RE: [Zope] Collector status on password change bug?

[Brian Lloyd]

 I see that the "Can't change User Roles without their Password"
 bug mentioned in:
 
 http://classic.zope.org:8080/Collector/1102/view
 http://classic.zope.org:8080/Collector/1134/view
 http://classic.zope.org:8080/Collector/1138/view
 (etc)
 
 is still in 2.1.6 
 
 http://classic.zope.org:8080/Collector/1138/view provides a patch.
 What is the recommended way to solve this long-standing problem?

Kent - the fix for this is in the forthcoming 2.2.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] 2.1.4 to 2.1.6 nightmare

[Brian Lloyd]

  Finally it works. Thanks.
  
  Do you know why DigitalCreations haven't release a patch?
 
 Dunno :S
 
  I guess i'm not the first one getting mad with 2.1.6.
 
 Had us fooled for about a week :(
 
 I think it's all fixed in 2.2 anyway, which may be why no patch was
 released...

That's basically right - it boils down to that releasing a
patch for every bug/feature just doesn't scale. We have made
some internal adjustments to allow our release schedule to be 
much more flexible and frequent than it was, which should 
address this. 

Of course, if having every latest bug fix is of burning importance
to you, you can run from the public CVS - though you are also, of 
course, going to get every latest bug as well :^)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] WebDAV, Web Folders and collaborative work

[Brian Lloyd]

 I am happily dragging and dropping documents between my Zope 
 server and my desktop using the 'Open as Web Folder' facility 
 of IE5. This seems to save me from writing an upload page but 
 not much else.
 
 What I am looking for is a way to prevent others from editing 
 the document whilst I have it.  I thought WebDAV helped with 
 this. Maybe I need to do something with a Version?
 
 have I missed the point?

No - the current incarnation of WebFolders (Microsoft's product) 
does not deal with locking. Office 2K does (it locks a document
while editing it). Zope currently "fakes" locking support as an 
unofficial measure to allow folks to open O2K docs stored in Zope. 

We faked it partly because there was (even fairly recently) some 
disagreement in the DAV group about how locking ultimately should 
work, and partly because DAV clients haven't exactly taken the 
world by storm at this point and that has to be reflected in our 
priorities. Note that even if locking were supported on the Zope
side, I don't think that this would help your situation since 
WF will not lock an object just because you dragged it to your 
local desktop. AFAIK, O2K will only lock something if you open
it directly with O2K.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] is WebDAV a security hole?

[Brian Lloyd]

 Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
 +Zope 2.1.6
 
 And it seems that quite a bit of the stuff that propably shouldn't be
 visible can be seen,
 for example acl_users

What other things are you referring to? (see answer for acl_users
below)

 
 Without being logged in I can start a download of it, eventually IE5
 fails, but I get this uncomfortable feeling that this is more 
 due to IE5
 not handling this document type than anything else...
 
 If I used some other WebDAV client, could I then download 
 acl_users, and
 if so, would this expose usernames/passwords?

It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a 
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One 
could argue that this is lame and that attempting to GET 
.../acl_users/ should raise an error (404?). I'm interested in 
other viewpoints on this - if there is some consensus, a proposed 
change should be put in the Collector.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] is WebDAV a security hole?

[Brian Lloyd]

 Thanx for an informative response!
 
 Btw I tried WebDAV vs. www.zope.org and that site refused the 
 connection
 attempt.
 Is there some obvious setting that I can use to disable 
 WebDAV, since I
 don't need it (as far as I know;)

DAV won't work for zope.org because it runs behind apache and 
we've never done the incantation apache requires to let 
cgi-ish processes handle their own DAV requests.

As far as disabling DAV support, there's no real way to do that
(except for running behind apache or another server that interferes
with DAV requests by default). This really shouldn't be a problem - 
the extended HTTP methods that provide DAV support all basically 
have Zope api corollaries, so the DAV methods are protected by the 
analogous permissions. For example:

PROPFIND  - manage properties
PROPPATCH - manage properties
DELETE- delete objects
MKCOL - Add folders

...and so on. GET, POST and PUT are used by DAV exactly as in 
the HTTP spec, so if you can "download" something via DAV then 
you could also have gotten it with your normal non-DAV aware 
browser.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone conference. conference.

[Brian Lloyd]

  Basically, if a user with manager privileges to a folder changes
  their
  password to be empty, then anyone (from permitted domains) 
 can access the
  management screen for that folder Without Logging On... 
 Zope assumes that
  you are the user without the password and treats you as if 
 you have those
  rights.
 
 This is a feature, but I don't know if or where it is 
 documented besides
 the source code (which is a bug if it isn't I guess).

You're right - it is a feature. You are also right that it isn't 
documented anywhere that I can find :(  I would suggest adding 
this to the Collector (as a 'Documentation Request'). 

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Plea: sequence-item and sequence_item in 2.2?

[Brian Lloyd]

 Hi all,
 Can I make a plea that the .diff patch that Jonothan Farr posted a 
 while back be included into the 2.2 release?
 http://www.zope.org/Members/jfarr/Patches/dtml-in-sv
 
 I have yet to hear a downside to this patch. I second that motion. 
 The patch has allowed me to clean up my code signifigantly.

While I understand your wanting this, the problem is a little 
deeper than just naming consistency.

The sequence-* names were done that way intentionally to avoid 
consuming possible names and avoid clashes in the standard 
namespace, and changing the convention could cause clashes to 
become effective.

Have you looked at the "named dtml in loop" proposal on the DTML 
wiki on Zope.org?

http://www.zope.org/Members/4am/DTMLWiki/NamedDTMLInLoop

I think that this proposal would go a long way toward easing the 
spelling issue as well as solving some other pains involving using 
nested dtml-in loops...




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Wrong mime type sent by Zope on every page

[Brian Lloyd]

  But what if there are side effects to calling the document? 
 What should
  happen? I don't want a counter to go up or anything just 
 because a HEAD was
  called on the object.
  
  This is not as black-and-white and simple an issue.
 
 The web is an imperfect medium, but returning a junk content 
 type isn't
 good.

I'll throw out a proposal on this. It also is not perfect, but 
seems to strike a happier balance. When HEAD is called on an 
object, what currently happens is:

  if a 'content_type' attribute exists, it is used

  else if the object's id seems to have a file extension
  (. in the id), try to use guess_content_type

  else fall back to the hated application/octet-stream 
   (or, I've seen x-unknown-content-type used before,
but I don't know if this is really any better).


What if we change this to:

  if a 'content_type' attribute exists, it is used

  else if the object's id seems to have a file extension
  (. in the id), try to use guess_content_type

  else if there is a 'default_content_type' attribute, use that

  else fall back to the hated application/octet-stream 
   (or, I've seen x-unknown-content-type used before,
but I don't know if this is really any better).

Then we could put a 'default_content_type' attribute in the 
class of dtml documents and methods, which would take care of 
the most common case. Thoughts?

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Wrong mime type sent by Zope on every page

[Brian Lloyd]

 -Original Message-
 From: Dan L. Pierson [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, June 08, 2000 3:47 PM
 To: Brian Lloyd
 Cc: 'Chris Withers'; Martijn Pieters; Andrew Diller; [EMAIL PROTECTED]
 Subject: RE: [Zope] Wrong mime type sent by Zope on every page
 
 Brian Lloyd writes:
   What if we change this to:
   
 if a 'content_type' attribute exists, it is used
   
 else if the object's id seems to have a file extension
 (. in the id), try to use guess_content_type
   
 else if there is a 'default_content_type' attribute, use that
   
 else fall back to the hated application/octet-stream 
  (or, I've seen x-unknown-content-type used before,
   but I don't know if this is really any better).
   
   Then we could put a 'default_content_type' attribute in the 
   class of dtml documents and methods, which would take care of 
   the most common case. Thoughts?
 
 Sounds pretty good.  Setting 'default_content_type' can then be
 another item in the unwritten Guide to Writing a Zope Product.

That's right - I expect that it could be useful for a few products. 
I can see XMLDocuments having a default of 'text/xml', but I suspect
that a lot of products won't really have to care. Things that have 
no real similarity to conventional "pages" (like database connection 
objects, etc.) are probably useless to a robot that works with "pages"
anyway, so they are better off sending a default non-committal 
response like "application/octet-stream".


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope 2.2 beta 1 released

[Brian Lloyd]

Zope 2.2.0 beta 1 has been released - you can download it from
Zope.org:
http://www.zope.org/Products/Zope/2.2.0b1/


This release contains refinements to the new ownership model as 
well as better undo management and many bug fixes. For more 
information, see:

http://www.zope.org/Products/Zope/2.2.0b1/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to 
see the document 
http://www.zope.org/Products/Zope/2.2.0b1/upgrading_to_220

for information on the recent changes to the Zope security model 
and other upgrade information.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope 2.2 beta 1 released

[Brian Lloyd]

 On Mon, 12 Jun 2000, Brian Lloyd wrote:
  Zope 2.2.0 beta 1 has been released - you can download it from
  Zope.org:
  http://www.zope.org/Products/Zope/2.2.0b1/
 
 Either the -src file name is wrong, or the file is wrong, because it
 still says 2.2.0a1.  I think it's the file, 'cause the
 control panel still says 2.2.0a1...
 
 --RDM

Ack - damned autocomplete :^) The right one is there now...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope 2.2 beta 1 released

[Brian Lloyd]

 Trying to run the b1 on Windows, I get the following:
 
 C:\Program Files\Z220b1"C:\Program 
 Files\Z220b1\bin\python.exe" "C:\Program
 Fil
 es\Z220b1\z2.py" -D
 Traceback (innermost last):
   File "C:\Program Files\Z220b1\z2.py", line 524, in ?
 import ZServer
   File "C:\Program Files\Z220b1\ZServer\__init__.py", line 87, in ?
 from medusa import max_sockets, asyncore
 ImportError: No module named medusa
 
 
 Throwing an empty __init__.py file into $Zope/ZServer/medusa 
 solved the
 problem for me.

Ack - apparently something in the win installer thinks that empty
files are not worth preserving :( Note that I've tweaked this and
re-uploaded the win32 beta. If you've already downloaded it, the 
above solution is fine (just create an empty file named __init__.py 
in your ZServer/medusa directory).

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] upgrade from zope-2.1.6 to zope-2.2.0b1

[Brian Lloyd]

 Zope starts ok, but i can't get view or manage the site.  
 here's the traceback
 ---
 
 Traceback (innermost last):
   File 
 /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/Publish.py, 
 line 222, in publish_module
   snip
   File 
 /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/BaseRequest.
 py, line 501, in old_validation
 (Object: broken)
 AttributeError: (see above)
 
 -
 
 i use UserDb for authentication, got a few ZClass of my own, 
 SiteSummary, and a
 few other zope products.
 
 can anyone shed some light ?

It _looks_ like you have a "broken" object in your top-level 
Folder. "Broken" objects are created when Zope has a problem 
unpickling an object (usually because the add-on product that 
defines the class of the object is missing). Are you sure that 
you got all of your add-on products installed (and any other 
dependencies like external methods) copied to the beta install?

Alternatively, it is possible that one of your add-on products 
is incompatible somehow with the beta (if it can't import 
correctly, for example, then objects created from the product 
would be broken). One way you could probably test this theory:

  o shut down your beta installation

  o cd to your lib/python directory and crank up a Python prompt

  o do 'import Zope'. Look for any tracebacks (though the product 
import process will likely consume exceptions when trying to 
import products).

  o for each 3rd party product in lib/python/Products, try to 
do: 'import Products.xxx' where xxx is the product package 
name. If a product cant be imported, you should get a 
traceback for it (please post it if you get one).

Hope this helps!



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] getSize()? was [Zope] Zope 2.2 beta 1 released

[Brian Lloyd]

  After noticing that ZWiki throws an Attribute Error / getSize in
  RecentChanges, I tried a simple
  
 dtml-var "index_html.getSize()"
  
  This works in 2.1.6, but throws the aforementioned exception in
  2.2b1, too. Is this a bug or a feature?
 
 It's been changed to "get_size()".  I don't know whether that would be
 a bug or a feature. ;-)

getSize is deprecated, but since folks are still using it I have
added the alias back in for final.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope security alert and 2.1.7 update [*important*]

[Brian Lloyd]

Hello all,


We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A Zope 2.1.7 release has been made that resolves this issue for 
Zope 2.1.x users. This release is available from Zope.org:
  
  http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your 
Zope installation at this time (the patch is based on 2.1.6):

  http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, 
you should apply the patch noted above if your site is accessible 
by untrusted clients. A forthcoming 2.2 beta 2 release will contain 
the fix for this issue.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients take the appropriate mitigation steps immediately.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Comfirming Hotfix is installed.

[Brian Lloyd]

 Is there any way to confirm that the hotfix has been installed?
 
 I extracted the files and restarted Zope but it would be nice 
 if there was
 a way to confirm that it is installed.

Yes - that is one of the nice side-benefits of doing it this
way: look in the Control_Panel/Products and you will see the 
hotfix product in the listing. Click on it and click the "README" 
tab to view the readme file that describes the hotfix.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Re: Zope 2.1.5/6/7 upgrading issues

[Brian Lloyd]

Hi guys,

First of all, I'd like to apologize for the pain factor here - 
there has been some CM process changes around here and the 
2.1.x branch is suffering as a result :(

I have a proposal, however, that I hope will make this much 
easier. How about if we:

  o release a "Product" today that, if you install it and 
restart your Zope (no matter what version), patches the 
hole at runtime (in memory change only).

  o retract the 2.1.7 release in favor of getting 2.2 beta 2 
out on Monday, which doesn't have the cruft problem of 
the 2.1.x branch and contains all fixes to date (and 
which will fix SQLMethod problems and support the SiteAccess
release that Evan is making today).


I can have the new "hotfix" product ready by 12:00pm EST today.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Updated security alert

[Brian Lloyd]

Hi all -

I've updated the security alert (below). Short story: a new 
"hotfix product" is available on zope.org that will work for 
all 2.0+ Zopes and has no side effects or upgrade implications 
for Zope installations. This feels like a much better model for 
things like this, especially for production sites.





We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A hotfix for this issue in the form of an add-on Zope product has 
been made available on zope.org. To install the hotfix, simply 
download and install the package as you would any other Zope add-on 
product (extract it in the root of your Zope installation). Remember 
to restart your Zope installation for the hotfix to take effect.

http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tg
z

The hotfix will work for all versions of Zope 2.0 and higher, 
including the recent 2.2 alpha and beta releases. The forthcoming 
Zope 2.2 beta 2 release will contain a fix for this issue, and you 
be able to uninstall the hot fix after upgrading to 2.2. (though 
nothing bad will happen if you don't uninstall it).

Note that the 2.1.7 release that was initially made to address this 
issue has been pulled in favor of this hotfix product, which will 
allow managers of Zope sites to address this issue without worrying 
about other implications of upgrading their installations.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients install the 06/16/2000 hotfix product immediately.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Beta Zope Error

[Brian Lloyd]

 I get the same problem.  A SQL method of mine is apparrently 
 accessible from
 within a DTML method but not from within another SQL method.  
 (I do this to
 determine if a record exists before overwriting it).  I also have an
 external method that augments query objects with special 
 grouping records.
 
 Here's one of my tracebacks (hey, I get a different one every 
 time I click
 REFRESH):

traceback snipped

I've been trying to reproduce this with a Gadfly connection and I 
haven't been able to make this happen - have you checked to make 
sure that all of the sql methods in question have the same 
ownership and permission settings? 

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Does dtml-sendmail work with 2.1.7?

[Brian Lloyd]

 Just thought I'd rephrase the question after doing more 
 troubleshooting.
 Does anyone have this tag working for them when using Zope  2.1.6???
 

Mark - 

A number of fixes have been made to dtml-sendmail for 2.2. The 
version in 2.1.7 is hosed due to some configuration management 
issues that let some (but not all) of those fixes get into the 
2.1.7 release :( You really would be better off sticking with 
2.1.6 for another day or so until 2.2 beta 2 comes out.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Quickstart problems...

[Brian Lloyd]

 
 Do I have something misconfigured, or is Quickstart broken with latest
 beta?
 
 
 Darren Addy

Darren - 

The QuickStart was broken in beta 1. Its fixed in beta 2 (out late 
today or early tomorrow).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope 2.2 beta 2 released

[Brian Lloyd]

Hi all,

Zope 2.2.0 beta 2 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b2/

This release resolves the outstanding issues from beta 1 as well 
as the integrated fix for the recent security issue and further 
refinements of the help system. 

For more information, see the CHANGES.txt file for the release:

http://www.zope.org/Products/Zope/2.2.0b2/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to see the 
document "Upgrading to Zope 2.2" for information on the recent 
changes to the Zope security model and other upgrade information.

http://www.zope.org/Products/Zope/2.2.0b2/upgrading_to_220


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] RE: Zope2.2.0b2 not workink on win98

[Brian Lloyd]

 On my Win box Zope dont allow add _no one_  objects (eg. Folder),
 dont allow enter Control Panel if product incorect installed, etc..
 Zope 2.1.6 and 2.1.7 (with apropriate patches)  works very well.
 
 What I am doing wrong or eventually how can I help to avoid 
 this problems ?
 
 platform: Win98, Zope2.2.0b2 from official installer, empty 
 (default) Data.fs
 
 Eg. if i try to add a Folder that is happend:
 
 STRONGError Type: SuperCannotOwn/STRONGBR
 STRONGError Value: Objects cannot be owned by the 
 superuser/STRONGBR

 snip

Adam,

In Zope 2.2 and above, the superuser should *only* be used to 
bootstrap your system and create management users. The superuser 
can not own objects in Zope now for security reasons. Please see 
the "upgrading to Zope 2.2.0" document on Zope.org for more 
information on this.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope2.2.0b2 - cannot import tutorial

[Brian Lloyd]

I started to do experiments with 2.2.0b2 (I skipped b1). 
 Looks good.
 
I lpayed a little and found tutorial.zexp in directory 
 import. I tried
 to import, but Zope complains.

That import file is used by Amos' new Zope Tutorial object 
(you add that via the normal add list). It probably shouldn't 
blow up if you try to import it normally though - I'll forward 
this to Amos.

I remember DC promises to add a screen to configure the number of
 threads instead of default 7, but I didn't found the screen. 
 Will it be
 added later?

Who promised you that? :^) I hadn't heard of this...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Short urls? SHORT URLS???

[Brian Lloyd]

 Geeez,
 I thought that one of Zope's promises was nice short URLS. 
 Wutts up with
 this?
 http://xanadu.unk.edu:8080/QuickStart/index_html?tree-e=eJyLVn
 eEASdPW3UdBSR-JCrf1cRWPRYAGNELbA#AE4

They _are_ nice and short - if you don't use the Tree tag :^) 



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...

[Brian Lloyd]

Hi all,

Several folks have reported problems in beta 1 with SQLMethods 
having authentication problems when trying to call other SQL 
Methods. I'd like a few intrepid volunteers to try something 
for me to see if it fixes the problem. I'd like to make a 2.2 
beta 2 release tomorrow but I want to make sure this issue is 
resolved first.

Make a backup of the file:

lib/python/Shared/DC/ZRDB/DA.py

in your current (beta 1) installation and replace it with the 
DA.py attached to this email, restart and let me know if the 
problem goes away.

Thanks!

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





 DA.py

RE: [Zope] 2.2.0b2 dies in Windows NT4

[Brian Lloyd]

 I've tried this again.  When I access the manage page, an 
 Import/Export
 tab at folder / comes up, and then Python.exe dies with an NT 
 exception
 which is a stack overflow :-(
 
 Same thing happened with 2.2.0b1.

Graham,

Do you have another (clean, preferably SP4) NT machine available 
to you to test with? I cannot reproduce on any of a fair number 
of NT boxes available to me, which leads me to believe that 
either:

  1 the problem is a difference in our Zope installations 
(i.e. installed products) 

  or 

  2 we each have a different set of gremlins active in our NT
installations


(1) should be fairly simple to diagnose. If you install a fresh, 
clean b2 on your NT box and start it with the *default* database 
and _no_ third party products installed, do you get these odd 
crashes? If not, then the next step is to determine which product 
is activating the problem.

If you still crash with a totally clean install and using the 
default object database, then I don't know what else to do but 
assume (2) :(.


 Also, if I try to access any pages that use SQLSession ( an older
 version ), I get authentication challenges from ZopeSecurityPolicy.py
 when I use the getName() method of the session object.  Hopefully this
 will go away if I upgrade to the latest version.

Hopefully, but there is a possibility that some products may 
need to be updated to behave correctly in the tighter security 
policies in 2.2. I have as action for me to post a guide for 
product developers on monday that advise product authors on 
how to update their products if they are affected.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...

[Brian Lloyd]

  I think that you have hit it on the head - we're trying *hard* to 
  make Zope harder to fool :^) Try adding the following to your 
  class statement, for example:
  
  class MyClass:
  
__allow_access_to_unprotected_subobjects__=1
 
 Just a question: Is this documented somewhere.. I've seen some more
 of these things here and wonder if there's some explanation 
 what exactly
 has changed in 2.2 and which constants can be used to control these
 things..

I plan to publish a guide for Product authors Monday that captures 
the essence of what has changed about the security policy and 
what product objects need to do to play nicely within it.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Moving Z Classes around

[Brian Lloyd]

 Having discovered that [my] Z Class is in the wrong product, 
 I'd like to
 move it elsewhere.  The obvious thing to do is to use Cut + Paste;
 unfortunately, I get:
 
   The item my-item does not support this operation.
 
 (The function manage_copyObjects is not happy!)
 
 I can't think of another way to move my classes without 
 rebuilding them --
 any advice?

Michael,

I agree that this is a pain, but it is a fact of life for now 
in ZClass development. ZClasses have a different relationship 
with other Zope objects than normal, in that other instances 
in the object space refer to them as their class. That makes 
picking them up and moving them something not to be done 
lightly. In the Python world, this would be equivalent to 
pickling a bunch of objects and then moving the class for 
those objects to a different package. Without some explicit 
action, all of the pickled objects would break because they 
would be referencing a class that is no longer there. 

It's the same deal with ZClasses. It may be possible in the 
future to move ZClasses around, but something will still need 
to be done about existing instances created from a class that 
moves. So far we have avoided the hard thinking required to 
solve that :^) This would be a good candidate for a proposal 
in the forthcoming ZopeDev area on Zope.org. More on that 
later...

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope 2.2.0b2 - PythonMethods

[Brian Lloyd]

I remember DC submitted PythonMethods into CVS, but I cannot find
 PythonMethod in 2.2.0b2. Are PythonMethods for later 
 versions? Or it will
 be separated Product forever?
 
I have downloaded latest PythonMethods and successfully 
 installed the
 component, but shouldn't it be in distribution? Or I just 
 don't understand
 something?

Oleg, 

There is still some work that we want to do on PythonMethods 
to get them where we want them for inclusion in Zope -- we 
need to get them well integrated with the Zope security 
policies and roll in some other work that will make all 
method-like objects behave in more consistent manner. I'm 
hoping that this will happen relatively soon (though I can't 
give you a date).

Until then, there's no problem using the latest distribution. 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope 2.2.0 beta 3 released...

[Brian Lloyd]

Hi all,

Zope 2.2.0 beta 3 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b3/

This release resolves the "len of unsized object" error some 
folks were seeing with their SQL methods as well as an issue 
with broken installed products causing a recursion problem 
instead of appearing as normal "broken" objects. I'm hopeful 
that this will be the last 2.2 beta, assuming that no other 
real problems arise that need fixes tested before final.

For more information, see the CHANGES.txt file for the release:

http://www.zope.org/Products/Zope/2.2.0b3/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to 
see the document upgrading to Zope 2.2:

http://www.zope.org/Products/Zope/2.2.0b3/upgrading_to_220

for information on the recent changes to the Zope security model 
and other upgrade information.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Creating PythonMethod from ZClass constructor/method.

[Brian Lloyd]

 
 Using Zope 2.2b3, I am trying to create a PythonMethod from the
 constructor of my ZClass and keep getting an authorization 
 dialog. In my
 MyZClass_add method, I have:
 
   dtml-with "MyZClass.createInObjectManager(...)"
   dtml-call "manage_addFolder(id='testFolder')" !-- works! --
   dtml-with "manage_addProduct['PythonMethod']"
   dtml-call "manage_addPythonMethod(
   this(),
   'testMethod',
   'Test Method',
   'self',
   'pass'
   )"
   /dtml-with
   /dtml-with
 
 Every pemutation I have tried gives the same result: an Unauthorized
 exception.

Hi Jeff - 

Thanks for reporting this. It turns out that there was a 
missing security assertion in the product dispatcher 
(manage_addProduct) that was causing this. The fix will 
be in b4. If you want to patch your install in the meantime,
edit lib/python/App/FactoryDispatcher.py and change:


class ProductDispatcher(Acquisition.Implicit):
" "

def __getitem__(self, name):
...

to:

class ProductDispatcher(Acquisition.Implicit):
" "

# Allow access to factory dispatchers
__allow_access_to_unprotected_subobjects__=1

def __getitem__(self, name):
...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] NOTICE: issue with database packing in current Zope releases

[Brian Lloyd]

Hi all,

Jim found a problem with the algorithm for packing the Zope
database that we wanted to announce so that folks can avoid 
being bitten by it until the fix is out (in b4).

The gist of it is that you should not pack your database to 
a given time and then subsequently  pack the database to an 
*earlier* time. For example, do not pack to "older than 0 days"
and then pack to "older than 10 days". The algorithm in the 
current Zope releases doesn't handle this correctly and 
depending on the exact circumstances can end up getting rid 
of objects that it shouldn't in the packed version of the 
database.

Note that if you _are_ inadvertantly bitten by this, you can 
recover by using the Data.fs.old in the /var directory that is 
created at pack time.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

[Brian Lloyd]

   And indeed the problem was with the fact that I was 
 subclassing the
 DTML Document, which as explained in 
 http://www.zope.org/Members/AlexR/ZClassIDBug
 somewhat mangles the Id property. Public thanks to Rik 
 Hoekstra [EMAIL PROTECTED]
 for suggesting that. 
   I added this fix (from the page I mention above) to the 
 constructor method,
 
 !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"--
 dtml-call "setName(REQUEST['id'])"
 !--#/with--
 
 And when I try creating a new object, it blows up in my face with this
 error:

Walter -

this is sort of a tricky one :(  The problem is that the 
ZClass id bug is a legitimate bug (fixed in the 2.2 series), 
but your fix uses a method that should never have been 
accessible in the first place (and in fact the hotfix makes
it inaccessible, as it should have been all along).

So there are two things you could do here to get along until
you can upgrade to 2.2. One, you could edit the __init__.py
in the Hotfix product's directory and comment out the line:

DocumentTemplate.DT_String.String.setName__roles__=[]

...and restart Zope. That will make the setName method 
unprotected again though, so don't do this lightly. By 
unprotected I mean that other people could call setName 
on _your_ objects and screw things up if they wanted to.

An alternative would be to create an external method like
the following in your class:

def temporary_hack(self, id):
  self._setId(id)


...and try using:

  !--#with "myZClass.createInObjectManager(REQUEST['id'], REQUEST)"--
  dtml-call "temporary_hack(REQUEST['id'])"
  !--#/with--


That should let you solve it without reopening a security hole.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Kid clicking and Zope thread deadlock

[Brian Lloyd]

 "Kid clicking" is a technical term used in multimedia game programs, 
 referring to firing multiple click events quickly. The most 
 scary part is 
 that under intense clicking, a multi-threaded program would go into 
 dead-lock.
 
 I have a Zope application running. When I kid-click on one button, it 
 actually locks Zope up. This error does not happen when I run Zope in 
 single-thread mode. So, for the bug seems to come from Zope thread 
 dead-locking.
 
 snip
 
 My Zope is 2.1.6. More info: it happens both with Netscape 
 and IE. More 
 info: when kid clicking on the webpage, actual requests are 
 sent to the Zope 
 server, I see from the terminal 4 lines about
 
 2000-06-30T00:29:43 PROBLEM(100) ZSybaseDA Changed database 
 context to 
 'master'.
 Changed database context to 'mydatabase'.
 
 and it then goes into deadlock. Not sure whether it's Sybase or Zope 
 problem.

The quick way to determine this: install a fresh Zope without 
SybaseDA installed and see if you can reproduce the kid-clicking 
behavior.

Another thing potentially to look at: there is problem with 
Sybase connections that I have run into before where if you 
have a request that runs a transactional query, then a non-
transactional query, then trys another transactional query 
you get a hang :(  I don't know if this could be the case 
here, but if so you might want to look here for more info:

http://classic.zope.org:8080/Collector/1059/view




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] 2.2b3 hangs a lot

[Brian Lloyd]

 been running 2.2.0b3 for a few days now.  
 config
 redhat6.1
 postgres
 ZPygreSql
 kmnetnews
 
 after some time, zope just hangs.  when i do top, there's no 
 processor usage at
 all on all python processes.  after a few minutes, zopes wake 
 up  and continue
 to serve.  the cycle continues after some time.  the hangup 
 is very sporadic.
 snip

If you look at the server logs when it hangs, do you see any 
pattern as to what was requested when this happens? I haven't 
been hearing of any hanging issues with the 2.2 betas, which 
makes me suspect that something specific to this site may be 
in play here.

The fact that it comes back to life on its own after a while 
makes me think that this is either a very strange system 
issue or tied up with something that has a timeout (for ex.
is it possible that a query is trying to run, timing out 
against the postgres database?) If the PygresSql DA is not 
fully thread-safe then I could imagine this as a possiblity.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] wierdness with 2.2, Security, and manage_addProduct[' ']..

[Brian Lloyd]

 Why won't this work in Zope 2.2? Make a DTML method containing:
 
 dtml-with "manage_addProduct['ZCatalog']"
   dtml-call "manage_addVocabulary(id='doofus')"
 /dtml-with
 
 I cannot find a way to make the security system let this 
 through. 

 snip
 
 I've pretty much convinced myself it's a bug in the 2.2 
 security system...
 
 Anyone? Brian?

It is (or rather was). The fix is in beta 4, out late today/
early tomorrow.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Patch to DateTime.py

[Brian Lloyd]

   The people who want this site want the local time, not 
 UTC+0 that strftime 
 enforces.
 
   So, I created a tiny patch which adds  
 _.DateTime().strfltime(), which works 
 identically, except it passes LOCALTIME instead of GMTIME.
 
   It's tiny, it's simple, but it's REALLY HANDY!
 

Curtis - 

Please submit this to the Collector

http://classic.zope.org:8080/Collector/

...as a feature request w/patch. Patches posted via email 
tend to get lost in the rushing current of the lists :)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.2.0 beta 4 released

[Brian Lloyd]

Hi all,

Zope 2.2.0 beta 4 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b4/


This release includes fixes for a number of bugs 
found in the beta cycle, including a fix for 
the recent database packing issue. It also 
contains updated online help and API documentation. 
I expect this to be the last beta before 2.2 final.

For more information, see the CHANGES.txt file for the 
release:

http://www.zope.org/Products/Zope/2.2.0b4/CHANGES.txt


If you are still using a 2.1.x version of Zope, be sure to 
see the document upgrading to Zope 2.2:

http://www.zope.org/Products/Zope/2.2.0b4/upgrading_to_220

for information on the recent changes to the Zope security 
model and other upgrade information.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] data record exceeds transaction record

[Brian Lloyd]

  It's not a server or a hardware problem because I tested my 
 data.fs on another hardware,machine. As well as it's not a 
 another file in zope, because I tested that data.fs on zope 
 linux, and zope windows. So it's really inside data.fs
 
 The data file is definiately corrupted. That's what the error 
 tracsbeack says.
 It's a "FileStorage.CorruptedTransactionError".  The question 
 is how the file
 got that way.

Johnathan,

A few days ago R. David Murray posted this to you:

 This may not be of any help, but I got this kind of error when
 I was trying to build a Zope site on a computer that had
 one of the bad Intel motherboards.  I banged my head agaist
 the wall hard before I finally figured out that it was a
 hardware problem...

Have you verified that you're not running into the 
same problem (or same sort of problem)? Its easy 
enough to fix a corrupted database, but it will do 
you no good if you actually have a hardware problem
because it will just happen again eventually.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Beta -problem

[Brian Lloyd]

 while starting Zope this morning I got this 
 message.Yestersday I installed
 the newest beta.

 -Traceback (innermost last):
 snip
 import sys, ExtensionClass, TimeStamp, cPersistence, Persistence
 ImportError: No module named ExtensionClass

Are you using a source or binary release? If you are using a 
source release you need to follow the installation instructions 
to build the binaries...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope patches or update for Python 2.0?

[Brian Lloyd]

 Does anyone have a patch for Zope (any version = 2.0) to 
 enable it to run
 reliably under the latest versions of CVS in the SourceForge 
 repository?
 The decision was made to tighten up both the multi-arg append 
 and multi-arg
 connect items.  I was hoping someone else had already gone 
 through the code
 and fixed all these items, saving me the time.

Hi Skip -

I would suggest trying 2.2 beta 4. I think that all of 
the multi-arg append()'s are out of that (not so sure 
about connect()'s, but I think some enterprising folks 
are using it with the new stuff).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope patches or update for Python 2.0?

[Brian Lloyd]

 I would suggest trying 2.2 beta 4. I think that all of
 the multi-arg append()'s are out of that
 
 Not quite. I currently found 3 events.
 I will send apropriate patches to Collector today.
 I promise that will check all of Zope sources for
 append() incompatibility (without non-standard
 Products of course :).
 Maybe for socket.connect() too.

Great - if you hunt 'em down, I'll make sure the 
fixes get in for 2.2 final.

thanks!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] upgrade to 2.2 zsql authentication problem

[Brian Lloyd]

 I create a zsql method in 2.2b4, using the test tab the zsql 
 method works 
 ok. The problem is when I use a dtml method or document 
 (executable objects) 
 to call the zsql method with a IN statment, a not authorized 
 browser box 
 appears. I'm aware of the ownership changes but on my port 
 I'm having this 
 problems only with zsql methods so I wonder if this is only 
 related with 
 this product before diving into the ownership issues.

Julio - 

I can't reproduce this here (using the Gadfly db connection
and DTML that looks like:

dtml-in getdata
dtml-var item_id, dtml-var item_name, dtml-var item_desc
br
/dtml-in

Can you tell me:

  o What db connection you are using

  o What the dtml of your in statement looks like

  o the permissions on the DTML method, the DB connection
and the SQLMethod you are calling

  o and the ownership settings of each of the above?

Thanks!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] testing for local roles

[Brian Lloyd]

 Well, while we're on the subject of AUTHENTICATED_USER.has_role, I've
 just come upon an error that just popped up all of a sudden in an SQL
 query that was working fine before.  The problematic line is:
 
 dtml-if "AUTHENTICATED_USER.has_role('Manager',this())"
 
 and the error I get when trying to test it is:
 
 Error, exceptions.NameError: AUTHENTICATED_USER

 snip
 
 Another query in the same folder uses the exact same if statement, and
 works fine.  I am running 2.2b4.  Can anyone suggest a solution?

Aaron - 

Are you passing AUTHENTICATED_USER as an argument to the 
query that is working (and not doing so on this one?) 
Remember that SQL methods don't automagically get the 
same namespace that DTML does - the only things it can 
use are attributes that are named in the arguments list
(this is to prevent names that are coincidentally the 
same in a REQUEST form or something from being inserted 
into queries).

One common way of doing what you want is to add REQUEST 
to the arguments list of the SQLMethod and use:

dtml-with REQUEST
dtml-if "AUTHENTICATED_USER.has_role('Manager',this())"
select * from data
/dtml-if
/dtml-with


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope 2.2 final released!

[Brian Lloyd]

Hi all,


  Zope 2.2.0 final has been released - you can download it 
  from Zope.org:

  http://www.zope.org/Products/Zope/2.2.0/


  Many thanks go to all of those who have worked with the 
  alpha and beta releases and helped work through the more 
  than 110 (!) issues that have been closed since Zope 2.1.6 
  came out.

  The Zope 2.2 release includes:

- The new security policy implementation and object ownership 
  that addresses the server-side trojan issue:

  http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan

- The new online help system which provides context-sensitive 
  help for all Zope management screens and includes Zope API 
  documentation

- A built-in Zope tutorial to get new users started with Zope

- Basic internal support for mountable object databases

- A new "history" tab for selected objects that provides access
  to previous revisions through the web

- Better performance on many systems as a result of setting a 
  more appropriate value for the "check interval" of the Python 
  runtime

- Many, many bugfixes!


  For more information on what is new in Zope 2.2, see the 
  CHANGES.txt and HISTORY.txt files for the release:

- http://www.zope.org/Products/Zope/2.2.0/CHANGES.txt

- http://www.zope.org/Products/Zope/2.2.0/HISTORY.txt


  Note that there are important changes to the security model in 
  Zope 2.2 that both site maintainers and Zope product developers 
  need to be aware of. Site maintainers should read the document 
  "Upgrading to Zope 2.2.0" for important information on upgrading 
  their Zope sites:

- http://www.zope.org/Products/Zope/2.2.0/upgrading_to_220

  Product authors should read the "Product author's guide to 
  Zope 2.2+ security" to learn about the changes in 2.2 that 
  may affect their products:

- http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide 


Enjoy!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Hot fix and 2.20

[Brian Lloyd]

 Do I have this right?  I do not have to install the 
 hot fix if I just installed the recently released 
 version 2.2.0 final.  correct?
 
 -mjm

That is correct - the hotfix is only required for sites 
running versions prior to 2.2.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Announcing dev.zope.org

[Brian Lloyd]

Hello all,

For some time now, it has been a goal of ours to open up 
the Zope development process. Some of you may have heard 
me promise this at the Zope track back in January. Well, 
it took a little longer than I had hoped it would, but 
I'm happy to announce an important step in making that 
a reality: http://dev.zope.org.

dev.zope.org is the place for discovering, initiating, 
and contributing to work on the core Zope platform and 
related Zope technologies. You can think of it as the 
rough equivalent of what Mozilla.org is to Mozilla.

Why has it taken so long? Because there is much more to 
"opening the development process" than simply doling out 
CVS access. Evolving a relatively large and complex 
piece of software like Zope is a non-trivial task, and 
doing it in a highly distributed environment is harder 
still. The dev.zope.org site will provide the background 
materials and tools to ensure that work on Zope is 
consistent in organization and execution. It will also 
help those new to Zope development to come up to speed 
and get involved quickly.

There is still plenty to do be done on the site, but it 
is done enough to start using it so I want to start 
learning by doing. If you have questions or comments on 
the dev site, please send them to me at [EMAIL PROTECTED] 
and CC the zope-dev list (which is where I expect traffic 
related to dev.zope.org should go in the near term).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] upgrade to 2.2 and zsql methods problems

[Brian Lloyd]

 I have the exact same problem.
 
 Júlio
 

Hi guys - 

For those of you (I've mostly heard ODBC adapter users) 
having authorization problems with your SQL methods, heres
the scoop:

Database connections use one of two classes in the 
framework for wrapping up result data returned from 
queries. One of those classes (that understands results 
in RDB format) was missing a required security assertion. 

The results returned by the ODBC adapter were bitten by 
this - probably there are other adapters that could 
be affected.

I've attached a patch file for the file:
lib/python/Shared/DC/ZRDB/RDB.py

...as well as an updated version of the whole file (since 
I know a lot of you will be on Windows w/o patch :) Either 
patch or replace the file and restart Zope to fix the 
problem.

This is also checked in for a 2.2.1 release that will 
probably happen after a few weeks when enough people 
have upgraded to shake out any other problems.




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 


 RDB.py
 RDB.py.patch

RE: [Zope] SECURITY ROLES and DTML-IN

[Brian Lloyd]

 I am having trouble rendering a DTML IN in ZOPE 2.2.0 to any user
 regardless of roles.
 
 I have allocated the proper rights to all objects used and 
 nothing happens.
 The IN will not let any user view its contents.

Theodore - 

I bet you're running into the same problem as the 
folks using the ODBC adaptor. I've attached the post 
I made addressing this a few minutes ago.

If this fixes your problem, could you send a note to 
the zope-list and let the folks there know that the fix 
works for the Oracle DA too? (I'm going out of town today, 
so I won't be able to forward it if you only reply to me)

Thanks!

 Hi guys - 
 
 For those of you (I've mostly heard ODBC adapter users) 
 having authorization problems with your SQL methods, heres
 the scoop:
 
 Database connections use one of two classes in the 
 framework for wrapping up result data returned from 
 queries. One of those classes (that understands results 
 in RDB format) was missing a required security assertion. 
 
 The results returned by the ODBC adapter were bitten by 
 this - probably there are other adapters that could 
 be affected.
 
 I've attached a patch file for the file:
 lib/python/Shared/DC/ZRDB/RDB.py
 
 ...as well as an updated version of the whole file (since 
 I know a lot of you will be on Windows w/o patch :) Either 
 patch or replace the file and restart Zope to fix the 
 problem.
 
 This is also checked in for a 2.2.1 release that will 
 probably happen after a few weeks when enough people 
 have upgraded to shake out any other problems.
 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





 RDB.py
 RDB.py.patch

[Zope] Your feedback: what should DateTime strftime() behavior be?

[Brian Lloyd]

Hi all -

There has recently been some confusion over the expected 
behavior of various approaches to DateTime formatting in 
Zope regarding timezone representation. I would like to 
resolve this for the next release by making a proposal 
and asking you to reply to the list with a "vote":

  +1 == agree

  +/-0 == no strong opinion

  -1 == disagree

 
So then, here is the situation. In Zope 2.2 (and earlier), 
formatting a date using either:

  dtml-var theDate fmt="%A, %B %d %Y, %H:%M:%S"

  dtml-var "theDate.strftime('%A, %B %d %Y, %H:%M:%S')"

...would give you the date *formatted based on GMT rather than 
the timezone (usually local) representation of the object*. 
Simply doing:

  dtml-var theDate

...however, would print the date in the current timezone of 
the datetime object.

Many feel that this difference is unintuitive and a pain. The 
proposal is that both:

  dtml-var theDate fmt="%A, %B %d %Y, %H:%M:%S"

  dtml-var "theDate.strftime('%A, %B %d %Y, %H:%M:%S')"

...would be changed to apply the format to the current TZ 
representation of the object rather than convert to GMT. Of 
course, this could be a problem if there are people currently 
counting on the output being GMT, which is why we're putting it 
to a vote. If this change is made for 2.2.1, those who still 
wanted the output in GMT could just call the 'toZone()' method 
of the datetime object to get a GMT version before formatting:

  dtml-var "theDate.toZone('GMT').strftime('%A, %B %d %Y, %H:%M:%S')"


What do you think?


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Your feedback: what should DateTime strftime() behavior be?

[Brian Lloyd]

 |   -1 == disagree
 
 You will only ever see votes from people wanting change... 
 apathy rules
 otherwise. Then when it changes you'll see a whole bunch of 
 bitching about 
 the change, and how there's 1,000 people on the list and only 
 20 people
 voted... etc. d8) Mailling list votes are often a bad idea...

I don't know of a better one though :( We have exactly the same 
problem in the Real World, of course. The alternative is to have 
some arbitrary group trying to guess the right decision, which 
will (of course) always lead to an equal or greater amount of 
bitching :)

I'll be moving off the list to some sort of web-poll, but the 
fact will remain that those who only become opinionated after 
the fact will never be happy :)

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] permission settings do not work like expected

[Brian Lloyd]

 I use zope 2.2.0 and I've got a problem with permission 
 settings. When I try
 to limit the permissions for user to add only on type of 
 objects to a folder
 then I get always two types back:
 - the one, which I like
 - and "Z Gadfly Database Connection"

I just fixed this today - it turned out that all older 
products that don't use the 'initialize' method in 
their __init__ (in other words, that use the old 
implicit way of initialization) weren't correctly 
screened in the add list. The fix will be in the 
next release.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] webdav q

[Brian Lloyd]

 Goliath has locking support, but disables that feature when talking to
 a Zope server. Also I was fiddling with Zope versions, but the webdav
 client seems to slip content underneath the versioning interface in
 Zope.
 
 I was wondering if it would be possible to make Zope version map into
 the webdav concept of locking, or does Zope have a concept of locking?

You have hit on exactly the reason why we didn't implement 
DAV level 2 locking yet :^) It would have been relatively 
simple to do so, but it would have been in a way that only 
DAV clients would respect locks. In an environment where 
people may be changing content via HTTP, FTP, DAV, xml-rpc, 
in versions, etc., it seemed like it would be better to 
think harder about the 'locking problem' and what would make 
the most sense given all the things going on. Unfortunately 
we haven't been able to get back to thinking about that yet. 

I'd love to see someone take up the mantle for this on 
dev.zope.org though :^)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] AArgh. Zope-2_2-branch and head of CVS breaks SQLMethods.

[Brian Lloyd]

Thanks Anthony - I've checked in a fix to the 2.2 branch and 
the trunk.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




 -Original Message-
 From: Anthony Baxter [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, August 10, 2000 6:40 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Zope] AArgh. Zope-2_2-branch and head of CVS breaks
 SQLMethods. 
 
 
 
 Aha! Nailed it. It's the 1.131 version of OFS/Application.py
 
 cvs log entry:
 
 revision 1.131
 date: 2000/08/02 17:31:54;  author: brian;  state: Exp;  
 lines: +71 -46
 branches:  1.131.4;
 Merged fix for products with old-style initialization not 
 being properly
 filtered by permission in the filtered add list.
 
 
 Ok, the problem is that when it sees an initialize() method, it
 stops looking for other stuff. ZSQLMethods has a __methods__ 
 thing, tho. Oops. Patch appended to make it always look for
 __methods__.
 
 Note that it doesn't break ZSQLMethods from working, just 
 from being added
 or edited.
 
 Argh. This would've been much easier to figure out if I 
 hadn't managed 
 to confuse myself (tooo many installations of zope, all 
 slightly different -
 need to make it better :)
 
 Anthony
 
  Anthony Baxter wrote
  
  The current Zope-2_2-branch and head of CVS is busted - you 
 cannot add or
  edit SQLMethods. It appears that 
 Products.ZSQLMethods.__init__.__methods__ 
  doesn't get into the namespace of the product properly, as neither
  the add or edit screens can see SQLConnectionIDs.
  
  Blah. More to come - I'll try to figure out why it's 
 broken, and when.
  
  Anthony
 
 
 

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] SECURITY: Zope security alert and hotfix product...

[Brian Lloyd]

Hi all - 

  We have recently become aware of an important security issue 
  that affects all released Zope versions prior to 2.2.1 beta 1.

  The issue involves the fact that the getRoles method of user objects 
  contained in the default UserFolder implementation returns a mutable 
  Python type. Because the mutable object is still associated with the 
  persistent User object, users with the ability to edit DTML could 
  arrange to give themselves extra roles for the duration of a single 
  request by mutating the roles list as a part of the request
processing. 

  While we know of no instances of this issue being used to exploit a 
  site, we *highly* recommend that any Zope site running versions of 
  Zope prior to 2.2.1 have this hotfix product installed to mitigate 
  the issue if the site is accessible by untrusted users who have DTML 
  editing privileges.

  A hotfix for this issue in the form of an add-on Zope product has been

  made available on zope.org. To install the hotfix, simply download and

  install the package as you would any other Zope add-on product
(extract 
  it in the root of your Zope installation). Remember to restart your
Zope 
  installation for the hotfix to take effect. 
  
 
http://www.zope.org/Products/Zope/Hotfix_08_09_2000/Hotfix_08_09_2000.tg
z

  The hotfix will work for all versions of Zope 2.0 and higher. The 
  forthcoming Zope 2.2.1 beta 1 release will contain the fix for this 
  issue, and you be able to uninstall the hot fix after upgrading 
  to 2.2.1 beta 1 or higher (though nothing bad will happen if you 
  don't uninstall it).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.2.1 beta 1 released

[Brian Lloyd]

Hi all - 

  Zope 2.2.1 beta 1 has been released - you can download it from
  Zope.org:

  http://www.zope.org/Products/Zope/2.2.1b1/

  This release contains many bug fixes, including the fix for the 
  recently announced security issue. It also includes fixes to the 
  ZODB code for supporting object databases over 2GB (provided your 
  platform supports large files).

  For more information on what is new in this release, see the 
  CHANGES.txt and HISTORY.txt files for the release:

  http://www.zope.org/Products/Zope/2.2.1b1/CHANGES.txt

  http://www.zope.org/Products/Zope/2.2.1b1/HISTORY.txt

  Note that we have also posted "diff" updates as .tgz files 
  that will let you easily upgrade an existing 2.2.x site. 
  These updates are available for those currently using the 
  2.2.x source release or the 2.2.x binary releases for either 
  solaris or linux.

  To apply a differential update to your site:

  - download the appropriate .tgz file from zope.org
  - shutdown your Zope process
  - copy the .tgz to your Zope directory and extract it
  - run w_pcgi or wo_pcgi *if you are not using a binary release*
  - restart your process


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Hotfixes: serious suggestion

[Brian Lloyd]

 I already wrote it to DC but got no response, so I will try 
 to get some feedback here.

Who did you send it to? I don't recall seeing it...


 At the moment DC uses the north american way of expressing dates and 
 assigns them in this form to the names of the Hotfixes. I 
 propose another 
 naming scheme and will explain the reasons below.
 
 The current format is Hotfix_08_09_2000, my proposed format is
  Hotfix_2000-08-09.
 This is the ISO 8601 format (abbreviated form).

That sounds reasonable. We'll move to this for 
future hotfix releases.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope is very slow!

[Brian Lloyd]

 I am pretty sure (61%) that in the original release of 2.2.0 there was
 something about a speed increase. One talked about on single processor
 (20-40%) and the other was dual processor (60-80%). It partly 
 has to do with
 that "one line of magic code" in the z2.py.
 
 Ethan? Paul? DC? Care to shed some light?

The speedup involves changing sys.checkinterval, which 
controls the interval (# of bytecodes) at which the 
Python runtime performs certain housekeeping chores. 
For multithreaded programs, upping this interval can 
cause a significant performance improvement (more about
this on python.org in the sys module docs).

2.2 sets the interval to 120, a value that seemed to 
provide a general speedup across a number of systems 
I tested. Granted, this is not very scientific, which 
is why there is an '-i' option to z2.py that allows you 
to pass your own values for the interval to experiment 
and find a sweet spot for your given environment (see 
the z2.py docstring / command help).

  else changed I didnt see? I noticed that 2.1.6 wasnt 
 making the best use of
  dual processors.
  
  I thought only ZEO would make good use fo dual processors?

Note that effective use of multiple processors is mostly a 
function of the Python runtime (specifically the global 
interpreter lock) rather than an issue that Zope can 
address directly. So yes, ZEO is the best way to make 
effective use of MP.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: updated Hotfix release for recent mutable object issue

[Brian Lloyd]

Hi all -

We recently made a Hotfix release to address an issue 
dealing with Zope APIs returning mutable objects that 
could be changed inappropriately from DTML 
(Hotfix_08_09_2000). After further investigation, there 
was another aspect to the problem that was not addressed 
in the recent hotfix.

I've uploaded a new hotfix release (Hotfix_2000-08-17) 
that supercedes the one from the 9th and includes the 
extra fix required.

http://www.zope.org/Products/Zope/Hotfix_2000-08-17/

If you run a Zope site and allow untrusted users to edit 
DTML on your site, you should install this updated hotfix. 
There is no need to uninstall the prior hotfix release.
These fixes will also be in the 2.2.1 release, expected 
next week.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] review waiting for 3 days!!!

[Brian Lloyd]

 Yellow ppl at DC,
 
 Is everybody on holyday at DC? :-)
 I've a some reviews waiting for 3 days now to be validated on zope.org
 
 Maybe there's a lot more reviews waiting from other guys.
 

We've been offline since sometime Monday due to network 
problems :( We're back on now.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] QSurvey 0.23 and Zope 2.2.1b

[Brian Lloyd]

  Error Type: Permission mapping error
  Error Value: Attempted to map a permission to a permission, Add
  QSurveyResultsItems, that is not valid. This should never 
 happen. (Waaa). 
  
 
 I believe I saw a message that said that this bug would be fixed
 in 2.2.1 final (which presumably means you can get the fix by
 checking out the CVS version of Zope).  Search the archives...
 

That's right - or you can wait 'til tomorrow when I hope to make 
2.2.1 final :)

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] RE: [ZOPE Collector] Zope Bug entry: An alt attribute of img element inserted by Image objectsent inserted by Image objects

[Brian Lloyd]

  It's not required, actually, just recommended, and a 
 filename is better than
  NOTHING, which is what he proposed.  I'd definately be -3 
 on this one.
  Actually, I'd rather see BORDER=0 be the default.  I've yet 
 to find a single
  person who wants a border on their images...
  
  Chris
  
 
 1.
 'alt' IS required, look at DTD:
 !ATTLIST IMG
 
 src %URI; #REQUIRED -- URI of image to embed --
 alt %Text;#REQUIRED -- short description --
 
  
 
 2.
 The way you want every single image will leave some garbage on the 
 screen when you browse with Lynx, even if it has only meaning for GUI 
 browsers.

Ok - I propose that image.tag() and .__str__ will:

  o use the content of the 'title' property if defined

  o otherwise generate alt=""

  o include border="0" by default

Unless people complain loudly, I'll put on the benevolent 
dictator hat and have this is 2.2.1 (should be out tomorrow) :)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.2.1 released

[Brian Lloyd]

Hi all,

Zope 2.2.1 has been released - you can download it from
Zope.org:

  http://www.zope.org/Products/Zope/2.2.1/

This release contains many bug fixes, including the fixes 
covered by all Hotfixes to date. Special thanks go to 
Dieter Maurer, Adam Karpierz, Jeff Sasmor and others who 
have been prolific patch submitters over the last few weeks.

For more information on what is new in this release, see the 
CHANGES.txt and HISTORY.txt files for the release:

  http://www.zope.org/Products/Zope/2.2.1/CHANGES.txt

  http://www.zope.org/Products/Zope/2.2.1/HISTORY.txt

Note that we have also posted "diff" updates as .tgz files 
that will let you easily upgrade an existing 2.2.x site. 
These updates are available for those currently using the 
2.2.x source release or the 2.2.x binary releases for either 
solaris or linux.

To apply a differential update to your site:

 - download the appropriate .tgz file from zope.org
 - shutdown your Zope process
 - copy the .tgz to your Zope directory and extract it
 - run w_pcgi or wo_pcgi *if you are not using a binary release*
 - restart your process


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] problem on newly installed Zope2.2.0: I have lost a folder

[Brian Lloyd]

 does this error means something for you:
 
 2000-08-31T14:06:05 ERROR(200) ZODB Couldn't load state for
 '\000\000\000\000\000\000\014\021'
 Traceback (innermost last):
   File /home/sms/Zope_220/lib/python/ZODB/Connection.py, line 447, in
 setstate
 SystemError: Failed to import class MEM from module __main__
 

It means that the object can't be unpickled because the 
module that the objects class is defined in cannot be 
imported. Whatever product / python code defines the MEM 
class is probably installed in your old instance but not 
in your new instance...

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Python, persistent objects and caching

[Brian Lloyd]

 I'm developing a Python-based product that uses persistent objects in
 ZODB to store its configuration. No surprises there, but my product is
 also using volatile attributes to do a bit of caching of its own. The
 thing is, when ZODB takes a sweep every 60 seconds to flush it's own
 cache it will quite often flush my product as well, essentially
 rendering my 15 minute caching ineffective.
 
 If there a way I can prevent this from happening?
 
 References:
 http://www.zope.org/Members/MikeP/volatile
 http://www.zope.org/Members/Zen/tips/VolatileAttributes
 
 Soren Roug

One approach would be to cache your data in the module's 
namespace. For ex:

mycache={}

class MyClassThatKeepsGoingAway:
  ...
  def get_data(self, id):
if mycache.has_key(id):
  return mycache[id]
else:
  ...

Note that my example is a little contrived, since using a module 
variable means that you will have to implement this in a way that 
is safe for a multi-threaded environment. You will also want to 
make sure that your module-level cache doesn't grow forever and 
take up a lot of memory.

Hope this helps!

Brian Lloyd ([EMAIL PROTECTED])

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope 2.2.1 Solaris 8 dumps core

[Brian Lloyd]

 I've downloaded the src of Zope 2.2.1 on my UltraSparc running Solaris
 8, built it ok, but when I try run ./start it it dumps core with a
 segmentation fault.
 Is this problem known? Anything I can do?
 I am completely new to both Python and Zope ...

I don't know of any problems inherent to running on Sol8. 
It seems like maybe it could have something to do with 
your Python installation. One way you could test that is 
to cd to the lib/python dir of your Zope installation, 
start your local Python interpreter and try:

import ExtensionClass



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  www.digicool.com

___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] how to change the 'Zope' realm/resource??

[Brian Lloyd]

 Steve Drees wrote:
  WHat if we want to change the realm dependent on the folder?
  
  I.e. Is there a way to change this at run-time?
 
 I'd love to know the answer to this one too :-)
 
 Chris

The realm is currently an attribute of the RESPONSE object. 
There is a 'realm' class attribute which provides the 
default realm - you could either somehow change this as 
needed (which may be sort of hard, especially since 
unauthorized usually gets raised before user code ever 
gets run), or change the default class attribute.

You could change the default class attribute by either:

  - hacking the code (bleah)

  - or maybe better, create a "product" in your lib/python/Products
(say RealmHack). The product dir would only have an __init__.py 
file that looked like:

import ZPublisher.HTTPResponse

ZPublisher.HTTPResponse.HTTPResponse.realm='whatever'

...which would allow you change the default class attr 
without hacking the code itself. When your product gets 
imported (at startup time), your realm would be used.

Note that wouldn't help with "per folder" realm changing. 
I'm open to suggestions on that. One way I suppose would 
be to subclass Folder and implement an extended version 
of __bobo_traverse__ that changed the realm upon traversal.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] zope 2.2.1 and python 1.6

[Brian Lloyd]

 i couldn't find anything in the list archives or the docs about python
 1.6  from python's site, it looks like there are a lot of changes that
 could break code.  can i run zope 2.2.1 on python 1.6 or should i
 stick with 1.5.2?
 
 thanks,
 
 -jon

Hi Jon,

I've seen some people report using 1.6 successfully with Zope - 
at this point I can't recommend doing that for a *production* 
site, since while it may *work* we still need to assess some 
things regarding their impact on security.

For example in 1.6 strings have methods, which may or may not 
have an impact on DTML safety. This is also the case for 
Python 2.0.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Clean Zope source patch

[Brian Lloyd]

 I need to patch Zope source code to make an I18N module of my own work.
 The function I need to patch is Publish.py in lib/python/ZPublisher
 (only the publish function).
 
 I'd like to to it a 'clean' way, that is, without modifying the actual
 source code. To achieve this, I can copy the publish function into
 MyPublish.py, patch it, and, somewhere in the Zope source file
 hierarchy, put something the following statement :
 ZPublisher.publish = MyPublish

 Well, huh... This is theory. It doesn't work because I don't know where
 ZPublisher is actually imported into Zope, and, thus, where my
 affectation will really take effect.
 
 
 Does anyone knows how to do this ? Or perhaps someone knows a better way
 to "cleanly" patch Zope source ?.

An ideal way to do "guerilla patching" like this is with a 
Product. This is in fact how HotFix products work.

At Zope startup time, the Zope machinery tries to import 
each package in lib/python/Products. So you can create 
your own "product" which is nothing more than a package 
with an "__init__.py" that performs the replacement.

For example, create a directory "I18NHack" in your 
lib/python/Products and a file therein "__init__.py"
(along with your MyPublish module). The __init__.py
would look something like:

from MyPublish import publish
import ZPublisher.Publish

# replace the original publish function...
ZPublisher.Publish.publish=publish

This way you don't modify any Zope source and  can pretty
easily manage and distribute your patch.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] FYI: Python product tutorial updated

[Brian Lloyd]

 This tutorial looks great...it explained a lot of things to me 
 that I wasn't
 able to put together before.
 
 But...on looking at it, a nagging thought keep recurring...this 
 is a really
 quite long and complicated process for a Poll product. As much as I like
 Zope and thing it is a great platform on which to develop web 
 applications,
 I often wonder about the complexity and obscurity of some of the 
 procedures
 that need to executed while making what are, on the face of it, 
 often quite
 simple web objects or applications. Consequently I have honestly 
 had quite a
 hard time convincing PHP-savvy colleagues that the path to Zope Zen is
 something worth starting on. Does anyone else experience these nagging
 doubtful thoughts occasionally ?

I think yours is a valid criticism. Zope provides the 
infrastructure to do a lot of powerful and complex things, 
with the downside that (currently) as a developer a lot of 
the details are "in your face". One major goal I have for 
Zope going forward is to strive for "optional complexity" - 
not only for day-to-day use of Zope but also for component 
developers.

I'd be very interested to hear any ideas you folks have 
on ways to help "make simple things simple" for development 
and to allow people to deal with complexity only as they 
begin to need it...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] status of SOAP for Zope?

[Brian Lloyd]

 MS has released ROPE for client-side SOAP development (finally).
 
 I can't seem to find anything in Zope for doing SOAP, but it was 
 announced in Dec 1999 as "upcoming".
 
 What is the status of SOAP on Zope, I need to know if I can use ROPE..

Hi Brad - 

SOAP is still something we want to do, but it is on hold right 
now (we just don't have the resources at the moment). I've been 
hoping that someone might take the lead and start a project on 
dev.zope.org, but so far that hasn't happened :(


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] status of SOAP for Zope?

[Brian Lloyd]

 Okay, has anything been done at all?
 
 Where would I start? What's left to do?


Petru Paler contributed some preliminary work:

http://classic.zope.org:8080/Collector/1360/view

While I think that this is a good thing and I'm glad he did it, 
I think that experience has shown that just suddenly making 
*everything* available via a new protocol (xml-rpc, SOAP) is 
not really the right approach. There are a number of people 
who have recently voiced their (legitimate) concern that by 
default *practically everything* on their site is xml-rpc 
enabled - and they have no easy way to turn it off or make 
things selectively available.

This is a very important point - I think people would rather 
be able to implement SOAP services selectively rather than 
by One Big Switch that may expose just about anything. I would 
very much like to see a project started on dev.zope.org that 
starts off by drafting a "user manual" that describes how SOAP 
services would be implemented from the standpoint of a Zope 
developer. This would give us a good way to come to agreement 
without worrying about code just yet. 

Some attention should be given to how SOAP services get exposed by 
other systems at this point (they do *not* just suddenly expose 
every in-memory object to SOAP). We should also anticipate some 
of the work being done in "discoverability" of SOAP services in 
our draft (which I think will affect how you go about "defining"
a Web service. 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope in Windows is faster than Linux ???

[Brian Lloyd]

 Concurrency Level:  25
 Time taken for tests:   1.807 seconds
 Complete requests:  1000
 Failed requests:137
(Connect: 0, Length: 137, Exceptions: 0)
 Non-2xx responses:  864
 Total transferred:  660974 bytes
 HTML transferred:   473471 bytes
 Requests per second:553.40
 Transfer rate:  365.79 kb/s received
 
 Linux
 
 Concurrency Level:  25
 Time taken for tests:   7.688 seconds
 Complete requests:  1000
 Failed requests:0
 Total transferred:  595000 bytes
 HTML transferred:   396000 bytes
 Requests per second:130.07
 Transfer rate:  77.39 kb/s received
 
 There's a big difference in the number of requests per second, 
 four times more in the  Windows machine. Anyone knows why? Does 
 it mean that Zope running in Windows is better than in Linux?

No - look at your results. Every request failed on the win32
box (and they all succeeded on linux). You have some sort of 
problem in your windows setup, and you'll always get higher
throughput for errors than you can for completed requests...


Brian Lloyd[EMAIL PROTECTED] 
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] GET requests in Medusa web server

[Brian Lloyd]

 Why does the Medusa server in Zope not handle GET requests which specify
 a full URI? For example, if I have a web server running on 
 web.mydomain.com,
 and I want to get a file called "file.html", doing a GET request 
 of the form
 
   GET http://web.mydomain.com/file.html HTTP/1.1
 
 gives me a 404. Doing a GET of the form
 
   GET /file.html HTTP/1.1
 
 works fine. If I understand RFC 2068 correctly, a HTTP 1.1 
 compliant server
 is expected to handle both cases (5.1.12 of RFC 2068)
 ...

Hi Sean - 

What version of Zope are you seeing this with? I seem to 
remember fixing something along these lines fairly recently. 
Is it still the case in Zope 2.2.2?


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Re: [Zope-dev] Task, Job or Operation?

[Brian Lloyd]

 
 Unsafe has also been proposed. I do not like this either because it is
 not accurate. Simply because something dangerous, foolish or stupid can
 be done using this method type does not mean it will be. Are we to label
 all objects "unsafe" simply because of the capacity of harm? Safety is
 in the hands of the programer.

I agree with this vehemently :) Would you want to use "unsafe C++" 
or "unsafe Java"? I think "restricted" and "unrestricted" are 
clear and concise. This is not about "safety" per se, but about 
capabilities.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Verify Watermark.

[Brian Lloyd]

 In Zope2.1.6 there was a function called 'verify watermark' in module 
 Accesscontrol.User. 
 
 This function seems to have gone in the 2.2.2 release.
 My question: Is there any direct replacement for this method ? 
 Or at least a  some kind of equivalent code ?

verify_watermark was an interim step in dealing with 
some security things that have since been superceded 
by the new SecurityPolicy architecture (see: 

http://www.zope.org/Members/michel/Projects/Interfaces/SecurityPolicies

You shouldn't need verify_watermark in post-2.1.6 code.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] XML Document DTML's tree, HiperDOM

[Brian Lloyd]

  The answer to these questions and more can be found at dev.zope.org.
  The fishbowl keeps better track of projects than any human.
 
 The tempation to say "and the fishbowl confuses more humans than any
 project can keep track of" was to great ;-)
 
 It's not actually true, I guess, except for me. I went and had a look at
 the HiperDOM project and couldn't make heads or tails of what the status
 was. That put me off even looking for session tracking...

Note that the Fishbowl is still somewhat immature - the specific 
problem of finding out the status of things is something I'm 
working on (albeit slowly, unfortunately). Very Soon Now there 
will be some built-in support to help this. 

In the meantime, project leaders will need to go the extra mile 
to try to make it clear to readers where things stand. There is, 
after all, a "CurrentStatus" page dedicated to this. If the 
CurrentStatus is empty or clearly out of date, readers of the 
project should prod the project leader about that (their contact 
email should be in the project).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.2.3 released...

[Brian Lloyd]

Hello all - 

  Zope 2.2.3 has been released - you can download it from
  Zope.org:

  http://www.zope.org/Products/Zope/2.2.3/

  This bug-fix release contains the fixes for all released 
  Hotfixes to date, as well as fixes for a memory leak in 
  the Acquisition module, various ZCatalog fixes and a fix 
  for the infamous "__call__" bug (and there was much 
  rejoicing!).

  For more information on what is new in this release, see the 
  CHANGES.txt and HISTORY.txt files for the release:

 http://www.zope.org/Products/Zope/2.2.3/CHANGES.txt

 http://www.zope.org/Products/Zope/2.2.3/HISTORY.txt

  Note that we have also posted "diff" updates as .tgz files 
  that will let you easily upgrade an existing 2.2.x site. 
  These updates are available for those currently using the 
  2.2.x source release or the 2.2.x binary releases.

  To apply a differential update to your site:

  - download the appropriate .tgz file from zope.org

  - shutdown your Zope process

  - copy the .tgz to your Zope directory and extract it

  - run w_pcgi or wo_pcgi *if you are not using a binary release*

  - restart your process


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] RE: ANNOUNCE Zope 2.2.3 release...

[Brian Lloyd]

FYI - someone has noticed a problem with the posted 
2.2.3 release that needs looking into, so I've unlisted 
it for the time being. I'll send out a note and re-list 
it after we dig into this a bit...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] RE: ANNOUNCE Zope 2.2.3 release...

[Brian Lloyd]

 Oh no, not this one again ...
 
 How good that I learned my lesson from the infamous 2.1.x 
 series, when you always replaced or withdrew the latest 
 bugfix release due to "some errors" right after we had 
 updated all our servers ...

I think "always" is a bit strong...

 
 What about having a "beta" phase for every release, even 
 the x.x.x ones?

I think that is reasonable - in practice I have found that 
many people tend not to upgrade until something is declared 
"final", but your point is taken and a little feedback is 
better than none. I'll make Monday's release 2.2.4 b1.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] RE: ANNOUNCE Zope 2.2.3 release...

[Brian Lloyd]

 How long before we end up with 2.2.4 a3 and 2.2.4 b1 with no-one really
 knowing what's going on?
 Taking what is effectively another point onto the version number doesn't
 really help. I can only think of 2.1.7 that was withdrawn, and as long
 as 2.2.4 comes along pretty swiftly, there shouldn't really be a
 problem, should there?

Well, some people perceive it to be problem (and I can't 
really blame them). What we _really_ need is some regression 
testing infrastructure. We have started taking some baby steps 
in that direction with the inclusion of PyUnit, but it will 
take some time and resources to get a meaningful amount of 
tests. Hopefully the recent Good Things happening here at DC 
will mean that the necessary resources will become available 
to make that happen.

In the meantime, since Brian is a poor regression test rig, I 
plan to have a (generally very short - like a week) beta period 
for third-dot releases. One beta should usually do it, and it 
will allow at least for more coverage than I can easily contrive
from my desktop as a sanity check. When the test infrastructure 
is more mature we could revisit this though.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] ANNOUNCE: Zope 2.2.4 beta 1 released...

[Brian Lloyd]

 I'm not quite sure wether it's me, my system or this beta, but a 
 fresh installation of 2.2.4 beta 1 says:
exceptions.AttributeError
...
line 140, in index_html
(Object: zope_button.jpg)
AttributeError: _p_mtime
 
 Actually, none of the images in p_ is accessible

Thanks - that is fixed for final. Let me know if you see 
anything else...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Speaking of Python Methods....

[Brian Lloyd]

 What's the PythonMethod equivalent of:
 dtml-with callTypes
 dtml-var "_.getitem(_.str(2)).Name"
 /dtml-with

I should guess:

callTypes['2'].Name


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.2.4 (final) released...

[Brian Lloyd]

Hello all,
  
  Zope 2.2.4 has been released - you can download it from
  Zope.org:

  http://www.zope.org/Products/Zope/2.2.4/

  This release supercedes the 2.2.3 release, which 
  had an error that prevented permissions from being acquired 
  correctly. Until the testing infrastructure that has been 
  started in the 2.3 CVS is more mature and there is a useful 
  regression test rig, we'll be planning for at least one (short) 
  beta period for third-dot releases.

  This bug-fix release contains the fixes for all released 
  Hotfixes to date, as well as fixes for a memory leak in 
  the Acquisition module, various ZCatalog fixes and a fix 
  for the infamous "__call__" bug. It also contains a fix 
  for a problem in header parsing in the dtml sendmail tag 
  that has affected some users recently. The problem with 
  caching of ImageFile objects (mainly icons in the 
  Zope management interface) in the 2.2.4 beta is also 
  fixed (and verified using the Cacheability Engine 
  (http://www.web-caching.com/cacheability.html).

  For more information on what is new in this release, see the 
  CHANGES.txt and HISTORY.txt files for the release:

  - http://www.zope.org/Products/Zope/2.2.4/CHANGES.txt

  - http://www.zope.org/Products/Zope/2.2.4/HISTORY.txt

  Note that we have also posted "diff" updates as .tgz files 
  that will let you easily upgrade an existing 2.2.x site. 
  These updates are available for those currently using the 
  2.2.x source release or the 2.2.x binary releases.

  To apply a differential update to your site:

  - download the appropriate .tgz file from zope.org
  - shutdown your Zope process
  - copy the .tgz to your Zope directory and extract it
  - run w_pcgi or wo_pcgi *if you are not using a binary release*
  - restart your process


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] 2.2.4 upgrade query

[Brian Lloyd]

 Further to my paniced posting earlier, I reinstalled 2.2.0, copied over my
 data.fs* and various products and everything fired up fine but i did one
 experiment (following on from Chris) - i didnt install zdiscussions. This
 resulted in major oids errors and my broken zclass as before/ install
 zdiscussions and bingo i am back in business. so. two questios:
 
 1. why does my zclass appear to require zdiscussions when it is not
 based on it?

Not sure on that...

 
 2. does 2.2.4 contain some parts of what was previously the standalone
 zdiscussions product?

No. The only thing I could think of is maybe some change in 
the way products are registered or something that affects 
ZDiscussions badly. I'm just guessing here. Have you tried 
going from 2.2.0 - 2.2.1 or 2.2.2? If you see the same thing 
on one of them, that would narrow it down and we could look at 
the diffs between those releases and see if anything looks 
suspicious...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] The not-very-Super user

[Brian Lloyd]

 I notice there were some CVS checkins about renaming it to the
 'emergency user'. Cool, does this mean you're going to be able to define
 a manager at install-time?

Yes - the whole lame login-as-superuser-create-a-manager-and-relogin 
process will be gone in 2.3. At install time you'll create a first 
manager and just use that. A "superuser" will not even exist, unless 
and until you need it and explicitly create it.

 Hmmm, if so, what is it that the emergency/super user can do that a
 normal manager can't?

He can un-screw permissions or users if you ever manage to 
get totally locked out of your site. Think of it as a user mounted 
in a box on the wall labeled "in case of emergency, break glass". 

In practice, few should ever have to break the glass.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] The not-very-Super user

[Brian Lloyd]

   I notice there were some CVS checkins about renaming it to the
   'emergency user'. Cool, does this mean you're going to be 
 able to define
   a manager at install-time?
  
  Yes - the whole lame login-as-superuser-create-a-manager-and-relogin
  process will be gone in 2.3. At install time you'll create a first
  manager and just use that. 
 
 Yay!
 
 As Max asked, any 2.3 timeframe? Python Scripts and no Super User alone
 make it _very_ enticing :-))

I would reaaally like to see a beta by the end of 
Dec. - but don't quote me yet. Part of what I'm doing 
today is figuring what the resource situation looks like.


  He can un-screw permissions or users if you ever manage to
  get totally locked out of your site. Think of it as a user mounted
  in a box on the wall labeled "in case of emergency, break glass".
 
 How does this differ from a normal manager and how would you 'create a
 super user' as you descriebd in the bit I snipped?

An example might be: if somehow someone took all permissions
away from all of your managers, they'd be out of luck. The 
superuser could still log in and fix that though.

I don't know the exact details of how a superuser is created 
yet - I expect that you will run zpasswd.py with a special 
option though (and restart). The relevant install docs will 
be updated to outline this when that branch is merged.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Zope 2.3 plan updated...

[Brian Lloyd]

Hi all - 

We're gearing up for getting a new feature release out so 
for those interested I've updated the Zope 2.3 plan at:

http://dev.zope.org/Resources/zope_230_plan.html


The main changes from the prior version are that it is much 
more detailed, some items have been added and the item for 
updating ZDOM to DOM level 2 has been dropped (until there 
is a clearer justification for it).

I hope to make an alpha 1 release on Monday the 11th with 
the new Python Scripts and fixed user bootstrapping, among 
other things (see the plan for details).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Zope's default icons not displayed

[Brian Lloyd]

 Yikes, can someone help me out?  My browser isn't rendering 
 Zope's default 
 icons on its management screens.  I'm running
 
 Zope version: Zope 2.2.4b1

This is fixed in 2.2.4 final...

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] SECURITY alert and hotfix release

[Brian Lloyd]

Hi all,

  Aleksander Salwa has brought a security issue to our attention
  that affects all Zope versions up to and including Zope 2.2.4.
  We have released a Hotfix product to address the issue that can
  be downloaded from zope.org. (Thanks to Aleksander for finding
  this and to Shane Hathaway for his quick response in resolving
  it!)

  The issue involves security registration of "legacy" names for
  certain object constructors such as the constructors for DTML
  Method objects. Security was not being applied correctly for the
  legacy names, making it possible to call those constructors without
  the permissions that should have been required. This issue could allow
  anonymous users with enough internal knowledge of Zope to instantiate
  new DTML Method instances through the Web.

  The hotfix for this issue is available on the zope.org web site:

o
http://www.zope.org/Products/Zope/Hotfix_2000-12-08/Hotfix_2000-12-08.tgz

  We *highly* recommend that any Zope site running versions of
  Zope up to and including 2.2.4  have this hotfix product installed
  to mitigate the issue.

  The hotfix will work for all versions of Zope 2.2.0 and higher. A
  future version of Zope will contain the fix for this
  issue, and you will be able to uninstall the hot fix after upgrading.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] regex vs ts_regex

[Brian Lloyd]

 Apropos http://www.zope.org/Documentation/How-To/ThreadSafety
 
 Am I missing something here? 
 There seem to be a number of places in the current 2.2.4 source where
 the python regex module is used - not ts_regex, thus apparently
 violating your advice on thread safety? 
 
 For example, I was just spelunking through
 /lib/python/AccessControl/User.py, App/Product.py so I started greping a
 few subdirectories.
 
 DateTime.py uses ts_regex as does OFS/ObjectManager.py but NOT
 OFS/SimpleItem.py ...
 
 Is there some reason why it's ok for some modules to use regex rather
 than ts_regex ???

It is safe to use it in certain cases where the thread 
safety problems of the regex internals are not an issue. 

I think Jim and some others who have used regex purposefully 
have added a #TS comment to indicate that they have thought 
through the threading issues before using it.

This will be moot in the future - one of the things 
we'll _have_ to do to move to Python2.0 is become 
SRE compliant.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope 2.3.0 alpha 1 released...

[Brian Lloyd]

Hello all,

  As promised, Zope 2.3.0 alpha 1 is now available. You can 
  download it from Zope.org:

  http://www.zope.org/Products/Zope/2.3.0a1/

  This release contains a number of important new usability 
  features, and also marks the first release where a 
  substantial amount of the work done happened in the Fishbowl 
  on dev.zope.org. Some highlights of this release:

- Python Scripts are now part of the Zope core. Big whopping 
  kudos to Evan Simpson for all of the work he has put into 
  this! Having Python Scripts in the core will allow people 
  to much more easily separate logic and presentation (and 
  get that logic out of DTML!) More information and prototype 
  documentation for Python Scripts can be found in the 
  dev.zope.org project:

  http://dev.zope.org/Wikis/DevSite/Projects/PythonMethods


- The process of creating an initial user at install time 
  has finally been fixed. Before you had to create a superuser, 
  login as the superuser, create a normal manager, logout, then 
  log back in as the normal manager. This was obtuse and caused 
  big problems for newbies who would log in as the superuser and 
  start trying to work immediately (leading to errors since the 
  superuser cannot own objects). 

  This process is now much more sane. Now, at install time a 
  default initial manager (not a superuser) is created. The 
  superuser has been renamed to the "emergency user" and is 
  not even created by default. If you ever have a need to log 
  in as the emergency user, you can use zpasswd.py to create it.


- The new security assertion support has been checked in. For 
  more information and an updated version of the "Zope security 
  for developers" guide see the project on dev.zope.org:

  http://dev.zope.org/Wikis/DevSite/Projects/DeclarativeSecurity


- Added new getId() method to SimpleItem.Item. This should 
  now be used instead of referencing 'object.id' directly, 
  as it is guaranteed to always be a method and to always 
  return the right thing regardless of how the id of the 
  object is stored internally. This relieves DTML writers of
  the contortions they previously had to go through to handle 
  varying cases of 'id' being a method or an attribute.

- Improved Ownership controls. Now you simply choose whether
  or not to take ownership of sub-objects when taking
  ownership. Implementation details about whether ownership 
  is implicit or explicit are no longer forced on the user.

- Unit testing infrastructure for the Zope core. PyUnit has been 
  checked in, and a utility has been added that will allow us to 
  incrementally begin accumulating (and running) test suites. The 
  new testrunner.py in the utilities directory is a basic utility 
  for running PyUnit based unit tests. It can 
  be used to run all tests found in the Zope tree, all test suites
  in a given directory or in specific files. The testrunner will 
  be used to ensure that all checked in tests pass before releases 
  are made. For more information, see the docstring of the actual
  testrunner.py module.

  For more information on what is new in this release, see the 
  CHANGES.txt and HISTORY.txt files for the release:

   http://www.zope.org/Products/Zope/2.3.0a1/CHANGES.txt

   http://www.zope.org/Products/Zope/2.3.0a1/HISTORY.txt


  *Please note* that we do not build binary distributions for alpha 
  releases - the alpha is available as a source release only. When we 
  move into the beta period for 2.3, we will build and distribute 
  binary releases.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] Re: ANNOUNCE: Zope security alert and hotfix release

[Brian Lloyd]

The hotfix will work for all versions of Zope 2.2.0 and higher. A
future version of Zope will contain the fix for this
issue, and you will be able to uninstall the hot fix after upgrading.

 This seems to imply that 2.1.6 is vulnerable as well, but that this Hotfix
 won't work, and that no fix exists. Is that correct, or is the fix simply
 not tested with 2.1.6 ?

 Gregor

Sorry - 2.1.6 _is_ vulnerable, and the Hotfix will work for
2.1.6. I'll update that README.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com


___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] new 2.2.4 security/role bug ?? (ZCatalog related ??)

[Brian Lloyd]

 The second weird thing (should help for a diagnostic) is :
 
 While i have  "manager" role (i can do whatever i want on the manage 
 interface), i tried to give a proxy role to my test method, to 
 see if i could 
 investigate further. 
 And trying to change the proxy role raised an execption, despite 
 the fact i 
 have manager role with full autorisations.

Didier - 

Note that 'Manager' does not automatically give you "full 
authorization". It is only a convention that Manager often 
has all permissions. 

This is important, because in Zope 2.2, you can't give a 
proxy role unless you have *that role* yourself. For example, 
you can't give the proxy role "Editor" to a DTMLMethod unless 
you have it yourself (this is true even if you have the "Manager"
role). The quick fix here is that you need to give yourself
the roles you want to set as proxy roles, and then you will be 
allowed to set them.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

[Zope] ANNOUNCE: Zope security alert and hotfix release

[Brian Lloyd]

Hi all -

  Tis the season for hot - fix - es, fa la la la la,
   waa waa waa waa...

  Peter Kelly has brought another potential security issue to
  our attention that is important enough to make a Hotfix
  available for those who allow untrusted users to edit DTML
  on their sites.

  The issue involves incorrect protection of a data updating method
  on Image and File objects. Because the method was not correctly
  protected, it was possible for users with DTML editing priveleges
  to update the raw data of a File or Image object via DTML though
  they did not have editing priveleges on the objects themselves.

  We recommend that any Zope site running versions of Zope up to and
  including 2.2.4 have this hotfix product installed to mitigate the
  issue if the site is accessible by untrusted users who have DTML
  editing privileges.

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/README.txt

  http://www.zope.org/Products/Zope/Hotfix_2000-12-18/Hotfix_2000-12-18.tgz

  The hotfix will work for all versions of Zope 2.1.x and higher. A
  Zope 2.2.5 release later this week will contain the fix for this
  issue (as well as all hot fixes to date) and you will be able to
  uninstall the hot fix after upgrading.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Editing Property Sheet HTML

[Brian Lloyd]

 The question is ... how do I do it?  I'd like to make the default
 textarea field quite a bit bigger -- but I wasn't able to explore my
 way to success in the interface, and about 20 mins of seaching has
 yielded no answers.

You could edit lib/python/OFS/properties.dtml, which renders
the property management screen. The DTML in there has gotten
pretty scary over time though :^)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] Editing Property Sheet HTML

[Brian Lloyd]

 If I want to make a custom Properties view for a specific ZClass, how
 do I proceed?  Just create an additional method for the class and add it
 under Views?

That's what I'd do.

  And if I do this, is there any kind of DTML templete
 (sort of like the default add and addForm methods) that I can work
 from?  And do I need to go this far if I (for example) simply want to
 change the display order for existing properties?

Yes - if you don't like the existing property form, you
need to make your own. You should be able to start with
the stock properties.dtml source for the new view and 
make your changes starting from there...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] [BUG] Background processes interfere with Zope's HTTP responses

[Brian Lloyd]

 How to fix the problem:
 
   There should be a (file) control "CloseOnExec", that tells
   Unix to automatically close the file like object upon
   an exec.
   ZServer should probably use it on each of its sockets.
   I can not see a serious application that should have
   direct access to ZServer's HTTP request socket.
 I will soon file a bug report into the Collector.
 Dieter

 I'm on the win32 platform and thought that the problem was with my
 proxy software.  Now I'm not so sure.

Note that what Dieter is talking about would only affect 
you if you were spawning an external process that inherited 
the filehandles of the zope process. 

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )

RE: [Zope] read_raw() not allowed below root ?

[Brian Lloyd]

Didier -

read_raw() is an internal api that should never have
been exposed in the first place (as you've noticed,
that hole has since been closed up).

You probably want to use the 'document_src()' method,
which does what you want and is protected by the
'View management screens' permission.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909
Digital Creations  http://www.digicool.com




 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Didier Georgieff
 Sent: Wednesday, December 20, 2000 10:25 AM
 To: [EMAIL PROTECTED]
 Subject: [Zope] read_raw() not allowed below root ?


 Hello,

 I have a new problem wich i suspect is related with the weird
 things i didn't solved yet. I
 still don't found if it's a misunderstanding about new 2.2
 security (like setting a local
 role ONLY if you have this local role) or a real problem.

 I have a view_code method (stolen from Yihaw) wich basically look
 at code, properties,
 folders and print it.

 It was working like a charm under 2.1.6.

 Now on 2.2.4 (with the 12-08, 12-15a and 12-18 hotfix) and
 TransparentFolder 0.3:

 * I don't have access to read-raw() (Unauthorized traceback
 below) , even if i'm
 manager (and even on folders without local roles) and even with
 manager as proxy role
 for this method.
 * ownership is implicit
 * and i deleted the remaining "superuser" having a local role on
 this method.

 Until i understand what is going on (a bug or a
 misunderstanding), i guess i'll (gently ;-)
 flood the list.
 I'm deeply sorry to post again, but i found no information on the
 archive (read_raw), the
 explanations on the new security model didn't ring a bell, so 

 Thanks for any help or tip.

 Unauthorized
 You are not authorized to access read_raw.
 Traceback (innermost last):
   File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 222,
 in publish_module
   File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 187,
 in publish
   File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 171,
 in publish
   File /zope/2-2-2/lib/python/ZPublisher/mapply.py, line 160,
 in mapply
 (Object: view_code)
   File /zope/2-2-2/lib/python/ZPublisher/Publish.py, line 112,
 in call_object
 (Object: view_code)
   File /zope/2-2-2/lib/python/OFS/DTMLMethod.py, line 172, in
 __call__
 (Object: view_code)
   File /zope/2-2-2/lib/python/DocumentTemplate/DT_String.py,
 line 528, in __call__
 (Object: view_code)
   File /zope/2-2-2/lib/python/DocumentTemplate/DT_In.py, line
 691, in renderwob
 (Object: objectItems('DTML Method'))
   File /zope/2-2-2/lib/python/DocumentTemplate/DT_Var.py, line
 278, in render
 (Object: read_raw())
   File /zope/2-2-2/lib/python/DocumentTemplate/DT_Util.py,
 line 331, in eval
 (Object: read_raw())
 (Info: read_raw)
   File /zope/2-2-2/lib/python/OFS/DTMLMethod.py, line 194, in
 validate
 (Object: view_code)
   File /zope/2-2-
 2/lib/python/AccessControl/SecurityManager.py, line 139, in
 validate
   File /zope/2-2-
 2/lib/python/AccessControl/ZopeSecurityPolicy.py, line 183, in
 validate
 Unauthorized: (see above)


 --
 Didier Georgieff
 DDAF du Bas-Rhin - Cellule SIG
 2, rue des Mineurs 67070 Strasbourg Cedex
 tél : 03.88.25.20.33 - fax : 03.88.25.20.01
 email : [EMAIL PROTECTED]
 SIT du Bas-Rhin : http://www.bas-rhin.sit.gouv.fr
 GéoWeb http://sertit10.u-strasbg.fr

 ___
 Zope maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope
 **   No cross posts or HTML encoding!  **
 (Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope-dev )




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )