you be able to uninstall the hot fix after upgrading to 2.2. (though nothing bad will happen if you don't uninstall it). Note that the 2.1.7 release that was initially made to address this issue has been pulled in favor of this hotfix product, which will allow managers of Zope sites to address this issue without worrying about other implications of upgrading their installations. While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site that is accessible by untrusted clients install the 06/16/2000 hotfix product immediately. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Beta Zope Error
I get the same problem. A SQL method of mine is apparrently accessible from within a DTML method but not from within another SQL method. (I do this to determine if a record exists before overwriting it). I also have an external method that augments query objects with special grouping records. Here's one of my tracebacks (hey, I get a different one every time I click REFRESH): traceback snipped I've been trying to reproduce this with a Gadfly connection and I haven't been able to make this happen - have you checked to make sure that all of the sql methods in question have the same ownership and permission settings? Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Does dtml-sendmail work with 2.1.7?
Just thought I'd rephrase the question after doing more troubleshooting. Does anyone have this tag working for them when using Zope 2.1.6??? Mark - A number of fixes have been made to dtml-sendmail for 2.2. The version in 2.1.7 is hosed due to some configuration management issues that let some (but not all) of those fixes get into the 2.1.7 release :( You really would be better off sticking with 2.1.6 for another day or so until 2.2 beta 2 comes out. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Quickstart problems...
Do I have something misconfigured, or is Quickstart broken with latest beta? Darren Addy Darren - The QuickStart was broken in beta 1. Its fixed in beta 2 (out late today or early tomorrow). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope 2.2 beta 2 released
Hi all, Zope 2.2.0 beta 2 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0b2/ This release resolves the outstanding issues from beta 1 as well as the integrated fix for the recent security issue and further refinements of the help system. For more information, see the CHANGES.txt file for the release: http://www.zope.org/Products/Zope/2.2.0b2/CHANGES.txt If you are still using a 2.1.x version of Zope, be sure to see the document "Upgrading to Zope 2.2" for information on the recent changes to the Zope security model and other upgrade information. http://www.zope.org/Products/Zope/2.2.0b2/upgrading_to_220 Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] RE: Zope2.2.0b2 not workink on win98
On my Win box Zope dont allow add _no one_ objects (eg. Folder), dont allow enter Control Panel if product incorect installed, etc.. Zope 2.1.6 and 2.1.7 (with apropriate patches) works very well. What I am doing wrong or eventually how can I help to avoid this problems ? platform: Win98, Zope2.2.0b2 from official installer, empty (default) Data.fs Eg. if i try to add a Folder that is happend: STRONGError Type: SuperCannotOwn/STRONGBR STRONGError Value: Objects cannot be owned by the superuser/STRONGBR snip Adam, In Zope 2.2 and above, the superuser should *only* be used to bootstrap your system and create management users. The superuser can not own objects in Zope now for security reasons. Please see the "upgrading to Zope 2.2.0" document on Zope.org for more information on this. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope2.2.0b2 - cannot import tutorial
I started to do experiments with 2.2.0b2 (I skipped b1). Looks good. I lpayed a little and found tutorial.zexp in directory import. I tried to import, but Zope complains. That import file is used by Amos' new Zope Tutorial object (you add that via the normal add list). It probably shouldn't blow up if you try to import it normally though - I'll forward this to Amos. I remember DC promises to add a screen to configure the number of threads instead of default 7, but I didn't found the screen. Will it be added later? Who promised you that? :^) I hadn't heard of this... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Short urls? SHORT URLS???
Geeez, I thought that one of Zope's promises was nice short URLS. Wutts up with this? http://xanadu.unk.edu:8080/QuickStart/index_html?tree-e=eJyLVn eEASdPW3UdBSR-JCrf1cRWPRYAGNELbA#AE4 They _are_ nice and short - if you don't use the Tree tag :^) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...
Hi all, Several folks have reported problems in beta 1 with SQLMethods having authentication problems when trying to call other SQL Methods. I'd like a few intrepid volunteers to try something for me to see if it fixes the problem. I'd like to make a 2.2 beta 2 release tomorrow but I want to make sure this issue is resolved first. Make a backup of the file: lib/python/Shared/DC/ZRDB/DA.py in your current (beta 1) installation and replace it with the DA.py attached to this email, restart and let me know if the problem goes away. Thanks! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com DA.py
RE: [Zope] 2.2.0b2 dies in Windows NT4
I've tried this again. When I access the manage page, an Import/Export tab at folder / comes up, and then Python.exe dies with an NT exception which is a stack overflow :-( Same thing happened with 2.2.0b1. Graham, Do you have another (clean, preferably SP4) NT machine available to you to test with? I cannot reproduce on any of a fair number of NT boxes available to me, which leads me to believe that either: 1 the problem is a difference in our Zope installations (i.e. installed products) or 2 we each have a different set of gremlins active in our NT installations (1) should be fairly simple to diagnose. If you install a fresh, clean b2 on your NT box and start it with the *default* database and _no_ third party products installed, do you get these odd crashes? If not, then the next step is to determine which product is activating the problem. If you still crash with a totally clean install and using the default object database, then I don't know what else to do but assume (2) :(. Also, if I try to access any pages that use SQLSession ( an older version ), I get authentication challenges from ZopeSecurityPolicy.py when I use the getName() method of the session object. Hopefully this will go away if I upgrade to the latest version. Hopefully, but there is a possibility that some products may need to be updated to behave correctly in the tighter security policies in 2.2. I have as action for me to post a guide for product developers on monday that advise product authors on how to update their products if they are affected. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...
I think that you have hit it on the head - we're trying *hard* to make Zope harder to fool :^) Try adding the following to your class statement, for example: class MyClass: __allow_access_to_unprotected_subobjects__=1 Just a question: Is this documented somewhere.. I've seen some more of these things here and wonder if there's some explanation what exactly has changed in 2.2 and which constants can be used to control these things.. I plan to publish a guide for Product authors Monday that captures the essence of what has changed about the security policy and what product objects need to do to play nicely within it. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Moving Z Classes around
Having discovered that [my] Z Class is in the wrong product, I'd like to move it elsewhere. The obvious thing to do is to use Cut + Paste; unfortunately, I get: The item my-item does not support this operation. (The function manage_copyObjects is not happy!) I can't think of another way to move my classes without rebuilding them -- any advice? Michael, I agree that this is a pain, but it is a fact of life for now in ZClass development. ZClasses have a different relationship with other Zope objects than normal, in that other instances in the object space refer to them as their class. That makes picking them up and moving them something not to be done lightly. In the Python world, this would be equivalent to pickling a bunch of objects and then moving the class for those objects to a different package. Without some explicit action, all of the pickled objects would break because they would be referencing a class that is no longer there. It's the same deal with ZClasses. It may be possible in the future to move ZClasses around, but something will still need to be done about existing instances created from a class that moves. So far we have avoided the hard thinking required to solve that :^) This would be a good candidate for a proposal in the forthcoming ZopeDev area on Zope.org. More on that later... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope 2.2.0b2 - PythonMethods
I remember DC submitted PythonMethods into CVS, but I cannot find PythonMethod in 2.2.0b2. Are PythonMethods for later versions? Or it will be separated Product forever? I have downloaded latest PythonMethods and successfully installed the component, but shouldn't it be in distribution? Or I just don't understand something? Oleg, There is still some work that we want to do on PythonMethods to get them where we want them for inclusion in Zope -- we need to get them well integrated with the Zope security policies and roll in some other work that will make all method-like objects behave in more consistent manner. I'm hoping that this will happen relatively soon (though I can't give you a date). Until then, there's no problem using the latest distribution. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope 2.2.0 beta 3 released...
Hi all, Zope 2.2.0 beta 3 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0b3/ This release resolves the "len of unsized object" error some folks were seeing with their SQL methods as well as an issue with broken installed products causing a recursion problem instead of appearing as normal "broken" objects. I'm hopeful that this will be the last 2.2 beta, assuming that no other real problems arise that need fixes tested before final. For more information, see the CHANGES.txt file for the release: http://www.zope.org/Products/Zope/2.2.0b3/CHANGES.txt If you are still using a 2.1.x version of Zope, be sure to see the document upgrading to Zope 2.2: http://www.zope.org/Products/Zope/2.2.0b3/upgrading_to_220 for information on the recent changes to the Zope security model and other upgrade information. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Creating PythonMethod from ZClass constructor/method.
Using Zope 2.2b3, I am trying to create a PythonMethod from the constructor of my ZClass and keep getting an authorization dialog. In my MyZClass_add method, I have: dtml-with "MyZClass.createInObjectManager(...)" dtml-call "manage_addFolder(id='testFolder')" !-- works! -- dtml-with "manage_addProduct['PythonMethod']" dtml-call "manage_addPythonMethod( this(), 'testMethod', 'Test Method', 'self', 'pass' )" /dtml-with /dtml-with Every pemutation I have tried gives the same result: an Unauthorized exception. Hi Jeff - Thanks for reporting this. It turns out that there was a missing security assertion in the product dispatcher (manage_addProduct) that was causing this. The fix will be in b4. If you want to patch your install in the meantime, edit lib/python/App/FactoryDispatcher.py and change: class ProductDispatcher(Acquisition.Implicit): " " def __getitem__(self, name): ... to: class ProductDispatcher(Acquisition.Implicit): " " # Allow access to factory dispatchers __allow_access_to_unprotected_subobjects__=1 def __getitem__(self, name): ... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] NOTICE: issue with database packing in current Zope releases
Hi all, Jim found a problem with the algorithm for packing the Zope database that we wanted to announce so that folks can avoid being bitten by it until the fix is out (in b4). The gist of it is that you should not pack your database to a given time and then subsequently pack the database to an *earlier* time. For example, do not pack to "older than 0 days" and then pack to "older than 10 days". The algorithm in the current Zope releases doesn't handle this correctly and depending on the exact circumstances can end up getting rid of objects that it shouldn't in the packed version of the database. Note that if you _are_ inadvertantly bitten by this, you can recover by using the Data.fs.old in the /var directory that is created at pack time. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] DTML Document class Id bug, somewhat fixed. But now setName ...
And indeed the problem was with the fact that I was subclassing the DTML Document, which as explained in http://www.zope.org/Members/AlexR/ZClassIDBug somewhat mangles the Id property. Public thanks to Rik Hoekstra [EMAIL PROTECTED] for suggesting that. I added this fix (from the page I mention above) to the constructor method, !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"-- dtml-call "setName(REQUEST['id'])" !--#/with-- And when I try creating a new object, it blows up in my face with this error: Walter - this is sort of a tricky one :( The problem is that the ZClass id bug is a legitimate bug (fixed in the 2.2 series), but your fix uses a method that should never have been accessible in the first place (and in fact the hotfix makes it inaccessible, as it should have been all along). So there are two things you could do here to get along until you can upgrade to 2.2. One, you could edit the __init__.py in the Hotfix product's directory and comment out the line: DocumentTemplate.DT_String.String.setName__roles__=[] ...and restart Zope. That will make the setName method unprotected again though, so don't do this lightly. By unprotected I mean that other people could call setName on _your_ objects and screw things up if they wanted to. An alternative would be to create an external method like the following in your class: def temporary_hack(self, id): self._setId(id) ...and try using: !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"-- dtml-call "temporary_hack(REQUEST['id'])" !--#/with-- That should let you solve it without reopening a security hole. Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Kid clicking and Zope thread deadlock
"Kid clicking" is a technical term used in multimedia game programs, referring to firing multiple click events quickly. The most scary part is that under intense clicking, a multi-threaded program would go into dead-lock. I have a Zope application running. When I kid-click on one button, it actually locks Zope up. This error does not happen when I run Zope in single-thread mode. So, for the bug seems to come from Zope thread dead-locking. snip My Zope is 2.1.6. More info: it happens both with Netscape and IE. More info: when kid clicking on the webpage, actual requests are sent to the Zope server, I see from the terminal 4 lines about 2000-06-30T00:29:43 PROBLEM(100) ZSybaseDA Changed database context to 'master'. Changed database context to 'mydatabase'. and it then goes into deadlock. Not sure whether it's Sybase or Zope problem. The quick way to determine this: install a fresh Zope without SybaseDA installed and see if you can reproduce the kid-clicking behavior. Another thing potentially to look at: there is problem with Sybase connections that I have run into before where if you have a request that runs a transactional query, then a non- transactional query, then trys another transactional query you get a hang :( I don't know if this could be the case here, but if so you might want to look here for more info: http://classic.zope.org:8080/Collector/1059/view Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] 2.2b3 hangs a lot
been running 2.2.0b3 for a few days now. config redhat6.1 postgres ZPygreSql kmnetnews after some time, zope just hangs. when i do top, there's no processor usage at all on all python processes. after a few minutes, zopes wake up and continue to serve. the cycle continues after some time. the hangup is very sporadic. snip If you look at the server logs when it hangs, do you see any pattern as to what was requested when this happens? I haven't been hearing of any hanging issues with the 2.2 betas, which makes me suspect that something specific to this site may be in play here. The fact that it comes back to life on its own after a while makes me think that this is either a very strange system issue or tied up with something that has a timeout (for ex. is it possible that a query is trying to run, timing out against the postgres database?) If the PygresSql DA is not fully thread-safe then I could imagine this as a possiblity. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] wierdness with 2.2, Security, and manage_addProduct[' ']..
Why won't this work in Zope 2.2? Make a DTML method containing: dtml-with "manage_addProduct['ZCatalog']" dtml-call "manage_addVocabulary(id='doofus')" /dtml-with I cannot find a way to make the security system let this through. snip I've pretty much convinced myself it's a bug in the 2.2 security system... Anyone? Brian? It is (or rather was). The fix is in beta 4, out late today/ early tomorrow. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Patch to DateTime.py
The people who want this site want the local time, not UTC+0 that strftime enforces. So, I created a tiny patch which adds _.DateTime().strfltime(), which works identically, except it passes LOCALTIME instead of GMTIME. It's tiny, it's simple, but it's REALLY HANDY! Curtis - Please submit this to the Collector http://classic.zope.org:8080/Collector/ ...as a feature request w/patch. Patches posted via email tend to get lost in the rushing current of the lists :) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.2.0 beta 4 released
Hi all, Zope 2.2.0 beta 4 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0b4/ This release includes fixes for a number of bugs found in the beta cycle, including a fix for the recent database packing issue. It also contains updated online help and API documentation. I expect this to be the last beta before 2.2 final. For more information, see the CHANGES.txt file for the release: http://www.zope.org/Products/Zope/2.2.0b4/CHANGES.txt If you are still using a 2.1.x version of Zope, be sure to see the document upgrading to Zope 2.2: http://www.zope.org/Products/Zope/2.2.0b4/upgrading_to_220 for information on the recent changes to the Zope security model and other upgrade information. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] data record exceeds transaction record
It's not a server or a hardware problem because I tested my data.fs on another hardware,machine. As well as it's not a another file in zope, because I tested that data.fs on zope linux, and zope windows. So it's really inside data.fs The data file is definiately corrupted. That's what the error tracsbeack says. It's a "FileStorage.CorruptedTransactionError". The question is how the file got that way. Johnathan, A few days ago R. David Murray posted this to you: This may not be of any help, but I got this kind of error when I was trying to build a Zope site on a computer that had one of the bad Intel motherboards. I banged my head agaist the wall hard before I finally figured out that it was a hardware problem... Have you verified that you're not running into the same problem (or same sort of problem)? Its easy enough to fix a corrupted database, but it will do you no good if you actually have a hardware problem because it will just happen again eventually. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Beta -problem
while starting Zope this morning I got this message.Yestersday I installed the newest beta. -Traceback (innermost last): snip import sys, ExtensionClass, TimeStamp, cPersistence, Persistence ImportError: No module named ExtensionClass Are you using a source or binary release? If you are using a source release you need to follow the installation instructions to build the binaries... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope patches or update for Python 2.0?
Does anyone have a patch for Zope (any version = 2.0) to enable it to run reliably under the latest versions of CVS in the SourceForge repository? The decision was made to tighten up both the multi-arg append and multi-arg connect items. I was hoping someone else had already gone through the code and fixed all these items, saving me the time. Hi Skip - I would suggest trying 2.2 beta 4. I think that all of the multi-arg append()'s are out of that (not so sure about connect()'s, but I think some enterprising folks are using it with the new stuff). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope patches or update for Python 2.0?
I would suggest trying 2.2 beta 4. I think that all of the multi-arg append()'s are out of that Not quite. I currently found 3 events. I will send apropriate patches to Collector today. I promise that will check all of Zope sources for append() incompatibility (without non-standard Products of course :). Maybe for socket.connect() too. Great - if you hunt 'em down, I'll make sure the fixes get in for 2.2 final. thanks! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] upgrade to 2.2 zsql authentication problem
I create a zsql method in 2.2b4, using the test tab the zsql method works ok. The problem is when I use a dtml method or document (executable objects) to call the zsql method with a IN statment, a not authorized browser box appears. I'm aware of the ownership changes but on my port I'm having this problems only with zsql methods so I wonder if this is only related with this product before diving into the ownership issues. Julio - I can't reproduce this here (using the Gadfly db connection and DTML that looks like: dtml-in getdata dtml-var item_id, dtml-var item_name, dtml-var item_desc br /dtml-in Can you tell me: o What db connection you are using o What the dtml of your in statement looks like o the permissions on the DTML method, the DB connection and the SQLMethod you are calling o and the ownership settings of each of the above? Thanks! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] testing for local roles
Well, while we're on the subject of AUTHENTICATED_USER.has_role, I've just come upon an error that just popped up all of a sudden in an SQL query that was working fine before. The problematic line is: dtml-if "AUTHENTICATED_USER.has_role('Manager',this())" and the error I get when trying to test it is: Error, exceptions.NameError: AUTHENTICATED_USER snip Another query in the same folder uses the exact same if statement, and works fine. I am running 2.2b4. Can anyone suggest a solution? Aaron - Are you passing AUTHENTICATED_USER as an argument to the query that is working (and not doing so on this one?) Remember that SQL methods don't automagically get the same namespace that DTML does - the only things it can use are attributes that are named in the arguments list (this is to prevent names that are coincidentally the same in a REQUEST form or something from being inserted into queries). One common way of doing what you want is to add REQUEST to the arguments list of the SQLMethod and use: dtml-with REQUEST dtml-if "AUTHENTICATED_USER.has_role('Manager',this())" select * from data /dtml-if /dtml-with Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope 2.2 final released!
Hi all, Zope 2.2.0 final has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.0/ Many thanks go to all of those who have worked with the alpha and beta releases and helped work through the more than 110 (!) issues that have been closed since Zope 2.1.6 came out. The Zope 2.2 release includes: - The new security policy implementation and object ownership that addresses the server-side trojan issue: http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan - The new online help system which provides context-sensitive help for all Zope management screens and includes Zope API documentation - A built-in Zope tutorial to get new users started with Zope - Basic internal support for mountable object databases - A new "history" tab for selected objects that provides access to previous revisions through the web - Better performance on many systems as a result of setting a more appropriate value for the "check interval" of the Python runtime - Many, many bugfixes! For more information on what is new in Zope 2.2, see the CHANGES.txt and HISTORY.txt files for the release: - http://www.zope.org/Products/Zope/2.2.0/CHANGES.txt - http://www.zope.org/Products/Zope/2.2.0/HISTORY.txt Note that there are important changes to the security model in Zope 2.2 that both site maintainers and Zope product developers need to be aware of. Site maintainers should read the document "Upgrading to Zope 2.2.0" for important information on upgrading their Zope sites: - http://www.zope.org/Products/Zope/2.2.0/upgrading_to_220 Product authors should read the "Product author's guide to Zope 2.2+ security" to learn about the changes in 2.2 that may affect their products: - http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide Enjoy! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Hot fix and 2.20
Do I have this right? I do not have to install the hot fix if I just installed the recently released version 2.2.0 final. correct? -mjm That is correct - the hotfix is only required for sites running versions prior to 2.2. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Announcing dev.zope.org
Hello all, For some time now, it has been a goal of ours to open up the Zope development process. Some of you may have heard me promise this at the Zope track back in January. Well, it took a little longer than I had hoped it would, but I'm happy to announce an important step in making that a reality: http://dev.zope.org. dev.zope.org is the place for discovering, initiating, and contributing to work on the core Zope platform and related Zope technologies. You can think of it as the rough equivalent of what Mozilla.org is to Mozilla. Why has it taken so long? Because there is much more to "opening the development process" than simply doling out CVS access. Evolving a relatively large and complex piece of software like Zope is a non-trivial task, and doing it in a highly distributed environment is harder still. The dev.zope.org site will provide the background materials and tools to ensure that work on Zope is consistent in organization and execution. It will also help those new to Zope development to come up to speed and get involved quickly. There is still plenty to do be done on the site, but it is done enough to start using it so I want to start learning by doing. If you have questions or comments on the dev site, please send them to me at [EMAIL PROTECTED] and CC the zope-dev list (which is where I expect traffic related to dev.zope.org should go in the near term). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] upgrade to 2.2 and zsql methods problems
I have the exact same problem. Júlio Hi guys - For those of you (I've mostly heard ODBC adapter users) having authorization problems with your SQL methods, heres the scoop: Database connections use one of two classes in the framework for wrapping up result data returned from queries. One of those classes (that understands results in RDB format) was missing a required security assertion. The results returned by the ODBC adapter were bitten by this - probably there are other adapters that could be affected. I've attached a patch file for the file: lib/python/Shared/DC/ZRDB/RDB.py ...as well as an updated version of the whole file (since I know a lot of you will be on Windows w/o patch :) Either patch or replace the file and restart Zope to fix the problem. This is also checked in for a 2.2.1 release that will probably happen after a few weeks when enough people have upgraded to shake out any other problems. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com RDB.py RDB.py.patch
RE: [Zope] SECURITY ROLES and DTML-IN
I am having trouble rendering a DTML IN in ZOPE 2.2.0 to any user regardless of roles. I have allocated the proper rights to all objects used and nothing happens. The IN will not let any user view its contents. Theodore - I bet you're running into the same problem as the folks using the ODBC adaptor. I've attached the post I made addressing this a few minutes ago. If this fixes your problem, could you send a note to the zope-list and let the folks there know that the fix works for the Oracle DA too? (I'm going out of town today, so I won't be able to forward it if you only reply to me) Thanks! Hi guys - For those of you (I've mostly heard ODBC adapter users) having authorization problems with your SQL methods, heres the scoop: Database connections use one of two classes in the framework for wrapping up result data returned from queries. One of those classes (that understands results in RDB format) was missing a required security assertion. The results returned by the ODBC adapter were bitten by this - probably there are other adapters that could be affected. I've attached a patch file for the file: lib/python/Shared/DC/ZRDB/RDB.py ...as well as an updated version of the whole file (since I know a lot of you will be on Windows w/o patch :) Either patch or replace the file and restart Zope to fix the problem. This is also checked in for a 2.2.1 release that will probably happen after a few weeks when enough people have upgraded to shake out any other problems. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com RDB.py RDB.py.patch
[Zope] Your feedback: what should DateTime strftime() behavior be?
Hi all - There has recently been some confusion over the expected behavior of various approaches to DateTime formatting in Zope regarding timezone representation. I would like to resolve this for the next release by making a proposal and asking you to reply to the list with a "vote": +1 == agree +/-0 == no strong opinion -1 == disagree So then, here is the situation. In Zope 2.2 (and earlier), formatting a date using either: dtml-var theDate fmt="%A, %B %d %Y, %H:%M:%S" dtml-var "theDate.strftime('%A, %B %d %Y, %H:%M:%S')" ...would give you the date *formatted based on GMT rather than the timezone (usually local) representation of the object*. Simply doing: dtml-var theDate ...however, would print the date in the current timezone of the datetime object. Many feel that this difference is unintuitive and a pain. The proposal is that both: dtml-var theDate fmt="%A, %B %d %Y, %H:%M:%S" dtml-var "theDate.strftime('%A, %B %d %Y, %H:%M:%S')" ...would be changed to apply the format to the current TZ representation of the object rather than convert to GMT. Of course, this could be a problem if there are people currently counting on the output being GMT, which is why we're putting it to a vote. If this change is made for 2.2.1, those who still wanted the output in GMT could just call the 'toZone()' method of the datetime object to get a GMT version before formatting: dtml-var "theDate.toZone('GMT').strftime('%A, %B %d %Y, %H:%M:%S')" What do you think? Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Your feedback: what should DateTime strftime() behavior be?
| -1 == disagree You will only ever see votes from people wanting change... apathy rules otherwise. Then when it changes you'll see a whole bunch of bitching about the change, and how there's 1,000 people on the list and only 20 people voted... etc. d8) Mailling list votes are often a bad idea... I don't know of a better one though :( We have exactly the same problem in the Real World, of course. The alternative is to have some arbitrary group trying to guess the right decision, which will (of course) always lead to an equal or greater amount of bitching :) I'll be moving off the list to some sort of web-poll, but the fact will remain that those who only become opinionated after the fact will never be happy :) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] permission settings do not work like expected
I use zope 2.2.0 and I've got a problem with permission settings. When I try to limit the permissions for user to add only on type of objects to a folder then I get always two types back: - the one, which I like - and "Z Gadfly Database Connection" I just fixed this today - it turned out that all older products that don't use the 'initialize' method in their __init__ (in other words, that use the old implicit way of initialization) weren't correctly screened in the add list. The fix will be in the next release. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] webdav q
Goliath has locking support, but disables that feature when talking to a Zope server. Also I was fiddling with Zope versions, but the webdav client seems to slip content underneath the versioning interface in Zope. I was wondering if it would be possible to make Zope version map into the webdav concept of locking, or does Zope have a concept of locking? You have hit on exactly the reason why we didn't implement DAV level 2 locking yet :^) It would have been relatively simple to do so, but it would have been in a way that only DAV clients would respect locks. In an environment where people may be changing content via HTTP, FTP, DAV, xml-rpc, in versions, etc., it seemed like it would be better to think harder about the 'locking problem' and what would make the most sense given all the things going on. Unfortunately we haven't been able to get back to thinking about that yet. I'd love to see someone take up the mantle for this on dev.zope.org though :^) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] AArgh. Zope-2_2-branch and head of CVS breaks SQLMethods.
Thanks Anthony - I've checked in a fix to the 2.2 branch and the trunk. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com -Original Message- From: Anthony Baxter [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 10, 2000 6:40 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [Zope] AArgh. Zope-2_2-branch and head of CVS breaks SQLMethods. Aha! Nailed it. It's the 1.131 version of OFS/Application.py cvs log entry: revision 1.131 date: 2000/08/02 17:31:54; author: brian; state: Exp; lines: +71 -46 branches: 1.131.4; Merged fix for products with old-style initialization not being properly filtered by permission in the filtered add list. Ok, the problem is that when it sees an initialize() method, it stops looking for other stuff. ZSQLMethods has a __methods__ thing, tho. Oops. Patch appended to make it always look for __methods__. Note that it doesn't break ZSQLMethods from working, just from being added or edited. Argh. This would've been much easier to figure out if I hadn't managed to confuse myself (tooo many installations of zope, all slightly different - need to make it better :) Anthony Anthony Baxter wrote The current Zope-2_2-branch and head of CVS is busted - you cannot add or edit SQLMethods. It appears that Products.ZSQLMethods.__init__.__methods__ doesn't get into the namespace of the product properly, as neither the add or edit screens can see SQLConnectionIDs. Blah. More to come - I'll try to figure out why it's broken, and when. Anthony ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] SECURITY: Zope security alert and hotfix product...
Hi all - We have recently become aware of an important security issue that affects all released Zope versions prior to 2.2.1 beta 1. The issue involves the fact that the getRoles method of user objects contained in the default UserFolder implementation returns a mutable Python type. Because the mutable object is still associated with the persistent User object, users with the ability to edit DTML could arrange to give themselves extra roles for the duration of a single request by mutating the roles list as a part of the request processing. While we know of no instances of this issue being used to exploit a site, we *highly* recommend that any Zope site running versions of Zope prior to 2.2.1 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges. A hotfix for this issue in the form of an add-on Zope product has been made available on zope.org. To install the hotfix, simply download and install the package as you would any other Zope add-on product (extract it in the root of your Zope installation). Remember to restart your Zope installation for the hotfix to take effect. http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tg z The hotfix will work for all versions of Zope 2.0 and higher. The forthcoming Zope 2.2.1 beta 1 release will contain the fix for this issue, and you be able to uninstall the hot fix after upgrading to 2.2.1 beta 1 or higher (though nothing bad will happen if you don't uninstall it). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.2.1 beta 1 released
Hi all - Zope 2.2.1 beta 1 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.1b1/ This release contains many bug fixes, including the fix for the recently announced security issue. It also includes fixes to the ZODB code for supporting object databases over 2GB (provided your platform supports large files). For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: http://www.zope.org/Products/Zope/2.2.1b1/CHANGES.txt http://www.zope.org/Products/Zope/2.2.1b1/HISTORY.txt Note that we have also posted "diff" updates as .tgz files that will let you easily upgrade an existing 2.2.x site. These updates are available for those currently using the 2.2.x source release or the 2.2.x binary releases for either solaris or linux. To apply a differential update to your site: - download the appropriate .tgz file from zope.org - shutdown your Zope process - copy the .tgz to your Zope directory and extract it - run w_pcgi or wo_pcgi *if you are not using a binary release* - restart your process Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Hotfixes: serious suggestion
I already wrote it to DC but got no response, so I will try to get some feedback here. Who did you send it to? I don't recall seeing it... At the moment DC uses the north american way of expressing dates and assigns them in this form to the names of the Hotfixes. I propose another naming scheme and will explain the reasons below. The current format is Hotfix_08_09_2000, my proposed format is Hotfix_2000-08-09. This is the ISO 8601 format (abbreviated form). That sounds reasonable. We'll move to this for future hotfix releases. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope is very slow!
I am pretty sure (61%) that in the original release of 2.2.0 there was something about a speed increase. One talked about on single processor (20-40%) and the other was dual processor (60-80%). It partly has to do with that "one line of magic code" in the z2.py. Ethan? Paul? DC? Care to shed some light? The speedup involves changing sys.checkinterval, which controls the interval (# of bytecodes) at which the Python runtime performs certain housekeeping chores. For multithreaded programs, upping this interval can cause a significant performance improvement (more about this on python.org in the sys module docs). 2.2 sets the interval to 120, a value that seemed to provide a general speedup across a number of systems I tested. Granted, this is not very scientific, which is why there is an '-i' option to z2.py that allows you to pass your own values for the interval to experiment and find a sweet spot for your given environment (see the z2.py docstring / command help). else changed I didnt see? I noticed that 2.1.6 wasnt making the best use of dual processors. I thought only ZEO would make good use fo dual processors? Note that effective use of multiple processors is mostly a function of the Python runtime (specifically the global interpreter lock) rather than an issue that Zope can address directly. So yes, ZEO is the best way to make effective use of MP. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: updated Hotfix release for recent mutable object issue
Hi all - We recently made a Hotfix release to address an issue dealing with Zope APIs returning mutable objects that could be changed inappropriately from DTML (Hotfix_08_09_2000). After further investigation, there was another aspect to the problem that was not addressed in the recent hotfix. I've uploaded a new hotfix release (Hotfix_2000-08-17) that supercedes the one from the 9th and includes the extra fix required. http://www.zope.org/Products/Zope/Hotfix_2000-08-17/ If you run a Zope site and allow untrusted users to edit DTML on your site, you should install this updated hotfix. There is no need to uninstall the prior hotfix release. These fixes will also be in the 2.2.1 release, expected next week. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] review waiting for 3 days!!!
Yellow ppl at DC, Is everybody on holyday at DC? :-) I've a some reviews waiting for 3 days now to be validated on zope.org Maybe there's a lot more reviews waiting from other guys. We've been offline since sometime Monday due to network problems :( We're back on now. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] QSurvey 0.23 and Zope 2.2.1b
Error Type: Permission mapping error Error Value: Attempted to map a permission to a permission, Add QSurveyResultsItems, that is not valid. This should never happen. (Waaa). I believe I saw a message that said that this bug would be fixed in 2.2.1 final (which presumably means you can get the fix by checking out the CVS version of Zope). Search the archives... That's right - or you can wait 'til tomorrow when I hope to make 2.2.1 final :) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] RE: [ZOPE Collector] Zope Bug entry: An alt attribute of img element inserted by Image objectsent inserted by Image objects
It's not required, actually, just recommended, and a filename is better than NOTHING, which is what he proposed. I'd definately be -3 on this one. Actually, I'd rather see BORDER=0 be the default. I've yet to find a single person who wants a border on their images... Chris 1. 'alt' IS required, look at DTD: !ATTLIST IMG src %URI; #REQUIRED -- URI of image to embed -- alt %Text;#REQUIRED -- short description -- 2. The way you want every single image will leave some garbage on the screen when you browse with Lynx, even if it has only meaning for GUI browsers. Ok - I propose that image.tag() and .__str__ will: o use the content of the 'title' property if defined o otherwise generate alt="" o include border="0" by default Unless people complain loudly, I'll put on the benevolent dictator hat and have this is 2.2.1 (should be out tomorrow) :) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.2.1 released
Hi all, Zope 2.2.1 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.1/ This release contains many bug fixes, including the fixes covered by all Hotfixes to date. Special thanks go to Dieter Maurer, Adam Karpierz, Jeff Sasmor and others who have been prolific patch submitters over the last few weeks. For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: http://www.zope.org/Products/Zope/2.2.1/CHANGES.txt http://www.zope.org/Products/Zope/2.2.1/HISTORY.txt Note that we have also posted "diff" updates as .tgz files that will let you easily upgrade an existing 2.2.x site. These updates are available for those currently using the 2.2.x source release or the 2.2.x binary releases for either solaris or linux. To apply a differential update to your site: - download the appropriate .tgz file from zope.org - shutdown your Zope process - copy the .tgz to your Zope directory and extract it - run w_pcgi or wo_pcgi *if you are not using a binary release* - restart your process Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] problem on newly installed Zope2.2.0: I have lost a folder
does this error means something for you: 2000-08-31T14:06:05 ERROR(200) ZODB Couldn't load state for '\000\000\000\000\000\000\014\021' Traceback (innermost last): File /home/sms/Zope_220/lib/python/ZODB/Connection.py, line 447, in setstate SystemError: Failed to import class MEM from module __main__ It means that the object can't be unpickled because the module that the objects class is defined in cannot be imported. Whatever product / python code defines the MEM class is probably installed in your old instance but not in your new instance... Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Python, persistent objects and caching
I'm developing a Python-based product that uses persistent objects in ZODB to store its configuration. No surprises there, but my product is also using volatile attributes to do a bit of caching of its own. The thing is, when ZODB takes a sweep every 60 seconds to flush it's own cache it will quite often flush my product as well, essentially rendering my 15 minute caching ineffective. If there a way I can prevent this from happening? References: http://www.zope.org/Members/MikeP/volatile http://www.zope.org/Members/Zen/tips/VolatileAttributes Soren Roug One approach would be to cache your data in the module's namespace. For ex: mycache={} class MyClassThatKeepsGoingAway: ... def get_data(self, id): if mycache.has_key(id): return mycache[id] else: ... Note that my example is a little contrived, since using a module variable means that you will have to implement this in a way that is safe for a multi-threaded environment. You will also want to make sure that your module-level cache doesn't grow forever and take up a lot of memory. Hope this helps! Brian Lloyd ([EMAIL PROTECTED]) ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope 2.2.1 Solaris 8 dumps core
I've downloaded the src of Zope 2.2.1 on my UltraSparc running Solaris 8, built it ok, but when I try run ./start it it dumps core with a segmentation fault. Is this problem known? Anything I can do? I am completely new to both Python and Zope ... I don't know of any problems inherent to running on Sol8. It seems like maybe it could have something to do with your Python installation. One way you could test that is to cd to the lib/python dir of your Zope installation, start your local Python interpreter and try: import ExtensionClass Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] how to change the 'Zope' realm/resource??
Steve Drees wrote: WHat if we want to change the realm dependent on the folder? I.e. Is there a way to change this at run-time? I'd love to know the answer to this one too :-) Chris The realm is currently an attribute of the RESPONSE object. There is a 'realm' class attribute which provides the default realm - you could either somehow change this as needed (which may be sort of hard, especially since unauthorized usually gets raised before user code ever gets run), or change the default class attribute. You could change the default class attribute by either: - hacking the code (bleah) - or maybe better, create a "product" in your lib/python/Products (say RealmHack). The product dir would only have an __init__.py file that looked like: import ZPublisher.HTTPResponse ZPublisher.HTTPResponse.HTTPResponse.realm='whatever' ...which would allow you change the default class attr without hacking the code itself. When your product gets imported (at startup time), your realm would be used. Note that wouldn't help with "per folder" realm changing. I'm open to suggestions on that. One way I suppose would be to subclass Folder and implement an extended version of __bobo_traverse__ that changed the realm upon traversal. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] zope 2.2.1 and python 1.6
i couldn't find anything in the list archives or the docs about python 1.6 from python's site, it looks like there are a lot of changes that could break code. can i run zope 2.2.1 on python 1.6 or should i stick with 1.5.2? thanks, -jon Hi Jon, I've seen some people report using 1.6 successfully with Zope - at this point I can't recommend doing that for a *production* site, since while it may *work* we still need to assess some things regarding their impact on security. For example in 1.6 strings have methods, which may or may not have an impact on DTML safety. This is also the case for Python 2.0. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Clean Zope source patch
I need to patch Zope source code to make an I18N module of my own work. The function I need to patch is Publish.py in lib/python/ZPublisher (only the publish function). I'd like to to it a 'clean' way, that is, without modifying the actual source code. To achieve this, I can copy the publish function into MyPublish.py, patch it, and, somewhere in the Zope source file hierarchy, put something the following statement : ZPublisher.publish = MyPublish Well, huh... This is theory. It doesn't work because I don't know where ZPublisher is actually imported into Zope, and, thus, where my affectation will really take effect. Does anyone knows how to do this ? Or perhaps someone knows a better way to "cleanly" patch Zope source ?. An ideal way to do "guerilla patching" like this is with a Product. This is in fact how HotFix products work. At Zope startup time, the Zope machinery tries to import each package in lib/python/Products. So you can create your own "product" which is nothing more than a package with an "__init__.py" that performs the replacement. For example, create a directory "I18NHack" in your lib/python/Products and a file therein "__init__.py" (along with your MyPublish module). The __init__.py would look something like: from MyPublish import publish import ZPublisher.Publish # replace the original publish function... ZPublisher.Publish.publish=publish This way you don't modify any Zope source and can pretty easily manage and distribute your patch. Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] FYI: Python product tutorial updated
This tutorial looks great...it explained a lot of things to me that I wasn't able to put together before. But...on looking at it, a nagging thought keep recurring...this is a really quite long and complicated process for a Poll product. As much as I like Zope and thing it is a great platform on which to develop web applications, I often wonder about the complexity and obscurity of some of the procedures that need to executed while making what are, on the face of it, often quite simple web objects or applications. Consequently I have honestly had quite a hard time convincing PHP-savvy colleagues that the path to Zope Zen is something worth starting on. Does anyone else experience these nagging doubtful thoughts occasionally ? I think yours is a valid criticism. Zope provides the infrastructure to do a lot of powerful and complex things, with the downside that (currently) as a developer a lot of the details are "in your face". One major goal I have for Zope going forward is to strive for "optional complexity" - not only for day-to-day use of Zope but also for component developers. I'd be very interested to hear any ideas you folks have on ways to help "make simple things simple" for development and to allow people to deal with complexity only as they begin to need it... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] status of SOAP for Zope?
MS has released ROPE for client-side SOAP development (finally). I can't seem to find anything in Zope for doing SOAP, but it was announced in Dec 1999 as "upcoming". What is the status of SOAP on Zope, I need to know if I can use ROPE.. Hi Brad - SOAP is still something we want to do, but it is on hold right now (we just don't have the resources at the moment). I've been hoping that someone might take the lead and start a project on dev.zope.org, but so far that hasn't happened :( Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] status of SOAP for Zope?
Okay, has anything been done at all? Where would I start? What's left to do? Petru Paler contributed some preliminary work: http://classic.zope.org:8080/Collector/1360/view While I think that this is a good thing and I'm glad he did it, I think that experience has shown that just suddenly making *everything* available via a new protocol (xml-rpc, SOAP) is not really the right approach. There are a number of people who have recently voiced their (legitimate) concern that by default *practically everything* on their site is xml-rpc enabled - and they have no easy way to turn it off or make things selectively available. This is a very important point - I think people would rather be able to implement SOAP services selectively rather than by One Big Switch that may expose just about anything. I would very much like to see a project started on dev.zope.org that starts off by drafting a "user manual" that describes how SOAP services would be implemented from the standpoint of a Zope developer. This would give us a good way to come to agreement without worrying about code just yet. Some attention should be given to how SOAP services get exposed by other systems at this point (they do *not* just suddenly expose every in-memory object to SOAP). We should also anticipate some of the work being done in "discoverability" of SOAP services in our draft (which I think will affect how you go about "defining" a Web service. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope in Windows is faster than Linux ???
Concurrency Level: 25 Time taken for tests: 1.807 seconds Complete requests: 1000 Failed requests:137 (Connect: 0, Length: 137, Exceptions: 0) Non-2xx responses: 864 Total transferred: 660974 bytes HTML transferred: 473471 bytes Requests per second:553.40 Transfer rate: 365.79 kb/s received Linux Concurrency Level: 25 Time taken for tests: 7.688 seconds Complete requests: 1000 Failed requests:0 Total transferred: 595000 bytes HTML transferred: 396000 bytes Requests per second:130.07 Transfer rate: 77.39 kb/s received There's a big difference in the number of requests per second, four times more in the Windows machine. Anyone knows why? Does it mean that Zope running in Windows is better than in Linux? No - look at your results. Every request failed on the win32 box (and they all succeeded on linux). You have some sort of problem in your windows setup, and you'll always get higher throughput for errors than you can for completed requests... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] GET requests in Medusa web server
Why does the Medusa server in Zope not handle GET requests which specify a full URI? For example, if I have a web server running on web.mydomain.com, and I want to get a file called "file.html", doing a GET request of the form GET http://web.mydomain.com/file.html HTTP/1.1 gives me a 404. Doing a GET of the form GET /file.html HTTP/1.1 works fine. If I understand RFC 2068 correctly, a HTTP 1.1 compliant server is expected to handle both cases (5.1.12 of RFC 2068) ... Hi Sean - What version of Zope are you seeing this with? I seem to remember fixing something along these lines fairly recently. Is it still the case in Zope 2.2.2? Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Re: [Zope-dev] Task, Job or Operation?
Unsafe has also been proposed. I do not like this either because it is not accurate. Simply because something dangerous, foolish or stupid can be done using this method type does not mean it will be. Are we to label all objects "unsafe" simply because of the capacity of harm? Safety is in the hands of the programer. I agree with this vehemently :) Would you want to use "unsafe C++" or "unsafe Java"? I think "restricted" and "unrestricted" are clear and concise. This is not about "safety" per se, but about capabilities. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Verify Watermark.
In Zope2.1.6 there was a function called 'verify watermark' in module Accesscontrol.User. This function seems to have gone in the 2.2.2 release. My question: Is there any direct replacement for this method ? Or at least a some kind of equivalent code ? verify_watermark was an interim step in dealing with some security things that have since been superceded by the new SecurityPolicy architecture (see: http://www.zope.org/Members/michel/Projects/Interfaces/SecurityPolicies You shouldn't need verify_watermark in post-2.1.6 code. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] XML Document DTML's tree, HiperDOM
The answer to these questions and more can be found at dev.zope.org. The fishbowl keeps better track of projects than any human. The tempation to say "and the fishbowl confuses more humans than any project can keep track of" was to great ;-) It's not actually true, I guess, except for me. I went and had a look at the HiperDOM project and couldn't make heads or tails of what the status was. That put me off even looking for session tracking... Note that the Fishbowl is still somewhat immature - the specific problem of finding out the status of things is something I'm working on (albeit slowly, unfortunately). Very Soon Now there will be some built-in support to help this. In the meantime, project leaders will need to go the extra mile to try to make it clear to readers where things stand. There is, after all, a "CurrentStatus" page dedicated to this. If the CurrentStatus is empty or clearly out of date, readers of the project should prod the project leader about that (their contact email should be in the project). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.2.3 released...
Hello all - Zope 2.2.3 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.3/ This bug-fix release contains the fixes for all released Hotfixes to date, as well as fixes for a memory leak in the Acquisition module, various ZCatalog fixes and a fix for the infamous "__call__" bug (and there was much rejoicing!). For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: http://www.zope.org/Products/Zope/2.2.3/CHANGES.txt http://www.zope.org/Products/Zope/2.2.3/HISTORY.txt Note that we have also posted "diff" updates as .tgz files that will let you easily upgrade an existing 2.2.x site. These updates are available for those currently using the 2.2.x source release or the 2.2.x binary releases. To apply a differential update to your site: - download the appropriate .tgz file from zope.org - shutdown your Zope process - copy the .tgz to your Zope directory and extract it - run w_pcgi or wo_pcgi *if you are not using a binary release* - restart your process Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] RE: ANNOUNCE Zope 2.2.3 release...
FYI - someone has noticed a problem with the posted 2.2.3 release that needs looking into, so I've unlisted it for the time being. I'll send out a note and re-list it after we dig into this a bit... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] RE: ANNOUNCE Zope 2.2.3 release...
Oh no, not this one again ... How good that I learned my lesson from the infamous 2.1.x series, when you always replaced or withdrew the latest bugfix release due to "some errors" right after we had updated all our servers ... I think "always" is a bit strong... What about having a "beta" phase for every release, even the x.x.x ones? I think that is reasonable - in practice I have found that many people tend not to upgrade until something is declared "final", but your point is taken and a little feedback is better than none. I'll make Monday's release 2.2.4 b1. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] RE: ANNOUNCE Zope 2.2.3 release...
How long before we end up with 2.2.4 a3 and 2.2.4 b1 with no-one really knowing what's going on? Taking what is effectively another point onto the version number doesn't really help. I can only think of 2.1.7 that was withdrawn, and as long as 2.2.4 comes along pretty swiftly, there shouldn't really be a problem, should there? Well, some people perceive it to be problem (and I can't really blame them). What we _really_ need is some regression testing infrastructure. We have started taking some baby steps in that direction with the inclusion of PyUnit, but it will take some time and resources to get a meaningful amount of tests. Hopefully the recent Good Things happening here at DC will mean that the necessary resources will become available to make that happen. In the meantime, since Brian is a poor regression test rig, I plan to have a (generally very short - like a week) beta period for third-dot releases. One beta should usually do it, and it will allow at least for more coverage than I can easily contrive from my desktop as a sanity check. When the test infrastructure is more mature we could revisit this though. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] ANNOUNCE: Zope 2.2.4 beta 1 released...
I'm not quite sure wether it's me, my system or this beta, but a fresh installation of 2.2.4 beta 1 says: exceptions.AttributeError ... line 140, in index_html (Object: zope_button.jpg) AttributeError: _p_mtime Actually, none of the images in p_ is accessible Thanks - that is fixed for final. Let me know if you see anything else... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Speaking of Python Methods....
What's the PythonMethod equivalent of: dtml-with callTypes dtml-var "_.getitem(_.str(2)).Name" /dtml-with I should guess: callTypes['2'].Name Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.2.4 (final) released...
Hello all, Zope 2.2.4 has been released - you can download it from Zope.org: http://www.zope.org/Products/Zope/2.2.4/ This release supercedes the 2.2.3 release, which had an error that prevented permissions from being acquired correctly. Until the testing infrastructure that has been started in the 2.3 CVS is more mature and there is a useful regression test rig, we'll be planning for at least one (short) beta period for third-dot releases. This bug-fix release contains the fixes for all released Hotfixes to date, as well as fixes for a memory leak in the Acquisition module, various ZCatalog fixes and a fix for the infamous "__call__" bug. It also contains a fix for a problem in header parsing in the dtml sendmail tag that has affected some users recently. The problem with caching of ImageFile objects (mainly icons in the Zope management interface) in the 2.2.4 beta is also fixed (and verified using the Cacheability Engine (http://www.web-caching.com/cacheability.html). For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: - http://www.zope.org/Products/Zope/2.2.4/CHANGES.txt - http://www.zope.org/Products/Zope/2.2.4/HISTORY.txt Note that we have also posted "diff" updates as .tgz files that will let you easily upgrade an existing 2.2.x site. These updates are available for those currently using the 2.2.x source release or the 2.2.x binary releases. To apply a differential update to your site: - download the appropriate .tgz file from zope.org - shutdown your Zope process - copy the .tgz to your Zope directory and extract it - run w_pcgi or wo_pcgi *if you are not using a binary release* - restart your process Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] 2.2.4 upgrade query
Further to my paniced posting earlier, I reinstalled 2.2.0, copied over my data.fs* and various products and everything fired up fine but i did one experiment (following on from Chris) - i didnt install zdiscussions. This resulted in major oids errors and my broken zclass as before/ install zdiscussions and bingo i am back in business. so. two questios: 1. why does my zclass appear to require zdiscussions when it is not based on it? Not sure on that... 2. does 2.2.4 contain some parts of what was previously the standalone zdiscussions product? No. The only thing I could think of is maybe some change in the way products are registered or something that affects ZDiscussions badly. I'm just guessing here. Have you tried going from 2.2.0 - 2.2.1 or 2.2.2? If you see the same thing on one of them, that would narrow it down and we could look at the diffs between those releases and see if anything looks suspicious... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] The not-very-Super user
I notice there were some CVS checkins about renaming it to the 'emergency user'. Cool, does this mean you're going to be able to define a manager at install-time? Yes - the whole lame login-as-superuser-create-a-manager-and-relogin process will be gone in 2.3. At install time you'll create a first manager and just use that. A "superuser" will not even exist, unless and until you need it and explicitly create it. Hmmm, if so, what is it that the emergency/super user can do that a normal manager can't? He can un-screw permissions or users if you ever manage to get totally locked out of your site. Think of it as a user mounted in a box on the wall labeled "in case of emergency, break glass". In practice, few should ever have to break the glass. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] The not-very-Super user
I notice there were some CVS checkins about renaming it to the 'emergency user'. Cool, does this mean you're going to be able to define a manager at install-time? Yes - the whole lame login-as-superuser-create-a-manager-and-relogin process will be gone in 2.3. At install time you'll create a first manager and just use that. Yay! As Max asked, any 2.3 timeframe? Python Scripts and no Super User alone make it _very_ enticing :-)) I would reaaally like to see a beta by the end of Dec. - but don't quote me yet. Part of what I'm doing today is figuring what the resource situation looks like. He can un-screw permissions or users if you ever manage to get totally locked out of your site. Think of it as a user mounted in a box on the wall labeled "in case of emergency, break glass". How does this differ from a normal manager and how would you 'create a super user' as you descriebd in the bit I snipped? An example might be: if somehow someone took all permissions away from all of your managers, they'd be out of luck. The superuser could still log in and fix that though. I don't know the exact details of how a superuser is created yet - I expect that you will run zpasswd.py with a special option though (and restart). The relevant install docs will be updated to outline this when that branch is merged. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Zope 2.3 plan updated...
Hi all - We're gearing up for getting a new feature release out so for those interested I've updated the Zope 2.3 plan at: http://dev.zope.org/Resources/zope_230_plan.html The main changes from the prior version are that it is much more detailed, some items have been added and the item for updating ZDOM to DOM level 2 has been dropped (until there is a clearer justification for it). I hope to make an alpha 1 release on Monday the 11th with the new Python Scripts and fixed user bootstrapping, among other things (see the plan for details). Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Zope's default icons not displayed
Yikes, can someone help me out? My browser isn't rendering Zope's default icons on its management screens. I'm running Zope version: Zope 2.2.4b1 This is fixed in 2.2.4 final... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] SECURITY alert and hotfix release
Hi all, Aleksander Salwa has brought a security issue to our attention that affects all Zope versions up to and including Zope 2.2.4. We have released a Hotfix product to address the issue that can be downloaded from zope.org. (Thanks to Aleksander for finding this and to Shane Hathaway for his quick response in resolving it!) The issue involves security registration of "legacy" names for certain object constructors such as the constructors for DTML Method objects. Security was not being applied correctly for the legacy names, making it possible to call those constructors without the permissions that should have been required. This issue could allow anonymous users with enough internal knowledge of Zope to instantiate new DTML Method instances through the Web. The hotfix for this issue is available on the zope.org web site: o http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz We *highly* recommend that any Zope site running versions of Zope up to and including 2.2.4 have this hotfix product installed to mitigate the issue. The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] regex vs ts_regex
Apropos http://www.zope.org/Documentation/How-To/ThreadSafety Am I missing something here? There seem to be a number of places in the current 2.2.4 source where the python regex module is used - not ts_regex, thus apparently violating your advice on thread safety? For example, I was just spelunking through /lib/python/AccessControl/User.py, App/Product.py so I started greping a few subdirectories. DateTime.py uses ts_regex as does OFS/ObjectManager.py but NOT OFS/SimpleItem.py ... Is there some reason why it's ok for some modules to use regex rather than ts_regex ??? It is safe to use it in certain cases where the thread safety problems of the regex internals are not an issue. I think Jim and some others who have used regex purposefully have added a #TS comment to indicate that they have thought through the threading issues before using it. This will be moot in the future - one of the things we'll _have_ to do to move to Python2.0 is become SRE compliant. Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope 2.3.0 alpha 1 released...
Hello all, As promised, Zope 2.3.0 alpha 1 is now available. You can download it from Zope.org: http://www.zope.org/Products/Zope/2.3.0a1/ This release contains a number of important new usability features, and also marks the first release where a substantial amount of the work done happened in the Fishbowl on dev.zope.org. Some highlights of this release: - Python Scripts are now part of the Zope core. Big whopping kudos to Evan Simpson for all of the work he has put into this! Having Python Scripts in the core will allow people to much more easily separate logic and presentation (and get that logic out of DTML!) More information and prototype documentation for Python Scripts can be found in the dev.zope.org project: http://dev.zope.org/Wikis/DevSite/Projects/PythonMethods - The process of creating an initial user at install time has finally been fixed. Before you had to create a superuser, login as the superuser, create a normal manager, logout, then log back in as the normal manager. This was obtuse and caused big problems for newbies who would log in as the superuser and start trying to work immediately (leading to errors since the superuser cannot own objects). This process is now much more sane. Now, at install time a default initial manager (not a superuser) is created. The superuser has been renamed to the "emergency user" and is not even created by default. If you ever have a need to log in as the emergency user, you can use zpasswd.py to create it. - The new security assertion support has been checked in. For more information and an updated version of the "Zope security for developers" guide see the project on dev.zope.org: http://dev.zope.org/Wikis/DevSite/Projects/DeclarativeSecurity - Added new getId() method to SimpleItem.Item. This should now be used instead of referencing 'object.id' directly, as it is guaranteed to always be a method and to always return the right thing regardless of how the id of the object is stored internally. This relieves DTML writers of the contortions they previously had to go through to handle varying cases of 'id' being a method or an attribute. - Improved Ownership controls. Now you simply choose whether or not to take ownership of sub-objects when taking ownership. Implementation details about whether ownership is implicit or explicit are no longer forced on the user. - Unit testing infrastructure for the Zope core. PyUnit has been checked in, and a utility has been added that will allow us to incrementally begin accumulating (and running) test suites. The new testrunner.py in the utilities directory is a basic utility for running PyUnit based unit tests. It can be used to run all tests found in the Zope tree, all test suites in a given directory or in specific files. The testrunner will be used to ensure that all checked in tests pass before releases are made. For more information, see the docstring of the actual testrunner.py module. For more information on what is new in this release, see the CHANGES.txt and HISTORY.txt files for the release: http://www.zope.org/Products/Zope/2.3.0a1/CHANGES.txt http://www.zope.org/Products/Zope/2.3.0a1/HISTORY.txt *Please note* that we do not build binary distributions for alpha releases - the alpha is available as a source release only. When we move into the beta period for 2.3, we will build and distribute binary releases. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] Re: ANNOUNCE: Zope security alert and hotfix release
The hotfix will work for all versions of Zope 2.2.0 and higher. A future version of Zope will contain the fix for this issue, and you will be able to uninstall the hot fix after upgrading. This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix won't work, and that no fix exists. Is that correct, or is the fix simply not tested with 2.1.6 ? Gregor Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for 2.1.6. I'll update that README. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] new 2.2.4 security/role bug ?? (ZCatalog related ??)
The second weird thing (should help for a diagnostic) is : While i have "manager" role (i can do whatever i want on the manage interface), i tried to give a proxy role to my test method, to see if i could investigate further. And trying to change the proxy role raised an execption, despite the fact i have manager role with full autorisations. Didier - Note that 'Manager' does not automatically give you "full authorization". It is only a convention that Manager often has all permissions. This is important, because in Zope 2.2, you can't give a proxy role unless you have *that role* yourself. For example, you can't give the proxy role "Editor" to a DTMLMethod unless you have it yourself (this is true even if you have the "Manager" role). The quick fix here is that you need to give yourself the roles you want to set as proxy roles, and then you will be allowed to set them. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ANNOUNCE: Zope security alert and hotfix release
Hi all - Tis the season for hot - fix - es, fa la la la la, waa waa waa waa... Peter Kelly has brought another potential security issue to our attention that is important enough to make a Hotfix available for those who allow untrusted users to edit DTML on their sites. The issue involves incorrect protection of a data updating method on Image and File objects. Because the method was not correctly protected, it was possible for users with DTML editing priveleges to update the raw data of a File or Image object via DTML though they did not have editing priveleges on the objects themselves. We recommend that any Zope site running versions of Zope up to and including 2.2.4 have this hotfix product installed to mitigate the issue if the site is accessible by untrusted users who have DTML editing privileges. http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz The hotfix will work for all versions of Zope 2.1.x and higher. A Zope 2.2.5 release later this week will contain the fix for this issue (as well as all hot fixes to date) and you will be able to uninstall the hot fix after upgrading. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Editing Property Sheet HTML
The question is ... how do I do it? I'd like to make the default textarea field quite a bit bigger -- but I wasn't able to explore my way to success in the interface, and about 20 mins of seaching has yielded no answers. You could edit lib/python/OFS/properties.dtml, which renders the property management screen. The DTML in there has gotten pretty scary over time though :^) Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] Editing Property Sheet HTML
If I want to make a custom Properties view for a specific ZClass, how do I proceed? Just create an additional method for the class and add it under Views? That's what I'd do. And if I do this, is there any kind of DTML templete (sort of like the default add and addForm methods) that I can work from? And do I need to go this far if I (for example) simply want to change the display order for existing properties? Yes - if you don't like the existing property form, you need to make your own. You should be able to start with the stock properties.dtml source for the new view and make your changes starting from there... Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] [BUG] Background processes interfere with Zope's HTTP responses
How to fix the problem: There should be a (file) control "CloseOnExec", that tells Unix to automatically close the file like object upon an exec. ZServer should probably use it on each of its sockets. I can not see a serious application that should have direct access to ZServer's HTTP request socket. I will soon file a bug report into the Collector. Dieter I'm on the win32 platform and thought that the problem was with my proxy software. Now I'm not so sure. Note that what Dieter is talking about would only affect you if you were spawning an external process that inherited the filehandles of the zope process. Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
RE: [Zope] read_raw() not allowed below root ?
Didier - read_raw() is an internal api that should never have been exposed in the first place (as you've noticed, that hole has since been closed up). You probably want to use the 'document_src()' method, which does what you want and is protected by the 'View management screens' permission. Hope this helps! Brian Lloyd[EMAIL PROTECTED] Software Engineer 540.371.6909 Digital Creations http://www.digicool.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Didier Georgieff Sent: Wednesday, December 20, 2000 10:25 AM To: [EMAIL PROTECTED] Subject: [Zope] read_raw() not allowed below root ? Hello, I have a new problem wich i suspect is related with the weird things i didn't solved yet. I still don't found if it's a misunderstanding about new 2.2 security (like setting a local role ONLY if you have this local role) or a real problem. I have a view_code method (stolen from Yihaw) wich basically look at code, properties, folders and print it. It was working like a charm under 2.1.6. Now on 2.2.4 (with the 12-08, 12-15a and 12-18 hotfix) and TransparentFolder 0.3: * I don't have access to read-raw() (Unauthorized traceback below) , even if i'm manager (and even on folders without local roles) and even with manager as proxy role for this method. * ownership is implicit * and i deleted the remaining "superuser" having a local role on this method. Until i understand what is going on (a bug or a misunderstanding), i guess i'll (gently ;-) flood the list. I'm deeply sorry to post again, but i found no information on the archive (read_raw), the explanations on the new security model didn't ring a bell, so Thanks for any help or tip. Unauthorized You are not authorized to access read_raw. Traceback (innermost last): File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 222, in publish_module File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 187, in publish File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 171, in publish File /zope/2-2-2/lib/python/ZPublisher/mapply.py, line 160, in mapply (Object: view_code) File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 112, in call_object (Object: view_code) File /zope/2-2-2/lib/python/OFS/DTMLMethod.py, line 172, in __call__ (Object: view_code) File /zope/2-2-2/lib/python/DocumentTemplate/DT_String.py, line 528, in __call__ (Object: view_code) File /zope/2-2-2/lib/python/DocumentTemplate/DT_In.py, line 691, in renderwob (Object: objectItems('DTML Method')) File /zope/2-2-2/lib/python/DocumentTemplate/DT_Var.py, line 278, in render (Object: read_raw()) File /zope/2-2-2/lib/python/DocumentTemplate/DT_Util.py, line 331, in eval (Object: read_raw()) (Info: read_raw) File /zope/2-2-2/lib/python/OFS/DTMLMethod.py, line 194, in validate (Object: view_code) File /zope/2-2- 2/lib/python/AccessControl/SecurityManager.py, line 139, in validate File /zope/2-2- 2/lib/python/AccessControl/ZopeSecurityPolicy.py, line 183, in validate Unauthorized: (see above) -- Didier Georgieff DDAF du Bas-Rhin - Cellule SIG 2, rue des Mineurs 67070 Strasbourg Cedex tél : 03.88.25.20.33 - fax : 03.88.25.20.01 email : [EMAIL PROTECTED] SIT du Bas-Rhin : http://www.bas-rhin.sit.gouv.fr GéoWeb http://sertit10.u-strasbg.fr ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev ) ___ Zope maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )