[Zope-dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Lennart Regebro
From: Jim Fulton [EMAIL PROTECTED] Initially, I propose to move just the repository heads. Maintenance branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. What is the rationale behind not moving it all?

[Zope-dev] Re: [ZODB-Dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Andreas Jung
--On Monday, 12 April 2004 13:07 +0200 Lennart Regebro [EMAIL PROTECTED] wrote: From: Jim Fulton [EMAIL PROTECTED] Initially, I propose to move just the repository heads. Maintenance branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. What is the rationale behind not moving it all?

[Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Hi Shane and zope-dev, I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. It makes CookieCrumbler not store the user's password and username on the browser side and rotates the token stored on the browser side every 10 seconds or time between

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it. PS: To make cookie auth

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Jamie Heilman
Chris Withers wrote: PS: To make cookie auth properly secure, you really need to be working over SSL only, and in addition, you should tweak CookieCrumbler further so that it sets the secure session bit, meaning your sessions should only get returned over a secure connection... mind you, to

[Zope-dev] Re: [ZODB-Dev] Re: [Zope3-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Sidnei da Silva
On Mon, Apr 12, 2004 at 08:11:44AM -0400, Tres Seaver wrote: | Lennart Regebro wrote: | From: Jim Fulton [EMAIL PROTECTED] | | Initially, I propose to move just the repository heads. Maintenance | branches (e.g. Zope 2.6 and Zope 2.7) will remain in CVS. | | What is the rationale behind not

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Shane Hathaway wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it. Well, that's a little harsh. The default methods will

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Chris Withers
Jamie Heilman wrote: The problem of using cookies for auth creds is a little more complex than that. The reality is, in a well written application, cookies should never be used to store auth creds, even if you only send them over SSL. The patch means that auth creds are never sent, only an

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an official CookieCrumbler release or not ;-) Making cookie authentication secure is surprisingly difficult, and you've barely taken one step. I don't want CookieCrumbler to

[Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Casey Duncan
On Sat, 10 Apr 2004 14:11:56 -0500 [EMAIL PROTECTED] wrote: I have the following setup (unrelated lines are omitted): class Deliverer(Folder): def manage_afterAdd(self, item, container): if item is self: self.__ac_local_roles__ = dr_localroles(self) class

Re: [Zope3-dev] Re: [Zope-dev] Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Jim Fulton
Jamie Heilman wrote: Jim Fulton wrote: I propose to move from CVS to subversion for the Zope and ZODB projects; http://dev.zope.org/Zope3/MovingSCMToSubversion No complaints from me. I do wonder though... one thing I've noticed about ZC's CVS usage in the past is that you folks never export

RE: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread zope
Casey, Thanks for the clarification. - Is there an equivalent of sys.getrefcount for ZODB persistent objects? This is still a question. Is there any way, to determine how many times a zodb persistent object is referenced? sys.getrefcount seems to tell me only those references which are

Re: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Casey Duncan
On Mon, 12 Apr 2004 10:57:43 -0500 [EMAIL PROTECTED] wrote: Casey, Thanks for the clarification. - Is there an equivalent of sys.getrefcount for ZODB persistent objects? This is still a question. Is there any way, to determine how many times a zodb persistent object is

RE: [Zope-dev] Re: circular referenced persistent objects

2004-04-12 Thread Tim Peters
[Sandor] This is still a question. Is there any way, to determine how many times a zodb persistent object is referenced? ZODB itself doesn't keep track of that, although it's possible to write a storage that does. FileStorage does not. BerkeleyStorage did (past tense because Zope Corp has

[Zope-dev] ZConfig 2.1 released

2004-04-12 Thread Fred Drake
I've posted a distribution for ZConfig 2.1 on the ZConfig page: http://zope.org/Members/fdrake/zconfig/ This fixes a few bugs and improves the ability to set default values in schemas. It also adds some helpful schema building blocks, including a general mapping type and support for

[Zope-dev] start_new_thread / user issue

2004-04-12 Thread Toby Gustafson
Hi, Within a python file I do a call to thread.start_new_thread(...). Before this call, I am the admin user (verified by calling AccessControl.getSecurityManager().getuser().getUserName()). After the call, however, in the new thread, the user is now Anonymous User. Is there any way to

Zope + Ape + Subversion (was: RE: [Zope-dev] Using a truly revision based storage for Zope ?)

2004-04-12 Thread Jean-Francois . Doyon
G'Day, Well, step one is done ... I now have Zope + Ape using Subversion as its filesystem !! This is step one because, as Shawn suggested (Thanks for the pointer, that's what I needed!), this simply means that Zope uses SVN purely as a filesystem. Because of subversion's nature, I want to

Re: [Zope-dev] [patch] More secure cookie crumbler?

2004-04-12 Thread Jamie Heilman
Chris Withers wrote: The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less. The token *is* the cred in that scenario, you can't not send some form of credentials. Can you explain the XSS risk when a client user is not

[Zope-dev] Re: Proposal: Move to subversion for source code control of the Zope and ZODB projects

2004-04-12 Thread Kapil Thangavelu
fwiw, i've been able to get good results at migrating the plone repository and branches using the refinecvs migration script http://lev.serebryakov.spb.ru/refinecvs/ the cvs2svn script included with subversion had several issues with branches, although it was a few months ago (prior to svn 1.0)

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Stuart Bishop
On 12/04/2004, at 10:39 PM, Shane Hathaway wrote: On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global.

Re: Zope + Ape + Subversion (was: RE: [Zope-dev] Using a truly revision based storage for Zope ?)

2004-04-12 Thread Shane Hathaway
On Mon, 12 Apr 2004 [EMAIL PROTECTED] wrote: Well, step one is done ... I now have Zope + Ape using Subversion as its filesystem !! That's fantastic! I'll write a more detailed reply soon. :-) Shane

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On 04/12/04 09:04, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an official CookieCrumbler release or not ;-) BTW, I wouldn't mind if you or Stuart took over maintainership of CookieCrumbler after the next release. Then you'd be able to

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Tres Seaver
Stuart Bishop wrote: On 12/04/2004, at 10:39 PM, Shane Hathaway wrote: On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the

[Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Tres Seaver
Jamie Heilman wrote: Chris Withers wrote: The patch means that auth creds are never sent, only an auth token that's valid for 20 mins or so, or you could set it to less. The token *is* the cred in that scenario, you can't not send some form of credentials. Can you explain the XSS risk when a

[Zope-dev] Re: start_new_thread / user issue

2004-04-12 Thread Tres Seaver
Toby Gustafson wrote: Hi, Within a python file I do a call to thread.start_new_thread(...). Before this call, I am the admin user (verified by calling AccessControl.getSecurityManager().getuser().getUserName()). After the call, however, in the new thread, the user is now Anonymous User. Is