RE: [Zope] Your feedback: what should DateTime strftime() behavior be?

2000-07-26 Thread Brian Lloyd

> |   -1 == disagree
> 
> You will only ever see votes from people wanting change... apathy rules
> otherwise. Then when it changes you'll see a whole bunch of bitching about
> the change, and how there's 1,000 people on the list and only 20 people
> voted... etc. d8) Mailing list votes are often a bad idea...

I don't know of a better one though :( We have exactly the same 
problem in the Real World, of course. The alternative is to have 
some arbitrary group trying to guess the right decision, which 
will (of course) always lead to an equal or greater amount of 
bitching :)

I'll be moving off the list to some sort of web-poll, but the 
fact will remain that those who only become opinionated after 
the fact will never be happy :)

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




[Zope] Where should votes be posted? (was: Your feedback on datetime)

2000-07-25 Thread Brian Lloyd

> Do we *have* to clutter this [EMAIL PROTECTED] list up with loads 
> of votes?
> 
> It is high enough traffic as it is!

That is a good point. My initial reaction is to say that 
maybe voting should only be done on zope-dev, but I worry 
a bit that there may be quite a few people on the zope list 
(and not on zope-dev) who would have a stake in an issue and 
end up not seeing (or voting) on it.

Ideally I'll have a web-based voting thing on dev.zope.org 
so that only one pointer to it has to go to the list(s), but 
until then I propose that votes happen on zope-dev for the 
time being...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Your feedback: what should DateTime strftime() behavior be?

2000-07-25 Thread Brian Lloyd

Hi all -

There has recently been some confusion over the expected 
behavior of various approaches to DateTime formatting in 
Zope regarding timezone representation. I would like to 
resolve this for the next release by making a proposal 
and asking you to reply to the list with a "vote":

  +1 == agree

  +/-0 == no strong opinion

  -1 == disagree

 
So then, here is the situation. In Zope 2.2 (and earlier), 
formatting a date using either:

  

  

...would give you the date *formatted based on GMT rather than 
the timezone (usually local) representation of the object*. 
Simply doing:

  

...however, would print the date in the current timezone of 
the datetime object.

Many feel that this difference is unintuitive and a pain. The 
proposal is that both:

  

  

...would be changed to apply the format to the current TZ 
representation of the object rather than convert to GMT. Of 
course, this could be a problem if there are people currently 
counting on the output being GMT, which is why we're putting it 
to a vote. If this change is made for 2.2.1, those who still 
wanted the output in GMT could just call the 'toZone()' method 
of the datetime object to get a GMT version before formatting:

  


What do you think?


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] SECURITY ROLES and < DTML-IN>

2000-07-17 Thread Brian Lloyd

> I am having trouble rendering a  in ZOPE 2.2.0 to any user
> regardless of roles.
> 
> I have allocated the proper rights to all objects used and 
> nothing happens.
> The  will not let any user view its contents.

Theodore - 

I bet you're running into the same problem as the 
folks using the ODBC adaptor. I've attached the post 
I made addressing this a few minutes ago.

If this fixes your problem, could you send a note to 
the zope-list and let the folks there know that the fix 
works for the Oracle DA too? (I'm going out of town today, 
so I won't be able to forward it if you only reply to me)

Thanks!

> Hi guys - 
> 
> For those of you (I've mostly heard ODBC adapter users) 
> having authorization problems with your SQL methods, here's
> the scoop:
> 
> Database connections use one of two classes in the 
> framework for wrapping up result data returned from 
> queries. One of those classes (that understands results 
> in RDB format) was missing a required security assertion. 
> 
> The results returned by the ODBC adapter were bitten by 
> this - probably there are other adapters that could 
> be affected.
> 
> I've attached a patch file for the file:
> lib/python/Shared/DC/ZRDB/RDB.py
> 
> ...as well as an updated version of the whole file (since 
> I know a lot of you will be on Windows w/o patch :) Either 
> patch or replace the file and restart Zope to fix the 
> problem.
> 
> This is also checked in for a 2.2.1 release that will 
> probably happen after a few weeks when enough people 
> have upgraded to shake out any other problems.
> 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





 RDB.py
 RDB.py.patch


RE: [Zope] upgrade to 2.2 and zsql methods problems

2000-07-17 Thread Brian Lloyd

> I have the exact same problem.
> 
> Júlio
> 

Hi guys - 

For those of you (I've mostly heard ODBC adapter users) 
having authorization problems with your SQL methods, here's
the scoop:

Database connections use one of two classes in the 
framework for wrapping up result data returned from 
queries. One of those classes (that understands results 
in RDB format) was missing a required security assertion. 

The results returned by the ODBC adapter were bitten by 
this - probably there are other adapters that could 
be affected.

I've attached a patch file for the file:
lib/python/Shared/DC/ZRDB/RDB.py

...as well as an updated version of the whole file (since 
I know a lot of you will be on Windows w/o patch :) Either 
patch or replace the file and restart Zope to fix the 
problem.

This is also checked in for a 2.2.1 release that will 
probably happen after a few weeks when enough people 
have upgraded to shake out any other problems.




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 


 RDB.py
 RDB.py.patch


RE: [Zope] Hot fix and 2.20

2000-07-15 Thread Brian Lloyd

> Do I have this right?  I do not have to install the 
> hot fix if I just installed the recently released 
> version 2.2.0 final.  correct?
> 
> -mjm

That is correct - the hotfix is only required for sites 
running versions prior to 2.2.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Announcing dev.zope.org

2000-07-14 Thread Brian Lloyd

Hello all,

For some time now, it has been a goal of ours to open up 
the Zope development process. Some of you may have heard 
me promise this at the Zope track back in January. Well, 
it took a little longer than I had hoped it would, but 
I'm happy to announce an important step in making that 
a reality: http://dev.zope.org.

dev.zope.org is the place for discovering, initiating, 
and contributing to work on the core Zope platform and 
related Zope technologies. You can think of it as the 
rough equivalent of what Mozilla.org is to Mozilla.

Why has it taken so long? Because there is much more to 
"opening the development process" than simply doling out 
CVS access. Evolving a relatively large and complex 
piece of software like Zope is a non-trivial task, and 
doing it in a highly distributed environment is harder 
still. The dev.zope.org site will provide the background 
materials and tools to ensure that work on Zope is 
consistent in organization and execution. It will also 
help those new to Zope development to come up to speed 
and get involved quickly.

There is still plenty to be done on the site, but it 
is done enough to start using it so I want to start 
learning by doing. If you have questions or comments on 
the dev site, please send them to me at [EMAIL PROTECTED] 
and CC the zope-dev list (which is where I expect traffic 
related to dev.zope.org should go in the near term).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Zope 2.2 final released!

2000-07-14 Thread Brian Lloyd

Hi all,


  Zope 2.2.0 final has been released - you can download it 
  from Zope.org:

  http://www.zope.org/Products/Zope/2.2.0/


  Many thanks go to all of those who have worked with the 
  alpha and beta releases and helped work through the more 
  than 110 (!) issues that have been closed since Zope 2.1.6 
  came out.

  The Zope 2.2 release includes:

- The new security policy implementation and object ownership 
  that addresses the server-side trojan issue:

  http://www.zope.org/Members/jim/ZopeSecurity/ServerSideTrojan

- The new online help system which provides context-sensitive 
  help for all Zope management screens and includes Zope API 
  documentation

- A built-in Zope tutorial to get new users started with Zope

- Basic internal support for mountable object databases

- A new "history" tab for selected objects that provides access
  to previous revisions through the web

- Better performance on many systems as a result of setting a 
  more appropriate value for the "check interval" of the Python 
  runtime

- Many, many bugfixes!


  For more information on what is new in Zope 2.2, see the 
  CHANGES.txt and HISTORY.txt files for the release:

- http://www.zope.org/Products/Zope/2.2.0/CHANGES.txt

- http://www.zope.org/Products/Zope/2.2.0/HISTORY.txt


  Note that there are important changes to the security model in 
  Zope 2.2 that both site maintainers and Zope product developers 
  need to be aware of. Site maintainers should read the document 
  "Upgrading to Zope 2.2.0" for important information on upgrading 
  their Zope sites:

- http://www.zope.org/Products/Zope/2.2.0/upgrading_to_220

  Product authors should read the "Product author's guide to 
  Zope 2.2+ security" to learn about the changes in 2.2 that 
  may affect their products:

- http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide 


Enjoy!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] testing for local roles

2000-07-14 Thread Brian Lloyd

> Well, while we're on the subject of AUTHENTICATED_USER.has_role, I've
> just come upon an error that just popped up all of a sudden in an SQL
> query that was working fine before.  The problematic line is:
> 
> 
> 
> and the error I get when trying to test it is:
> 
> Error, exceptions.NameError: AUTHENTICATED_USER
>
> 
> 
> Another query in the same folder uses the exact same if statement, and
> works fine.  I am running 2.2b4.  Can anyone suggest a solution?

Aaron - 

Are you passing AUTHENTICATED_USER as an argument to the 
query that is working (and not doing so on this one?) 
Remember that SQL methods don't automagically get the 
same namespace that DTML does - the only things it can 
use are attributes that are named in the arguments list
(this is to prevent names that are coincidentally the 
same in a REQUEST form or something from being inserted 
into queries).

One common way of doing what you want is to add REQUEST 
to the arguments list of the SQLMethod and use:



select * from data




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] upgrade to 2.2 zsql authentication problem

2000-07-14 Thread Brian Lloyd

> I create a zsql method in 2.2b4, using the test tab the zsql method works
> ok. The problem is when I use a dtml method or document (executable objects)
> to call the zsql method with an IN statement, a not authorized browser box
> appears. I'm aware of the ownership changes but on my port I'm having these
> problems only with zsql methods so I wonder if this is only related with
> this product before diving into the ownership issues.

Julio - 

I can't reproduce this here (using the Gadfly db connection
and DTML that looks like:


, , 



Can you tell me:

  o What db connection you are using

  o What the dtml of your  statement looks like

  o the permissions on the DTML method, the DB connection
and the SQLMethod you are calling

  o and the ownership settings of each of the above?

Thanks!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] testing for local roles

2000-07-13 Thread Brian Lloyd


> Is
> 
> 
> 
> valid for local roles? siteManager is a local role.
> It seems that if I use this and there is a user with a local role present
> nothing is displayed.
> I'm wondering if there is a has_localrole() method of AUTH..._USER but
> I haven't been able to find it.


Aaron,

The has_role method of User objects can take an optional 
second argument, which is the object to use as context 
(to take local roles into account). Note also that you 
need to pass the list of roles in as a sequence. The 
following should do what you expect:


  ...



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Zope patches or update for Python 2.0?

2000-07-12 Thread Brian Lloyd

> >I would suggest trying 2.2 beta 4. I think that all of
> >the multi-arg append()'s are out of that
> 
> Not quite. I currently found 3 events.
> I will send appropriate patches to Collector today.
> I promise that will check all of Zope sources for
> append() incompatibility (without non-standard
> Products of course :).
> Maybe for socket.connect() too.

Great - if you hunt 'em down, I'll make sure the 
fixes get in for 2.2 final.

thanks!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Zope patches or update for Python 2.0?

2000-07-12 Thread Brian Lloyd

> Does anyone have a patch for Zope (any version >= 2.0) to enable it to run
> reliably under the latest versions of CVS in the SourceForge repository?
> The decision was made to tighten up both the multi-arg append and multi-arg
> connect items.  I was hoping someone else had already gone through the code
> and fixed all these items, saving me the time.

Hi Skip -

I would suggest trying 2.2 beta 4. I think that all of 
the multi-arg append()'s are out of that (not so sure 
about connect()'s, but I think some enterprising folks 
are using it with the new stuff).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Beta -problem

2000-07-12 Thread Brian Lloyd

> while starting Zope this morning I got this message. Yesterday I installed
> the newest beta.

> ->Traceback (innermost last):
> 
> import sys, ExtensionClass, TimeStamp, cPersistence, Persistence
> ImportError: No module named ExtensionClass

Are you using a source or binary release? If you are using a 
source release you need to follow the installation instructions 
to build the binaries...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] data record exceeds transaction record

2000-07-11 Thread Brian Lloyd

> > It's not a server or a hardware problem because I tested my data.fs on
> > another hardware, machine. As well as it's not another file in zope,
> > because I tested that data.fs on zope linux, and zope windows. So it's
> > really inside data.fs
> 
> The data file is definitely corrupted. That's what the error traceback says.
> It's a "FileStorage.CorruptedTransactionError".  The question is how the file
> got that way.

Johnathan,

A few days ago R. David Murray posted this to you:

> This may not be of any help, but I got this kind of error when
> I was trying to build a Zope site on a computer that had
> one of the bad Intel motherboards.  I banged my head against
> the wall hard before I finally figured out that it was a
> hardware problem...

Have you verified that you're not running into the 
same problem (or same sort of problem)? It's easy 
enough to fix a corrupted database, but it will do 
you no good if you actually have a hardware problem
because it will just happen again eventually.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] ANNOUNCE: Zope 2.2.0 beta 4 released

2000-07-10 Thread Brian Lloyd

Hi all,

Zope 2.2.0 beta 4 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b4/


This release includes fixes for a number of bugs 
found in the beta cycle, including a fix for 
the recent database packing issue. It also 
contains updated online help and API documentation. 
I expect this to be the last beta before 2.2 final.

For more information, see the CHANGES.txt file for the 
release:

http://www.zope.org/Products/Zope/2.2.0b4/CHANGES.txt


If you are still using a 2.1.x version of Zope, be sure to 
see the document upgrading to Zope 2.2:

http://www.zope.org/Products/Zope/2.2.0b4/upgrading_to_220

for information on the recent changes to the Zope security 
model and other upgrade information.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Problem with database packing (major data loss)

2000-07-07 Thread Brian Lloyd

> On Zope 2.1.6 if you pack the database with '0' in the days box
> and then pack it again with '1' in the days box bad things happen. In
> our case the first pack resulted in a Data.fs of 17MBytes (not bad
> from a started point of nearly 2GBytes) the second pack (which I
> assumed would do nothing) resulted in a Data.fs of 3MBytes. Great I
> thought, however it also broke most of my site. Some of the symptoms
> are:
> 
> Accessing existing folders gives KeyError
> Many of my ZClasses are turned into DTML Methods (that is the icon
> next to them in the folder view is a DTML Method icon)
> All the instances of the broken classes are broken.
> 
>  
> Thankfully I kept backups before performing the packs.

Richard - 

A notice was sent out to the list a week or so ago on this - 
there is a bug in the packing machinery that (as you found) 
doesn't correctly handle things when you pack to a certain time 
and then subsequently pack to an earlier time. The fix for 
this is already checked in for 2.2.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Patch to DateTime.py

2000-07-07 Thread Brian Lloyd

>   The people who want this site want the local time, not UTC+0 that strftime
> enforces.
> 
>   So, I created a tiny patch which adds _.DateTime().strfltime(), which works
> identically, except it passes LOCALTIME instead of GMTIME.
> 
>   It's tiny, it's simple, but it's REALLY HANDY!
> 

Curtis - 

Please submit this to the Collector

http://classic.zope.org:8080/Collector/

...as a feature request w/patch. Patches posted via email 
tend to get lost in the rushing current of the lists :)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] wierdness with 2.2, Security, and manage_addProduct[' ']..

2000-07-06 Thread Brian Lloyd

> Why won't this work in Zope 2.2? Make a DTML method containing:
> 
> 
>   
> 
> 
> I cannot find a way to make the security system let this 
> through. 
>
> 
> 
> I've pretty much convinced myself it's a bug in the 2.2 
> security system...
> 
> Anyone? Brian?

It is (or rather was). The fix is in beta 4, out late today/
early tomorrow.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] NOTICE: issue with database packing in current Zope releases

2000-07-05 Thread Brian Lloyd

> > Jim found a problem with the algorithm for packing the Zope
> > database that we wanted to announce so that folks can avoid 
> > being bitten by it until the fix is out (in b4).
> 
> I think this is a candidate for a Hotfix.
> 
> 2.2 upgrades could be problematic and I think we might continue
> to see large numbers of 2.1.6 users until all the products run
> happily on it.

Hm - the goal I had for Hotfixes was to address imperative 
problems that couldn't really be addressed any other way. I'm 
not sure that this _quite_ makes the grade in my opinion (but 
I could probably be convinced). For example, a security problem 
_demands_ a hotfix-type solution because you can't tell the 
crackers out there "don't do that!". In this case, there is 
a clear way to avoid the problem that *is* under your control
and a clear way to recover in case you forget :)

I also want to make sure that Hotfix releases instill a sense 
of urgency in people - while there are lots of things that 
*could* be packaged that way, I worry that doing this when it's 
not absolutely necessary can cause "hotfix fatigue" where 
people might stop paying attention to them over time.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 






RE: [Zope] Database Adaptors and security and query()

2000-07-05 Thread Brian Lloyd

> Couple of things came up trying to use the current PostgreSQL da
> and zope 2.2b3.  I am working on a ZClass that lets you define
> and create tables in a database, so I needed to execute some
> generated sql [1].  
> 
> 1) I couldn't access the query() method of the connection unless
>I added our friend
> 
>__allow_access_to_unprotected_subobjects__=1
>  
>   to the DB class defined in ZPyGreSQLDA/db.py
> 
>Is this ok?

No - at least I highly doubt that your DBA will think so :) By
adding that assertion, you have now made the query() method 
accessible to anyone who can write DTML on your site and they 
can now run arbitrary SQL on your database. You may also have 
made it possible for random joes to call the query method of 
the connection through the web with whatever query they want :(


> 
> 2) Re calling query().  The query method only returns a tuple used
>to create a Results object (which dtml-in would like).  So I
>added a method to return a real live Results object 
> 
>def query_result(self,query_string, max_rows=999):
> return Results(self.query(query_string, max_rows))
> 
>Which does what I want.  Is this ok?  Is this a good idea?

No, for the same reason as 1


> 
> 3) I went down several wrong paths until I realized that it seems
>as if dtml-methods can't return anything but strings.  Is this
>right?

If you are calling the dtml method, you will get a string (the 
rendered document) unless you use something like the 'return' 
tag:  .  If you are going to this 
much trouble, you probably want to use an external method or 
something more suited to the task.

> 
> 
> 4) Grumble.  I had a lot of trouble with the interaction between
>Results returning data as tuples, and dtml-in handling tuples
>of 2 differently than everything else.  Create a table with
>3 columns, everything works.  Create a table with two columns,
>things don't work.  Is there access to list() anywhere?

Not in DTML.


> [1] I know, I can hear you saying "Use ZSQLMethods" but 1) You can't subclass
> them, and b) You can't put one inside a ZClass without a dummy
> connection.

"Use ZSQLMethods" :^) Seriously, it would be better to 
deal with the two problems above directly than to use 
workarounds that put security at risk.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
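
The answer to question 1 above, worked through in a small model. This is an added example, not Zope's or ZPyGreSQLDA's own code: `restricted_getattr`, the role names and the three DB classes are hypothetical, and the check is a simplification of how restricted (through-the-web) code reaches an object's attributes. It shows that the class-wide flag exposes every undeclared method, including the `query_result` wrapper from question 2, while a per-method role declaration does not.

```python
class Unauthorized(Exception):
    """Raised when restricted code may not reach an attribute."""


_UNDECLARED = object()


def restricted_getattr(obj, name, user_roles):
    """Simplified access check (assumption: modelled, not copied, from Zope).

    1. Names starting with '_' are never reachable.
    2. If the class declares <name>__roles__, the caller needs one of them
       (None means public).
    3. With no declaration, access is denied unless the container sets
       __allow_access_to_unprotected_subobjects__.
    """
    if name.startswith("_"):
        raise Unauthorized(name)
    value = getattr(obj, name)
    roles = getattr(obj, name + "__roles__", _UNDECLARED)
    if roles is not _UNDECLARED:
        if roles is None or set(roles) & set(user_roles):
            return value
        raise Unauthorized(name)
    if getattr(obj, "__allow_access_to_unprotected_subobjects__", 0):
        return value
    raise Unauthorized(name)


class DB:
    """Connection object with no security declarations: default deny."""

    def query(self, sql, max_rows=999):
        # Stand-in for running SQL; the return value is constructed.
        return ("constructed-result-for", sql)

    def query_result(self, sql, max_rows=999):
        # The wrapper from question 2: it forwards arbitrary SQL too.
        return list(self.query(sql, max_rows))


class OpenedDB(DB):
    """The workaround from question 1: one flag opens every attribute."""
    __allow_access_to_unprotected_subobjects__ = 1


class DeclaredDB(DB):
    """Narrow alternative: only the 'Manager' role may reach query()."""
    query__roles__ = ("Manager",)


# Constructed sample users and their roles.
USERS = {
    "anonymous": ["Anonymous"],
    "dtml_author": ["Anonymous", "Author"],
    "manager": ["Manager"],
}


def reachable(db, user_roles):
    """Names of the SQL-running methods this caller can obtain."""
    names = []
    for name in ("query", "query_result"):
        try:
            restricted_getattr(db, name, user_roles)
            names.append(name)
        except Unauthorized:
            pass
    return names


def access_matrix():
    """Map class name -> user -> reachable SQL-running methods."""
    return {
        cls.__name__: {user: reachable(cls(), roles)
                       for user, roles in USERS.items()}
        for cls in (DB, OpenedDB, DeclaredDB)
    }


if __name__ == "__main__":
    for cls_name, row in access_matrix().items():
        print(cls_name, row)
```
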








RE: [Zope] Authentication, Anonymous and Public

2000-07-05 Thread Brian Lloyd

> > A user that does not log in, i.e. a user you know nothing of,
> > gets the "Anonymous" role automatically (at least with "acl_users").
> > A logged in user may not get the "Anonymous" role.
> > 
> > This does not provide additional security, because this
> > user may simply shut down his browser and access the page again
> > as anonymous user.
> > On the other hand, it may result in surprises: suddenly (after
> > a log on) I can no longer do things that I was able to do
> > before the log on.
> > 
> > I think, this should be changed.
> 
> I agree, and I've said so, many times before ;-)
> 
> Chris

Guys - 

I'm looking at the security code, and the intent is 
that if 'Anonymous' is in the roles required to access 
an object, the user is allowed (even though he may not 
have been given the 'Anonymous' role explicitly).

This appears to be the case both in 2.1.x and the new 
2.2.x security policy - I've been trying to replicate 
the problem you are referring to but I must be missing 
something. My test case was:

  o create a user 'test', giving him only 'test_role'

  o create a dtml document object with default security
(anonymous has 'View' permission)

  o give users with 'test_role' 'View mgmt screens' on 
the dtml document.

  o in a new browser, visit doc/manage to force login
as 'test' with 'test_role'

  o try to view the doc normally ('View' is only given 
to anonymous), which works as expected


Can you give me a scenario that shows the problem so 
that I can reproduce it? (walk me through what objects 
to create, what permissions to give, how to try to 
access them). This should be done with standard built-in 
User/UserFolders if possible.

Thanks!

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] How do say wiki?

2000-07-03 Thread Brian Lloyd

> What would be an acceptable plural form of wiki,
> wikies
> wikis
> what?

wikii? :)

-Brian





RE: [Zope] 2.2b3 hangs a lot

2000-06-30 Thread Brian Lloyd

> been running 2.2.0b3 for a few days now.  
> config
> redhat6.1
> postgres
> ZPygreSql
> kmnetnews
> 
> after some time, zope just hangs.  when i do top, there's no processor usage at
> all on all python processes.  after a few minutes, zopes wake up  and continue
> to serve.  the cycle continues after some time.  the hangup is very sporadic.
> 

If you look at the server logs when it hangs, do you see any 
pattern as to what was requested when this happens? I haven't 
been hearing of any hanging issues with the 2.2 betas, which 
makes me suspect that something specific to this site may be 
in play here.

The fact that it comes back to life on its own after a while 
makes me think that this is either a very strange system 
issue or tied up with something that has a timeout (for ex.
is it possible that a query is trying to run, timing out 
against the postgres database?) If the PygresSql DA is not 
fully thread-safe then I could imagine this as a possibility.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Kid clicking and Zope thread deadlock

2000-06-30 Thread Brian Lloyd

> "Kid clicking" is a technical term used in multimedia game programs, 
> referring to firing multiple click events quickly. The most 
> scary part is 
> that under intense clicking, a multi-threaded program would go into 
> dead-lock.
> 
> I have a Zope application running. When I kid-click on one button, it 
> actually locks Zope up. This error does not happen when I run Zope in 
> single-thread mode. So, for the bug seems to come from Zope thread 
> dead-locking.
> 
> 
> 
> My Zope is 2.1.6. More info: it happens both with Netscape 
> and IE. More 
> info: when kid clicking on the webpage, actual requests are 
> sent to the Zope 
> server, I see from the terminal 4 lines about
> 
> 2000-06-30T00:29:43 PROBLEM(100) ZSybaseDA Changed database 
> context to 
> 'master'.
> Changed database context to 'mydatabase'.
> 
> and it then goes into deadlock. Not sure whether it's Sybase or Zope 
> problem.

The quick way to determine this: install a fresh Zope without 
SybaseDA installed and see if you can reproduce the kid-clicking 
behavior.

Another thing potentially to look at: there is a problem with 
Sybase connections that I have run into before where if you 
have a request that runs a transactional query, then a non-
transactional query, then tries another transactional query 
you get a hang :(  I don't know if this could be the case 
here, but if so you might want to look here for more info:

http://classic.zope.org:8080/Collector/1059/view




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] DTML Document class Id bug, somewhat fixed. But now setName ...

2000-06-29 Thread Brian Lloyd

>   And indeed the problem was with the fact that I was 
> subclassing the
> DTML Document, which as explained in 
> http://www.zope.org/Members/AlexR/ZClassIDBug
> somewhat mangles the Id property. Public thanks to Rik 
> Hoekstra <[EMAIL PROTECTED]>
> for suggesting that. 
>   I added this fix (from the page I mention above) to the 
> constructor method,
> 
> 
> 
> 
> 
> And when I try creating a new object, it blows up in my face with this
> error:

Walter -

this is sort of a tricky one :(  The problem is that the 
ZClass id bug is a legitimate bug (fixed in the 2.2 series), 
but your fix uses a method that should never have been 
accessible in the first place (and in fact the hotfix makes
it inaccessible, as it should have been all along).

So there are two things you could do here to get along until
you can upgrade to 2.2. One, you could edit the __init__.py
in the Hotfix product's directory and comment out the line:

DocumentTemplate.DT_String.String.setName__roles__=[]

...and restart Zope. That will make the setName method 
unprotected again though, so don't do this lightly. By 
unprotected I mean that other people could call setName 
on _your_ objects and screw things up if they wanted to.

An alternative would be to create an external method like
the following in your class:

def temporary_hack(self, id):
  self._setId(id)


...and try using:

  
  
  


That should let you solve it without reopening a security hole.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] RE: Zope Question entry: Security changes

2000-06-29 Thread Brian Lloyd

> Description:  (I posted this to zope-dev, but haven't seen an 
> answer yet. I'm adding it here so it doesn't get forgotten)
> 
> some questions raised by 
> http://www.zope.org/Documentation/How-To/ProductAuthorUpdateGuide
> 
> 
> Firstly, how does the presence of 
> __allow_access_to_unprotected_subobjects__=1 in a class 
> affect access to attributes in derived classes? Does it 
> affect the whole instance, or just attributes of the class 
> that includes it. In the following example I know subobject_2 
> is accessible, but what about the others?
> 

Toby, 

(sorry not to get back to you earlier on this) 

The security assertion is generally tested on instances, so if 
an instance has the assertion in its class (or any of its base 
classes) then it is effective for all of the base classes of 
that object.


> Secondly, I am confused that there have not been any security 
> changes in ObjectManager.py and PropertyManager.py. As I 
> understand it, the subobjects that they manage (ie properties 
> and folder items) now fall into the inaccessible-by-default 
> category. What am I missing?

Actually there has been a change: the security assertion is in 
SimpleItem.Item (which acts as a base class for most, but not 
all, Zope objects). This is why "dynamic" attributes such as 
properties continue to work as before.

Your first reaction might be (as mine was) "well, doesn't that 
just put us right back where we were before?". Not quite. What 
has been done is a first step to changing the policy to deny-
by-default rather than allow-by-default. Having the assertion 
in the Item class has the effect of:

  o allowing access to properties and some other kinds of 
attributes that are not currently explicitly protected, 
needed for backward compatibility

  o DISallowing access to certain other things that the old 
security rules would have allowed - for example under the 
old rules alone it was possible to get to the func_globals and 
other attributes of methods that you really shouldn't have 
access to. We had to handle that with special cases, which 
was painful and error prone (and only worked for problems that 
you knew about). 

The new policy with the security assertion allows us to keep access 
to properties and things we _need_ access to for backward 
compatibility, but also has the effect of protecting things like 
method attributes and other (possibly unknown) bits that should be 
off limits (a method would need a security assertion of its own for
those things to be accessible). 

While this is not totally perfect and still requires you to be 
careful about protecting attributes of base classes, it is better 
than it was before and a first step on the road to where we want 
to be that shouldn't cause too much angst among users and product 
developers.

Hope this helps - I'm going to reformat this a little and add 
it to the Product author guide.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
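
Added example (not part of the original message and not Zope's own code): a simplified Python 3 model of the policy this reply describes, covering the inherited assertion, the deny-by-default treatment of method attributes, and the hotfix line `setName__roles__=[]` quoted in the earlier "DTML Document class Id bug" reply. The names validate, guarded_getattr, check and demo, the role handling and the sample classes are assumptions made for the illustration.

```python
# Simplified model of the access policy described in the reply above.
# Added illustration: NOT Zope's ZopeSecurityPolicy code. Function names,
# role handling and the sample classes are assumptions of this example.

ALLOW_FLAG = "__allow_access_to_unprotected_subobjects__"
_MISSING = object()


class Unauthorized(Exception):
    """Raised when the model policy refuses an attribute access."""


def validate(container, name, user_roles=()):
    """Return True if `name` may be read from `container`, else raise.

    1. An explicit <name>__roles__ declaration decides: None is public,
       otherwise the user needs one of the listed roles, so an empty
       list admits nobody.
    2. With no declaration the default is deny, unless the container's
       class or any of its base classes carries the allow flag.
    """
    roles = getattr(container, name + "__roles__", _MISSING)
    if roles is not _MISSING:
        if roles is None or set(roles) & set(user_roles):
            return True
        raise Unauthorized("%s: needs one of %r" % (name, list(roles)))
    if getattr(container, ALLOW_FLAG, 0):
        return True
    raise Unauthorized("%s: unprotected, container has no assertion" % name)


def guarded_getattr(container, name, user_roles=()):
    """getattr() that consults the model policy first."""
    validate(container, name, user_roles)
    return getattr(container, name)


class Item:
    # Stand-in for SimpleItem.Item, which the reply says holds the assertion.
    __allow_access_to_unprotected_subobjects__ = 1


class Document(Item):
    # Derived class with no assertion of its own; it inherits Item's.
    title = "constructed sample"

    def setName(self, name):
        self.name = name

    def render(self):
        return "rendered"


class Bare:
    # No assertion anywhere in the hierarchy: denied by default.
    secret = "constructed sample"


def check(container, name, user_roles=()):
    """Return 'allowed' or 'denied' instead of raising."""
    try:
        guarded_getattr(container, name, user_roles)
        return "allowed"
    except Unauthorized:
        return "denied"


def demo():
    doc = Document()
    results = {
        # Assertion found through a base class covers the whole instance.
        "inherited assertion": check(doc, "title"),
        "no assertion": check(Bare(), "secret"),
    }
    # The method object is its own container and carries no assertion, so
    # its internals stay off limits (func_globals is __globals__ in Python 3).
    method = guarded_getattr(doc, "render")
    results["method attribute"] = check(method, "__globals__")
    # An in-memory declaration of the same shape as the hotfix line
    # `setName__roles__=[]` closes a method that was reachable before.
    results["setName before"] = check(doc, "setName", ["Manager"])
    Document.setName__roles__ = []
    try:
        results["setName after"] = check(doc, "setName", ["Manager"])
    finally:
        del Document.setName__roles__
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-20s %s" % (case, outcome))
```
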







[Zope] NOTICE: issue with database packing in current Zope releases

2000-06-29 Thread Brian Lloyd

Hi all,

Jim found a problem with the algorithm for packing the Zope
database that we wanted to announce so that folks can avoid 
being bitten by it until the fix is out (in b4).

The gist of it is that you should not pack your database to 
a given time and then subsequently pack the database to an 
*earlier* time. For example, do not pack to "older than 0 days"
and then pack to "older than 10 days". The algorithm in the 
current Zope releases doesn't handle this correctly and 
depending on the exact circumstances can end up getting rid 
of objects that it shouldn't in the packed version of the 
database.

Note that if you _are_ inadvertently bitten by this, you can 
recover by using the Data.fs.old in the /var directory that is 
created at pack time.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Creating PythonMethod from ZClass constructor/method.

2000-06-29 Thread Brian Lloyd

> 
> Using Zope 2.2b3, I am trying to create a PythonMethod from the
> constructor of my ZClass and keep getting an authorization 
> dialog. In my
> MyZClass_add method, I have:
> 
>   
>
>   
>  this(),
>   'testMethod',
>   'Test Method',
>   'self',
>   'pass'
>   )">
>   
>   
> 
> Every permutation I have tried gives the same result: an Unauthorized
> exception.

Hi Jeff - 

Thanks for reporting this. It turns out that there was a 
missing security assertion in the product dispatcher 
(manage_addProduct) that was causing this. The fix will 
be in b4. If you want to patch your install in the meantime,
edit lib/python/App/FactoryDispatcher.py and change:


class ProductDispatcher(Acquisition.Implicit):
    " "

    def __getitem__(self, name):
        ...

to:

class ProductDispatcher(Acquisition.Implicit):
    " "

    # Allow access to factory dispatchers
    __allow_access_to_unprotected_subobjects__=1

    def __getitem__(self, name):
        ...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Can not add Zope Tutorial with 2.2: Solved

2000-06-27 Thread Brian Lloyd

> the last updates for DA.py and/or TutorialTopic.py  have solved the
> problem for me.

good! :)


> One "aesthetic" problem i see now: The order of the Tutorial 
> lessons in
> the "menu" frame is wrong. 

Yes, I noticed that too. I don't know if Amos will get to this
by 2.2 final - I'll forward this to him though.

Thanks!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Zope 2.2.0 beta 3 released...

2000-06-26 Thread Brian Lloyd

Hi all,

Zope 2.2.0 beta 3 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b3/

This release resolves the "len of unsized object" error some 
folks were seeing with their SQL methods as well as an issue 
with broken installed products causing a recursion problem 
instead of appearing as normal "broken" objects. I'm hopeful 
that this will be the last 2.2 beta, assuming that no other 
real problems arise that need fixes tested before final.

For more information, see the CHANGES.txt file for the release:

http://www.zope.org/Products/Zope/2.2.0b3/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to 
see the document upgrading to Zope 2.2:

http://www.zope.org/Products/Zope/2.2.0b3/upgrading_to_220

for information on the recent changes to the Zope security model 
and other upgrade information.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Zope 2.2.0b2 - PythonMethods

2000-06-26 Thread Brian Lloyd

>I remember DC submitted PythonMethods into CVS, but I cannot find
> PythonMethod in 2.2.0b2. Are PythonMethods for later 
> versions? Or it will
> be separated Product forever?
> 
>I have downloaded latest PythonMethods and successfully 
> installed the
> component, but shouldn't it be in distribution? Or I just 
> don't understand
> something?

Oleg, 

There is still some work that we want to do on PythonMethods 
to get them where we want them for inclusion in Zope -- we 
need to get them well integrated with the Zope security 
policies and roll in some other work that will make all 
method-like objects behave in a more consistent manner. I'm 
hoping that this will happen relatively soon (though I can't 
give you a date).

Until then, there's no problem using the latest distribution. 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Moving Z Classes around

2000-06-26 Thread Brian Lloyd

> Having discovered that [my] Z Class is in the wrong product, 
> I'd like to
> move it elsewhere.  The obvious thing to do is to use Cut + Paste;
> unfortunately, I get:
> 
>   The item  does not support this operation.
> 
> (The function manage_copyObjects is not happy!)
> 
> I can't think of another way to move my classes without 
> rebuilding them --
> any advice?

Michael,

I agree that this is a pain, but it is a fact of life for now 
in ZClass development. ZClasses have a different relationship 
with other Zope objects than normal, in that other instances 
in the object space refer to them as their class. That makes 
picking them up and moving them something not to be done 
lightly. In the Python world, this would be equivalent to 
pickling a bunch of objects and then moving the class for 
those objects to a different package. Without some explicit 
action, all of the pickled objects would break because they 
would be referencing a class that is no longer there. 

It's the same deal with ZClasses. It may be possible in the 
future to move ZClasses around, but something will still need 
to be done about existing instances created from a class that 
moves. So far we have avoided the hard thinking required to 
solve that :^) This would be a good candidate for a proposal 
in the forthcoming ZopeDev area on Zope.org. More on that 
later...

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...

2000-06-25 Thread Brian Lloyd

> > I think that you have hit it on the head - we're trying *hard* to 
> > make Zope harder to fool :^) Try adding the following to your 
> > class statement, for example:
> > 
> > class MyClass:
> > 
> >   __allow_access_to_unprotected_subobjects__=1
> 
> Just a question: Is this documented somewhere.. I've seen some more
> of these things here and wonder if there's some explanation 
> what exactly
> has changed in 2.2 and which constants can be used to control these
> things..

I plan to publish a guide for Product authors Monday that captures 
the essence of what has changed about the security policy and 
what product objects need to do to play nicely within it.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] 2.2.0b2 dies in Windows NT4

2000-06-25 Thread Brian Lloyd

> I've tried this again.  When I access the manage page, an 
> Import/Export
> tab at folder / comes up, and then Python.exe dies with an NT 
> exception
> which is a stack overflow :-(
> 
> Same thing happened with 2.2.0b1.

Graham,

Do you have another (clean, preferably SP4) NT machine available 
to you to test with? I cannot reproduce on any of a fair number 
of NT boxes available to me, which leads me to believe that 
either:

  1 the problem is a difference in our Zope installations 
(i.e. installed products) 

  or 

  2 we each have a different set of gremlins active in our NT
installations


(1) should be fairly simple to diagnose. If you install a fresh, 
clean b2 on your NT box and start it with the *default* database 
and _no_ third party products installed, do you get these odd 
crashes? If not, then the next step is to determine which product 
is activating the problem.

If you still crash with a totally clean install and using the 
default object database, then I don't know what else to do but 
assume (2) :(.


> Also, if I try to access any pages that use SQLSession ( an older
> version ), I get authentication challenges from ZopeSecurityPolicy.py
> when I use the getName() method of the session object.  Hopefully this
> will go away if I upgrade to the latest version.

Hopefully, but there is a possibility that some products may 
need to be updated to behave correctly in the tighter security 
policies in 2.2. I have as an action for me to post a guide for 
product developers on Monday that advises product authors on 
how to update their products if they are affected.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Can not add Zope Tutorial with 2.2

2000-06-25 Thread Brian Lloyd

> in preparation for the LinuxTag 2000 i tried to add the Zope 
> Tutorial to
> Zope 2.2.0b2 (and fresh CVS versions of the last three days) but i get
> the following error (i think it's the same error as Oleg mentioned):
> 
> Error Type: TypeError
> Error Value: ('len() of unsized object',  Shared.DC.ZRDB.DA.SQL at
> 85fb7e0>, None)

Jochen,

Did you try to _import_ the tutorial or add it from the "add list" 
in the management interface? It is intended that you should add it 
from the add list (this should be better documented though...)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Short urls? SHORT URLS???

2000-06-23 Thread Brian Lloyd

> Geeez,
> I thought that one of Zope's promises was nice short URLS. 
> Wutts up with
> this?
> http://xanadu.unk.edu:8080/QuickStart/index_html?tree-e=eJyLVn
> eEASdPW3UdBSR-JCrf1cRWPRYAGNELbA#AE4

They _are_ nice and short - if you don't use the Tree tag :^) 



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...

2000-06-23 Thread Brian Lloyd

> BUT, the BIG problem I'm having is still with the external method in
> courseList.py. 
>
> 
> 
> Any ideas?  Now, it could just be my programming.  With the 
> new 2.2 version
> I may need to add security information to each object (which 
> I don't know
> how to do).  Right now I'm just starting with a blank class 
> and adding a few
> properties to it.  Zope may be looking at it and thinking, 
> "What the heck is
> this thing?"  The idea was to trick Zope into thinking it was 
> a Z SQL query;
> perhaps 2.2 isn't so easily fooled...?

I think that you have hit it on the head - we're trying *hard* to 
make Zope harder to fool :^) Try adding the following to your 
class statement, for example:

class MyClass:

  __allow_access_to_unprotected_subobjects__=1

  def __init__(self, foo):
    ...

...You'll need to restart Zope for this to take effect.

Hope this helps!

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Zope2.2.0b2 - cannot import tutorial

2000-06-23 Thread Brian Lloyd

>I started to do experiments with 2.2.0b2 (I skipped b1). 
> Looks good.
> 
>I played a little and found tutorial.zexp in directory 
> import. I tried
> to import, but Zope complains.

That import file is used by Amos' new Zope Tutorial object 
(you add that via the normal add list). It probably shouldn't 
blow up if you try to import it normally though - I'll forward 
this to Amos.

>I remember DC promises to add a screen to configure the number of
> threads instead of default 7, but I didn't find the screen. 
> Will it be
> added later?

Who promised you that? :^) I hadn't heard of this...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








[Zope] RE: Zope2.2.0b2 not workink on win98

2000-06-23 Thread Brian Lloyd

> On my Win box Zope don't allow add _no one_  objects (eg. Folder),
> don't allow enter Control Panel if product incorrect installed, etc..
> Zope 2.1.6 and 2.1.7 (with appropriate patches)  works very well.
> 
> What I am doing wrong or eventually how can I help to avoid 
> this problems ?
> 
> platform: Win98, Zope2.2.0b2 from official installer, empty 
> (default) Data.fs
> 
> Eg. if i try to add a Folder that is happened:
> 
> Error Type: SuperCannotOwn
> Error Value: Objects cannot be owned by the 
> superuser
>
> 

Adam,

In Zope 2.2 and above, the superuser should *only* be used to 
bootstrap your system and create management users. The superuser 
can not own objects in Zope now for security reasons. Please see 
the "upgrading to Zope 2.2.0" document on Zope.org for more 
information on this.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Zope 2.2 beta 2 released

2000-06-22 Thread Brian Lloyd

Hi all,

Zope 2.2.0 beta 2 has been released - you can download it from
Zope.org:

http://www.zope.org/Products/Zope/2.2.0b2/

This release resolves the outstanding issues from beta 1 as well 
as the integrated fix for the recent security issue and further 
refinements of the help system. 

For more information, see the CHANGES.txt file for the release:

http://www.zope.org/Products/Zope/2.2.0b2/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to see the 
document "Upgrading to Zope 2.2" for information on the recent 
changes to the Zope security model and other upgrade information.

http://www.zope.org/Products/Zope/2.2.0b2/upgrading_to_220


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Quickstart problems...

2000-06-22 Thread Brian Lloyd

> 
> Do I have something misconfigured, or is Quickstart broken with latest
> beta?
> 
> 
> Darren Addy

Darren - 

The QuickStart was broken in beta 1. It's fixed in beta 2 (out late 
today or early tomorrow).


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Please test this Zope 2.2 beta 1 ZSQLMethods fix...

2000-06-21 Thread Brian Lloyd

Hi all,

Several folks have reported problems in beta 1 with SQLMethods 
having authentication problems when trying to call other SQL 
Methods. I'd like a few intrepid volunteers to try something 
for me to see if it fixes the problem. I'd like to make a 2.2 
beta 2 release tomorrow but I want to make sure this issue is 
resolved first.

Make a backup of the file:

lib/python/Shared/DC/ZRDB/DA.py

in your current (beta 1) installation and replace it with the 
DA.py attached to this email, restart and let me know if the 
problem goes away.

Thanks!

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 





 DA.py


RE: [Zope] Does work with 2.1.7?

2000-06-21 Thread Brian Lloyd

> Just thought I'd rephrase the question after doing more 
> troubleshooting.
> Does anyone have this tag working for them when using Zope > 2.1.6???
> 

Mark - 

A number of fixes have been made to dtml-sendmail for 2.2. The 
version in 2.1.7 is hosed due to some configuration management 
issues that let some (but not all) of those fixes get into the 
2.1.7 release :( You really would be better off sticking with 
2.1.6 for another day or so until 2.2 beta 2 comes out.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Beta Zope Error

2000-06-19 Thread Brian Lloyd

> I get the same problem.  A SQL method of mine is apparently 
> accessible from
> within a DTML method but not from within another SQL method.  
> (I do this to
> determine if a record exists before overwriting it).  I also have an
> external method that augments query objects with special 
> grouping records.
> 
> Here's one of my tracebacks (hey, I get a different one every 
> time I click
> REFRESH):



I've been trying to reproduce this with a Gadfly connection and I 
haven't been able to make this happen - have you checked to make 
sure that all of the sql methods in question have the same 
ownership and permission settings? 

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Comfirming Hotfix is installed.

2000-06-16 Thread Brian Lloyd

> Is there any way to confirm that the hotfix has been installed?
> 
> I extracted the files and restarted Zope but it would be nice 
> if there was
> a way to confirm that it is installed.

Yes - that is one of the nice side-benefits of doing it this
way: look in the Control_Panel/Products and you will see the 
hotfix product in the listing. Click on it and click the "README" 
tab to view the readme file that describes the hotfix.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Updated security alert

2000-06-16 Thread Brian Lloyd

Hi all -

I've updated the security alert (below). Short story: a new 
"hotfix product" is available on zope.org that will work for 
all 2.0+ Zopes and has no side effects or upgrade implications 
for Zope installations. This feels like a much better model for 
things like this, especially for production sites.





We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A hotfix for this issue in the form of an add-on Zope product has 
been made available on zope.org. To install the hotfix, simply 
download and install the package as you would any other Zope add-on 
product (extract it in the root of your Zope installation). Remember 
to restart your Zope installation for the hotfix to take effect.

http://www.zope.org/Products/Zope/Hotfix_06_16_2000/Hotfix_06_16_2000.tgz

The hotfix will work for all versions of Zope 2.0 and higher, 
including the recent 2.2 alpha and beta releases. The forthcoming 
Zope 2.2 beta 2 release will contain a fix for this issue, and you 
will be able to uninstall the hot fix after upgrading to 2.2. (though 
nothing bad will happen if you don't uninstall it).

Note that the 2.1.7 release that was initially made to address this 
issue has been pulled in favor of this hotfix product, which will 
allow managers of Zope sites to address this issue without worrying 
about other implications of upgrading their installations.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients install the 06/16/2000 hotfix product immediately.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







[Zope] Re: Zope 2.1.5/6/7 upgrading issues

2000-06-16 Thread Brian Lloyd

Hi guys,

First of all, I'd like to apologize for the pain factor here - 
there have been some CM process changes around here and the 
2.1.x branch is suffering as a result :(

I have a proposal, however, that I hope will make this much 
easier. How about if we:

  o release a "Product" today that, if you install it and 
restart your Zope (no matter what version), patches the 
hole at runtime (in memory change only).

  o retract the 2.1.7 release in favor of getting 2.2 beta 2 
out on Monday, which doesn't have the cruft problem of 
the 2.1.x branch and contains all fixes to date (and 
which will fix SQLMethod problems and support the SiteAccess
release that Evan is making today).


I can have the new "hotfix" product ready by 12:00pm EST today.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
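How an in-memory hotfix of the kind proposed above (and announced in the 06/16/2000 hotfix message) can work, as an added example: this is not the actual Hotfix_06_16_2000 code, and `TemplateBase`, `set_source`, `user_may_edit`, `User` and the `user` keyword are constructed stand-ins for a toy authorization model.

```python
import functools


class Unauthorized(Exception):
    """Raised when a caller lacks the permission the guarded method needs."""


class TemplateBase:
    """Constructed stand-in for a base class whose mutator shipped unguarded."""

    def __init__(self, source):
        self.source = source

    def set_source(self, source):
        self.source = source


class User:
    """Constructed user object carrying a list of role names."""

    def __init__(self, name, roles=()):
        self.name = name
        self.roles = tuple(roles)


def user_may_edit(user):
    """Toy policy (assumption): only users holding the Manager role may edit."""
    return user is not None and "Manager" in getattr(user, "roles", ())


def install_hotfix(cls, method_name, check):
    """Wrap cls.method_name in an authorization check, in memory only.

    Nothing on disk changes: the wrapper lives on the class object, so it
    covers instances created before the patch and disappears when the
    process restarts without the hotfix installed.
    Returns True if the patch was applied, False if it was already present.
    """
    original = getattr(cls, method_name)
    if getattr(original, "_hotfixed", False):
        return False  # idempotent: a second import must not double-wrap

    @functools.wraps(original)
    def guarded(self, *args, user=None, **kwargs):
        if not check(user):
            raise Unauthorized(method_name)
        return original(self, *args, **kwargs)

    guarded._hotfixed = True
    setattr(cls, method_name, guarded)
    return True


if __name__ == "__main__":
    doc = TemplateBase("original text")  # exists before the patch is applied
    install_hotfix(TemplateBase, "set_source", user_may_edit)
    try:
        doc.set_source("changed without credentials")
    except Unauthorized:
        print("anonymous edit refused; source is still:", doc.source)
    doc.set_source("changed by manager", user=User("admin", ["Manager"]))
    print("authorized edit applied; source is now:", doc.source)
```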







[Zope] Zope security alert and 2.1.7 update [*important*]

2000-06-15 Thread Brian Lloyd

Hello all,


We have recently become aware of an important security issue 
that affects all released Zope versions including the recent 
2.2 beta 1 release.

The issue involves an inadequately protected method in one of 
the base classes in the DocumentTemplate package that could allow 
the contents of DTMLDocuments or DTMLMethods to be changed 
remotely or through DTML code without forcing proper user 
authorization. 

A Zope 2.1.7 release has been made that resolves this issue for 
Zope 2.1.x users. This release is available from Zope.org:
  
  http://www.zope.org/Products/Zope/2.1.7/

A patch is also available if it is not feasible to update your 
Zope installation at this time (the patch is based on 2.1.6):

  http://www.zope.org/Products/Zope/2.1.7/DT_String.diff

If you are evaluating any of the recent 2.2 alpha or beta releases, 
you should apply the patch noted above if your site is accessible 
by untrusted clients. A forthcoming 2.2 beta 2 release will contain 
the fix for this issue.

While we know of no instances of this issue being used to exploit a 
site, we *highly* recommend that any Zope site that is accessible by 
untrusted clients take the appropriate mitigation steps immediately.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] getSize()? was [Zope] Zope 2.2 beta 1 released

2000-06-14 Thread Brian Lloyd

> > After noticing that ZWiki throws an Attribute Error / getSize in
> > RecentChanges, I tried a simple
> > 
> >
> > 
> > This works in 2.1.6, but throws the aforementioned exception in
> > 2.2b1, too. Is this a bug or a feature?
> 
> It's been changed to "get_size()".  I don't know whether that would be
> a bug or a feature. ;-)

getSize is deprecated, but since folks are still using it I have
added the alias back in for final.

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] upgrade from zope-2.1.6 to zope-2.2.0b1

2000-06-14 Thread Brian Lloyd

> Zope starts ok, but i can't get view or manage the site.  
> here's the traceback
> ---
> 
> Traceback (innermost last):
>   File 
> /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/Publish.py, 
> line 222, in publish_module
>   
>   File 
> /home/kdie/Zope-2.2.0b1-src/lib/python/ZPublisher/BaseRequest.
> py, line 501, in old_validation
> (Object: broken)
> AttributeError: (see above)
> 
> -
> 
> i use UserDb for authentication, got a few ZClass of my own, 
> SiteSummary, and a
> few other zope products.
> 
> can anyone shed some light ?

It _looks_ like you have a "broken" object in your top-level 
Folder. "Broken" objects are created when Zope has a problem 
unpickling an object (usually because the add-on product that 
defines the class of the object is missing). Are you sure that 
you got all of your add-on products installed (and any other 
dependencies like external methods) copied to the beta install?

Alternatively, it is possible that one of your add-on products 
is incompatible somehow with the beta (if it can't import 
correctly, for example, then objects created from the product 
would be broken). One way you could probably test this theory:

  o shut down your beta installation

  o cd to your lib/python directory and crank up a Python prompt

  o do 'import Zope'. Look for any tracebacks (though the product 
import process will likely consume exceptions when trying to 
import products).

  o for each 3rd party product in lib/python/Products, try to 
do: 'import Products.xxx' where xxx is the product package 
name. If a product can't be imported, you should get a 
traceback for it (please post it if you get one).

Hope this helps!



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
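The per-product import check described above can be scripted. This is an added example, not part of the original message, written for current Python rather than the interpreter Zope 2.2 shipped with; `check_products`, `build_demo_tree` and the `DemoProducts` tree are constructed for illustration.

```python
import importlib
import os
import sys
import tempfile
import traceback


def check_products(lib_python, package="Products"):
    """Import each sub-package of `package` directly and record the outcome.

    Returns {product_name: None} for a clean import and
    {product_name: traceback_text} for a failing one. Importing each product
    by hand matters because a bulk import step may swallow the exception.
    """
    products_dir = os.path.join(lib_python, package)
    if lib_python not in sys.path:
        sys.path.insert(0, lib_python)
    importlib.invalidate_caches()
    results = {}
    for name in sorted(os.listdir(products_dir)):
        init_file = os.path.join(products_dir, name, "__init__.py")
        if not os.path.isfile(init_file):
            continue  # plain files and non-package directories are skipped
        try:
            importlib.import_module(package + "." + name)
            results[name] = None
        except Exception:
            results[name] = traceback.format_exc()
    return results


def build_demo_tree(root, package="DemoProducts"):
    """Constructed sample tree: one importable product, one missing a dependency."""
    files = {
        "__init__.py": "",
        "README.txt": "not a package\n",
        os.path.join("GoodProduct", "__init__.py"): "VERSION = '1.0'\n",
        os.path.join("BrokenProduct", "__init__.py"):
            "import module_that_is_not_installed\n",
    }
    for relative, content in files.items():
        target = os.path.join(root, package, relative)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w") as handle:
            handle.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        for product, error in check_products(root, "DemoProducts").items():
            print(product, "OK" if error is None else "FAILED")
            if error:
                print(error)
```

Against a real installation, call `check_products` with the `lib/python` directory and `package="Products"`, after the `import Zope` step from the message.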








RE: [Zope] Zope 2.2 beta 1 released

2000-06-13 Thread Brian Lloyd

> On Mon, 12 Jun 2000, Brian Lloyd wrote:
> > Zope 2.2.0 beta 1 has been released - you can download it from
> > Zope.org:
> > http://www.zope.org/Products/Zope/2.2.0b1/
> 
> Either the -src file name is wrong, or the file is wrong, because it
> still says 2.2.0a1.  I think it's the file, 'cause the
> control panel still says 2.2.0a1...
> 
> --RDM

Ack - damned autocomplete :^) The right one is there now...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Zope 2.2 beta 1 released

2000-06-13 Thread Brian Lloyd

> Trying to run the b1 on Windows, I get the following:
> 
> C:\Program Files\Z220b1>"C:\Program 
> Files\Z220b1\bin\python.exe" "C:\Program
> Fil
> es\Z220b1\z2.py" -D
> Traceback (innermost last):
>   File "C:\Program Files\Z220b1\z2.py", line 524, in ?
> import ZServer
>   File "C:\Program Files\Z220b1\ZServer\__init__.py", line 87, in ?
> from medusa import max_sockets, asyncore
> ImportError: No module named medusa
> 
> 
> Throwing an empty __init__.py file into $Zope/ZServer/medusa 
> solved the
> problem for me.

Ack - apparently something in the win installer thinks that empty
files are not worth preserving :( Note that I've tweaked this and
re-uploaded the win32 beta. If you've already downloaded it, the 
above solution is fine (just create an empty file named __init__.py 
in your ZServer/medusa directory).

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








[Zope] Zope 2.2 beta 1 released

2000-06-12 Thread Brian Lloyd

Zope 2.2.0 beta 1 has been released - you can download it from
Zope.org:
http://www.zope.org/Products/Zope/2.2.0b1/


This release contains refinements to the new ownership model as 
well as better undo management and many bug fixes. For more 
information, see:

http://www.zope.org/Products/Zope/2.2.0b1/CHANGES.txt

If you are still using a 2.1.x version of Zope, be sure to 
see the document 
http://www.zope.org/Products/Zope/2.2.0b1/upgrading_to_220

for information on the recent changes to the Zope security model 
and other upgrade information.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Wrong mime type sent by Zope on every page

2000-06-09 Thread Brian Lloyd

> Brian Lloyd wrote:
> > What if we change this to:
> > 
> >   if a 'content_type' attribute exists, it is used
> > 
> >   else if the object's id seems to have a file extension
> >   (. in the id), try to use guess_content_type
> > 
> > >  else if there is a 'default_content_type' attribute, use that
> 
> > 
> >   else fall back to the hated application/octet-stream
> >(or, I've seen x-unknown-content-type used before,
> > but I don't know if this is really any better).
> > 

FYI, for those interested I've checked this and another fix for 
HEAD handling on collections into CVS...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] SOAP status?

2000-06-09 Thread Brian Lloyd

> I know you hate questions like this, but does anyone know 
> what's happening 
> w/ SOAP support? Any guesses as to when there will be a 
> SOAP-capable Zope 
> release? 

SOAP is not yet a really active project, so I can't say when 
it will happen. It is on the (soon to be published) development 
roadmap. We have some things to do to open up the dev. process 
and enable the community to really participate - once we have some 
of those key things out of the way it will be much easier for 
things like SOAP to get the needed resources...


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Wrong mime type sent by Zope on every page

2000-06-08 Thread Brian Lloyd


> -Original Message-
> From: Dan L. Pierson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2000 3:47 PM
> To: Brian Lloyd
> Cc: 'Chris Withers'; Martijn Pieters; Andrew Diller; [EMAIL PROTECTED]
> Subject: RE: [Zope] Wrong mime type sent by Zope on every page
> 
> Brian Lloyd writes:
>  > What if we change this to:
>  > 
>  >   if a 'content_type' attribute exists, it is used
>  > 
>  >   else if the object's id seems to have a file extension
>  >   (. in the id), try to use guess_content_type
>  > 
>  > >  else if there is a 'default_content_type' attribute, use that
>  > 
>  >   else fall back to the hated application/octet-stream 
>  >(or, I've seen x-unknown-content-type used before,
>  > but I don't know if this is really any better).
>  > 
>  > Then we could put a 'default_content_type' attribute in the 
>  > class of dtml documents and methods, which would take care of 
>  > the most common case. Thoughts?
> 
> Sounds pretty good.  Setting 'default_content_type' can then be
> another item in the unwritten Guide to Writing a Zope Product.

That's right - I expect that it could be useful for a few products. 
I can see XMLDocuments having a default of 'text/xml', but I suspect
that a lot of products won't really have to care. Things that have 
no real similarity to conventional "pages" (like database connection 
objects, etc.) are probably useless to a robot that works with "pages"
anyway, so they are better off sending a default non-committal 
response like "application/octet-stream".


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] Wrong mime type sent by Zope on every page

2000-06-08 Thread Brian Lloyd

> > But what if there are side effects to calling the document? 
> What should
> > happen? I don't want a counter to go up or anything just 
> because a HEAD was
> > called on the object.
> > 
> > This is not as black-and-white and simple an issue.
> 
> The web is an imperfect medium, but returning a junk content 
> type isn't
> good.

I'll throw out a proposal on this. It also is not perfect, but 
seems to strike a happier balance. When HEAD is called on an 
object, what currently happens is:

  if a 'content_type' attribute exists, it is used

  else if the object's id seems to have a file extension
  (. in the id), try to use guess_content_type

  else fall back to the hated application/octet-stream 
   (or, I've seen x-unknown-content-type used before,
but I don't know if this is really any better).


What if we change this to:

  if a 'content_type' attribute exists, it is used

  else if the object's id seems to have a file extension
  (. in the id), try to use guess_content_type

>  else if there is a 'default_content_type' attribute, use that

  else fall back to the hated application/octet-stream 
   (or, I've seen x-unknown-content-type used before,
but I don't know if this is really any better).

Then we could put a 'default_content_type' attribute in the 
class of dtml documents and methods, which would take care of 
the most common case. Thoughts?

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
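The lookup order proposed above, written out as an added example (not code from Zope or from this thread): `mimetypes.guess_type` stands in for the `guess_content_type` helper the message mentions, and `DTMLDocument` and `DatabaseConnection` are constructed stand-ins. None of the steps calls the object, so answering HEAD cannot trigger a side effect such as a hit counter.

```python
import mimetypes

FALLBACK_TYPE = "application/octet-stream"


def resolve_content_type(obj):
    """Return (content_type, rule_that_matched) for a HEAD response."""
    # 1. An explicit content_type attribute always wins.
    explicit = getattr(obj, "content_type", None)
    if explicit:
        return explicit, "content_type"

    # 2. An id that looks like a file name ("." in the id) is guessed
    #    from its extension; an unknown extension falls through.
    obj_id = getattr(obj, "id", "") or ""
    if "." in obj_id:
        guessed, _encoding = mimetypes.guess_type(obj_id)
        if guessed:
            return guessed, "extension"

    # 3. The proposed new step: a default declared on the object's class.
    default = getattr(obj, "default_content_type", None)
    if default:
        return default, "default_content_type"

    # 4. Non-committal answer for objects that are not "pages" at all.
    return FALLBACK_TYPE, "fallback"


class DTMLDocument:
    """Constructed stand-in: rendering it has a side effect (a hit counter)."""

    default_content_type = "text/html"

    def __init__(self, id, content_type=None):
        self.id = id
        if content_type is not None:
            self.content_type = content_type
        self.hits = 0

    def __call__(self):
        self.hits += 1
        return "<html>rendered body</html>"


class DatabaseConnection:
    """Constructed stand-in for an object with no page-like representation."""

    def __init__(self, id):
        self.id = id


if __name__ == "__main__":
    samples = [
        DTMLDocument("index_html"),
        DTMLDocument("logo.png"),
        DTMLDocument("feed", content_type="text/xml"),
        DTMLDocument("release.notes-v2"),
        DatabaseConnection("db_conn"),
    ]
    for sample in samples:
        print(sample.id, resolve_content_type(sample))
```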







RE: [Zope] Plea: sequence-item and sequence_item in 2.2?

2000-06-08 Thread Brian Lloyd

> >Hi all,
> >Can I make a plea that the .diff patch that Jonothan Farr posted a 
> >while back be included into the 2.2 release?
> >http://www.zope.org/Members/jfarr/Patches/dtml-in-sv
> 
> I have yet to hear a downside to this patch. I second that motion. 
> The patch has allowed me to clean up my code significantly.

While I understand your wanting this, the problem is a little 
deeper than just naming consistency.

The sequence-* names were done that way intentionally to avoid 
consuming possible names and avoid clashes in the standard 
namespace, and changing the convention could cause clashes to 
become effective.

Have you looked at the "named dtml in loop" proposal on the DTML 
wiki on Zope.org?

http://www.zope.org/Members/4am/DTMLWiki/NamedDTMLInLoop

I think that this proposal would go a long way toward easing the 
spelling issue as well as solving some other pains involving using 
nested dtml-in loops...




Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com





RE: [Zope] Re: [Zope-dev] possible security flaw? - and, request for a phone conference. conference.

2000-06-08 Thread Brian Lloyd

> > Basically, if a user with manager privileges to a folder changes
> > their
> > password to be empty, then anyone (from permitted domains) 
> can access the
> > management screen for that folder Without Logging On... 
> Zope assumes that
> > you are the user without the password and treats you as if 
> you have those
> > rights.
> 
> This is a feature, but I don't know if or where it is 
> documented besides
> the source code (which is a bug if it isn't I guess).

You're right - it is a feature. You are also right that it isn't 
documented anywhere that I can find :(  I would suggest adding 
this to the Collector (as a 'Documentation Request'). 

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] is WebDAV a security hole?

2000-06-05 Thread Brian Lloyd

> Thanx for an informative response!
> 
> Btw I tried WebDAV vs. www.zope.org and that site refused the 
> connection
> attempt.
> Is there some obvious setting that I can use to disable 
> WebDAV, since I
> don't need it (as far as I know;)

DAV won't work for zope.org because it runs behind apache and 
we've never done the incantation apache requires to let 
cgi-ish processes handle their own DAV requests.

As far as disabling DAV support, there's no real way to do that
(except for running behind apache or another server that interferes
with DAV requests by default). This really shouldn't be a problem - 
the extended HTTP methods that provide DAV support all basically 
have Zope api corollaries, so the DAV methods are protected by the 
analogous permissions. For example:

PROPFIND  -> manage properties
PROPPATCH -> manage properties
DELETE    -> delete objects
MKCOL     -> Add folders

...and so on. GET, POST and PUT are used by DAV exactly as in 
the HTTP spec, so if you can "download" something via DAV then 
you could also have gotten it with your normal non-DAV aware 
browser.

Hope this helps!


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] is WebDAV a security hole?

2000-06-05 Thread Brian Lloyd

> Been playing around with WebDAV from IE5 connecting to a RedHat 6.1
> +Zope 2.1.6
> 
> And it seems that quite a bit of the stuff that probably shouldn't be
> visible can be seen,
> for example acl_users

What other things are you referring to? (see answer for acl_users
below)

> 
> Without being logged in I can start a download of it, eventually IE5
> fails, but I get this uncomfortable feeling that this is more 
> due to IE5
> not handling this document type than anything else...
> 
> If I used some other WebDAV client, could I then download 
> acl_users, and
> if so, would this expose usernames/passwords?

It would not expose passwords - I believe that what you are seeing
is a sort of non-obvious but basically harmless thing. User folders
(acl_users) do not have an index_html method (by design). When a 
DAV client tries to "download" acl_users, it is actually acquiring
the closest index_html from above and downloading that :^) One 
could argue that this is lame and that attempting to GET 
.../acl_users/ should raise an error (404?). I'm interested in 
other viewpoints on this - if there is some consensus, a proposed 
change should be put in the Collector.



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 
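A toy model of the acquisition behaviour described above, as an added example that is not Zope code and not part of the original message: `Node`, `get_acquiring`, `get_strict` and the site tree are constructed. It shows why a GET on `acl_users` returns the enclosing folder's `index_html` rather than user data, next to the stricter 404 alternative the message raises.

```python
class NotFound(Exception):
    """Raised when a path or an attribute cannot be resolved."""


class Node:
    """Container object with its own attributes and a link to its parent."""

    def __init__(self, node_id, **own):
        self.id = node_id
        self.parent = None
        self.children = {}
        self.own = own

    def add(self, child):
        child.parent = self
        self.children[child.id] = child
        return child

    def acquire(self, name):
        """Look the name up here, then in each enclosing container in turn."""
        node = self
        while node is not None:
            if name in node.own:
                return node.own[name], node
            node = node.parent
        raise NotFound(name)


def traverse(root, path):
    """Walk a URL-style path from the root to the published object."""
    node = root
    for part in filter(None, path.split("/")):
        if part not in node.children:
            raise NotFound(path)
        node = node.children[part]
    return node


def get_acquiring(root, path):
    """GET as described in the message: index_html is found by acquisition."""
    body, owner = traverse(root, path).acquire("index_html")
    return 200, body, owner.id


def get_strict(root, path):
    """The alternative: only the object's own index_html counts, else 404."""
    node = traverse(root, path)
    if "index_html" not in node.own:
        return 404, "", None
    return 200, node.own["index_html"], node.id


def build_site():
    """Constructed tree: a folder with a user folder that has no index_html."""
    root = Node("root", index_html="Welcome")
    intranet = root.add(Node("intranet", index_html="Intranet home"))
    intranet.add(Node("acl_users", users={"alice": "<stored credential>"}))
    return root


if __name__ == "__main__":
    site = build_site()
    print(get_acquiring(site, "/intranet/acl_users/"))
    print(get_strict(site, "/intranet/acl_users/"))
```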







RE: [Zope] WebDAV, Web Folders and collaborative work

2000-05-31 Thread Brian Lloyd

> I am happily dragging and dropping documents between my Zope 
> server and my desktop using the 'Open as Web Folder' facility 
> of IE5. This seems to save me from writing an upload page but 
> not much else.
> 
> What I am looking for is a way to prevent others from editing 
> the document whilst I have it.  I thought WebDAV helped with 
> this. Maybe I need to do something with a Version?
> 
> have I missed the point?

No - the current incarnation of WebFolders (Microsoft's product) 
does not deal with locking. Office 2K does (it locks a document
while editing it). Zope currently "fakes" locking support as an 
unofficial measure to allow folks to open O2K docs stored in Zope. 

We faked it partly because there was (even fairly recently) some 
disagreement in the DAV group about how locking ultimately should 
work, and partly because DAV clients haven't exactly taken the 
world by storm at this point and that has to be reflected in our 
priorities. Note that even if locking were supported on the Zope
side, I don't think that this would help your situation since 
WF will not lock an object just because you dragged it to your 
local desktop. AFAIK, O2K will only lock something if you open
it directly with O2K.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] ANN: Perl For Zope

2000-05-25 Thread Brian Lloyd

> > Stunned. Totally and utterly stunned. I would have thought there 
> > would be Java floating around in Zope's bowl before Perl! Perl? 
> > Jeeze... what a great but very scary thing. I trust that DC will do 
> > it right.
> 
> I'd agree with the scary part. Scaaary. I hope DC will do it 
> right indeed,
> and that I can't *see* the Perl if I don't want to see it.

Our goal is to extend Zope's appeal and allow people _more_ 
flexibility to work in a language that is comfortable to them.
You certainly wouldn't have to worry about Perl unless you 
choose to. This is a Good Thing - and nothing to be scared 
about, I promise :^) 


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 








RE: [Zope] 2.1.4 to 2.1.6 nightmare

2000-05-24 Thread Brian Lloyd

> > Finally it works. Thanks.
> > 
> > Do you know why DigitalCreations haven't release a patch?
> 
> Dunno :S
> 
> > I guess i'm not the first one getting mad with 2.1.6.
> 
> Had us fooled for about a week :(
> 
> I think it's all fixed in 2.2 anyway, which may be why no patch was
> released...

That's basically right - it boils down to that releasing a
patch for every bug/feature just doesn't scale. We have made
some internal adjustments to allow our release schedule to be 
much more flexible and frequent than it was, which should 
address this. 

Of course, if having every latest bug fix is of burning importance
to you, you can run from the public CVS - though you are also, of 
course, going to get every latest bug as well :^)


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Collector status on password change bug?

2000-05-24 Thread Brian Lloyd

> I see that the "Can't change User Roles without their Password"
> bug mentioned in:
> 
> http://classic.zope.org:8080/Collector/1102/view
> http://classic.zope.org:8080/Collector/1134/view
> http://classic.zope.org:8080/Collector/1138/view
> (etc)
> 
> is still in 2.1.6 
> 
> http://classic.zope.org:8080/Collector/1138/view provides a patch.
> What is the recommended way to solve this long-standing problem?

Kent - the fix for this is in the forthcoming 2.2.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 







RE: [Zope] Zope 2.2.0a1 permission problems

2000-05-18 Thread Brian Lloyd

> > >>I just installed release 2.2.0a1 on a glibc Linux box, but I keep
> > >>getting a permission problem when accessing a database query.
>
> ...
>
> > After beating on this over the last day or so trying to
> > understand what was happening at the Web interface level
> > (thinking that I must have just screwed up a permissions
> > setting somewhere), I finally looked at the code and
> > simply commented out line 602 in
> > 
> /data/www/Zope/Zope-2.2.0a1-src/lib/python/DocumentTemplate/DT_In.py
> > 
> > # raise ValidationError, index
> > 
> > Ta da!  It works...for now.  This little patch will get
> > me up and going.  I trust that someone will fix whatever
> > problem necessitated this in a future release and I
> > won't need this awful kludge, but it sure is nice to be
> > able to use it now.
> > 
> 
> Anyone know what the real fix is?

I don't _know_ yet, but I suspect :^) I think that something is
running afoul of the new security checking inside the __call__
method of SQLMethod objects. If someone wants to use the Zope
debugger (the debugger is your friend!) to sniff into this, 
that is where you should start. Under the debugger, set a 
breakpoint in the __call__ of the DA class in 
lib/python/Shared/DC/ZRDB/DA.py. Stepping through should point
out what object is failing authorization. If anyone is so 
inclined, Michel P. has a very good debugger how-to:

http://www.zope.org/Members/michel/HowTos/TheDebuggerIsYourFriend

...and let me know what you find out. I won't be around Friday,
but I was planning to put on the sherlock hat and work this out 
Monday - of course I hope someone beats me to it :^)



Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 






