[Zope-dev] Virtual Hosting in 2.2 - a Bestiary of Buglets
I set up virtual hosting on Zope 2.2.1 with SiteAccess 2. I used Apache with ProxyPass (Apache acting as a reverse HTTP proxy in front of ZServer) instead of FastCGI, since this is much faster (with caching headers Apache is about 10 times as fast as ZServer).

The setup is as follows - each site has a folder in /websites, so www.example.com is mapped to /websites/example in Zope. In /websites/example I have an Access Rule that tells Zope that the base url is http://www.example.com.

Problem 1: HTTP and HTTPS (more of a proxypass issue)
=====================================================

I want to be able to serve both http and https versions of a site from Apache. Problem is, because of the way proxying works, there is no way for Zope to know if it is originally being accessed via http or https.

My solution? Add a folder in top level of Zope called "ssl". If we see our path as proxied by Apache is /ssl/websites/example, we know we are being accessed via SSL. Because of the magic of acquisition, this works, but it's still an ugly hack, and slows things down. Here's the SiteAccess rule I used:

    if REQUEST['PATH_INFO'][:5] == '/ssl/':
        REQUEST.setVirtualRoot('/')
        REQUEST.setServerURL(protocol='https', hostname='www.example.com', port='443')
    else:
        REQUEST.setVirtualRoot('/')
        REQUEST.setServerURL(hostname='www.example.com', port='80')

Problem 2: ZCatalog
===================

All the objects in /websites/example are being cataloged with paths such as /websites/example/folder/myObject. However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.

Problem 3: Management interface
===============================

The breadcrumbs in the folder management screen (e.g. "/ folder1 / folder2"), still show the "/ websites / example", with links, when using the virtual hosting. That is, the management interface shows folders that we are not supposed to be able to access when we are using virtual hosting.

Problem 4: Access to other virtual hosts (security issue?)
==========================================================

When using virtual hosting, it is still possible to access the /websites folder for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.

--
Itamar S.T. [EMAIL PROTECTED]
Fingerprint = D365 7BE8 B81E 2B18 6534 025E D0E7 92DB E441 411C

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] PARENTS
From http://www.zope.org/Members/michel/Projects/Interfaces/PublisherRequest:

Deprecated attributes:
 - PARENTS

What are we supposed to use instead now?

cheers,

Chris
Re: [Zope-dev] Problem 2: ZCatalog
Itamar Shtull-Trauring wrote:
> All the objects in /websites/example are being cataloged with paths such as /websites/example/folder/myObject.

Using getPhysicalPath I hope and pray...

> However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.

That's as expected. I guess there needs to be some discussion about what 'should' happen here. I reckon there should be a getVirtualPath as well as a getPath. Comments welcome...

For now, the workaround getobject().absolute_url() should work, but does mean loading the whole object into memory :-(

cheers,

Chris
[Zope-dev] Re: Problem 1: HTTP and HTTPS (more of a proxypass issue)
Chris Withers wrote:
> What difference does it make if you do REQUEST.setVirtualRoot('/',1)?

This might actually solve most of my problems, since it deletes the parents I don't need from PARENTS. However, when I do this I can't view anything - it keeps raising Unauthorized. Setting the permissions to not acquire and be explicitly on does not help.

--
Itamar S.T. [EMAIL PROTECTED]
Fingerprint = D365 7BE8 B81E 2B18 6534 025E D0E7 92DB E441 411C
[Zope-dev] What should/does REQUEST.setVirtualRoot('/',1) do?
Itamar Shtull-Trauring wrote:
> > What difference does it make if you do REQUEST.setVirtualRoot('/',1)?
>
> This might actually solve most of my problems, since it deletes the parents I don't need from PARENTS. However, when I do this I can't view anything - it keeps raising Unauthorized. Setting the permissions to not acquire and be explicitly on does not help.

I guess I'd really like to know what the intended difference and uses of hard=0 and hard=1 are.

Evan, Help?!

cheers,

Chris
Re: [Zope-dev] Problem 4: Access to other virtual hosts (security issue?)
Itamar Shtull-Trauring wrote:
> When using virtual hosting, it is still possible to access the /websites folder for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.

I don't think this is a 2.2 issue. It has always been like this AFAIK...

What you really want is a non-acquiring folder for the /example and /example2 folders. This shouldn't be too hard to implement :-S

Does this sound like the right idea?

cheers,

Chris

PS: This shouldn't really be a security issue, it's more of a 'niceness' thing as the security stuff will still work as it should (unless, perhaps, you do domain-based authentication...) Sadly, that sort of thing seems to go right down the priority lists :-( (go see http://www.zope.org/standard_html_footer for another example...)
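Why www.example.com/websites/example2 resolves, and what the non-acquiring folder proposed in this reply changes, shown with a toy model of acquisition. This is an added example, not Zope code or part of the original message; `Folder`, `traverse`, `inside` and the constructed site tree are hypothetical, and the model only follows containment, which is simpler than Zope's wrappers.

```python
# Added example: a toy model of containment acquisition during URL
# traversal. Folder, traverse() and inside() are hypothetical names;
# this is not Zope's Acquisition implementation.

class NotFound(Exception):
    pass

class Folder:
    def __init__(self, id, parent=None, acquires=True):
        self.id = id
        self.parent = parent
        self.acquires = acquires   # False models a non-acquiring folder
        self.items = {}
        if parent is not None:
            parent.items[id] = self

    def physical_path(self):
        names, node = [], self
        while node.parent is not None:
            names.append(node.id)
            node = node.parent
        return "/" + "/".join(reversed(names))

    def lookup(self, name):
        """Own contents first, then each container above (acquisition)."""
        node = self
        while node is not None:
            if name in node.items:
                return node.items[name]
            if not node.acquires:
                break              # stop climbing at a non-acquiring folder
            node = node.parent
        raise NotFound(name)

def traverse(virtual_root, url_path):
    """Resolve a URL path starting at the virtual host's root folder."""
    obj = virtual_root
    for name in url_path.split("/"):
        if name:
            obj = obj.lookup(name)
    return obj

def inside(obj, virtual_root):
    """True if obj's physical path lies at or below the virtual root."""
    root = virtual_root.physical_path().rstrip("/") + "/"
    return (obj.physical_path().rstrip("/") + "/").startswith(root)

def build_sites(acquiring=True):
    """Constructed tree: /websites/example and /websites/example2."""
    app = Folder("")
    websites = Folder("websites", app)
    example = Folder("example", websites, acquires=acquiring)
    example2 = Folder("example2", websites, acquires=acquiring)
    Folder("folder", example)
    Folder("private", example2)
    return example, example2

if __name__ == "__main__":
    example, _ = build_sites()
    hit = traverse(example, "/websites/example2/private")
    print(hit.physical_path(), "inside vhost:", inside(hit, example))
    example, _ = build_sites(acquiring=False)
    try:
        traverse(example, "/websites/example2/private")
    except NotFound as exc:
        print("non-acquiring site folder: NotFound", exc)
```

In this model a non-acquiring site folder also stops acquiring anything shared from the root. `inside()` is the alternative check, and its trailing slash keeps `/websites/example2` from passing as a child of `/websites/example`.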
[Zope-dev] LoginManager NT plugins?
Anyone doing user authentication with NT + LoginManager?

--
Robin Becker
Re: [Zope-dev] PlugIns.py bug.... (was incorrectly ZPatterns: transaction bug)
OK I think I found the actual intent of aq_base() in _checkId of PlugIns.py:

    if hasattr(aq_base(self), id):
        # The object is located in this ObjectManager.
        if not flags & REPLACEABLE:
            raise 'Bad Request', ('The id "%s" is invalid - ' \
                                  'it is already in use.' % id)
        # else the object is replaceable even if the UNIQUE
        # flag is set.
    elif flags & UNIQUE:
        raise 'Bad Request', \
              ('The id "%s" is reserved.' % id)

it comes from the ObjectManager _checkId which has basically the same code except it ObjectManager.py also has the needed:

    from Acquisition import aq_base

which PlugIns.py does not.. so looking at Acquisition.c it appears that there is no real difference between

    hasattr(aq_base(self), id)

which calls

    if (WRAPPER(self)->obj)
      {
        r=WRAPPER(self)->obj;
        while (isWrapper(r) && WRAPPER(r)->obj) r=WRAPPER(r)->obj;
      }
    else r=Py_None;
    Py_INCREF(r);
    return r;

and

    hasattr( self.aq_base, id)

which calls

    case 'b':
      if (strcmp(name,"base")==0)
        {
          if (self->obj)
            {
              r=self->obj;
              while (isWrapper(r) && WRAPPER(r)->obj) r=WRAPPER(r)->obj;
            }
          else r=Py_None;
          Py_INCREF(r);
          return r;
        }
      break;

Anyway.. it looks like either fix is OK... I guess!

-steve

>>>>> "Steve" == Steve Spicklemire [EMAIL PROTECTED] writes:

    Steve> ZPatterns 0.4.2a1 PlugIns.py bug?

    Steve> I get a 'Name Error' aq_base when I hit the following code
    Steve> while trying to update the index_html method of one of my
    Steve> Specialists from CVSMixin.. I think that this would get hit
    Steve> anytime you add an object whose id is already in the
    Steve> acquisition path

    Steve> -steve

Steve diff -c -r1.1.1.2 PlugIns.py *** PlugIns.py 2000/09/04 Steve 14:17:29 1.1.1.2 --- PlugIns.py 2000/09/04 18:53:17 Steve *** *** 265,271 # An object by the given Steve id exists either in this # ObjectManager or in the Steve acquisition path. flags = getattr(obj, '__replaceable__', Steve NOT_REPLACEABLE) ! if hasattr(aq_base(self), id): # The Steve object is located in this ObjectManager. 
if not flags Steve REPLACEABLE: raise 'Bad Request', ('The id "%s" is invalid Steve - ' \ --- 265,271 # An object by the given id exists Steve either in this # ObjectManager or in the acquisition path. Steve flags = getattr(obj, '__replaceable__', NOT_REPLACEABLE) ! Steve if hasattr(self.aq_base, id): # The object is located in Steve this ObjectManager. if not flags REPLACEABLE: raise 'Bad Steve Request', ('The id "%s" is invalid - ' \
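Review bot: the `!` line in the 265,271 hunk clears the NameError by rewriting the test as `hasattr(self.aq_base, id)` rather than by supplying the missing name, so PlugIns.py's `_checkId` no longer matches the ObjectManager code it was copied from. Keeping `hasattr(aq_base(self), id)` and adding `from Acquisition import aq_base` to PlugIns.py, the import the message says ObjectManager.py already has, would fix the error without touching this hunk and keep the two copies easy to compare.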
Re: [Zope-dev] PlugIns.py bug.... (was incorrectly ZPatterns: transaction bug)
At 08:46 AM 9/5/00 -0500, Steve Spicklemire wrote:
> OK I think I found the actual intent of aq_base() in _checkId of PlugIns.py:
> ...
> it comes from the ObjectManager _checkId which has basically the same code except it ObjectManager.py also has the needed:
>
> from Acquisition import aq_base

Fixed in my CVS. Thanks!
[Zope-dev] Re: Virtual Hosting in 2.2 - a Bestiary of Buglets
From: Itamar Shtull-Trauring [EMAIL PROTECTED]
> Problem 1: HTTP and HTTPS (more of a proxypass issue)
> =====================================================
>
> I want to be able to serve both http and https versions of a site from Apache. Problem is, because of the way proxying works, there is no way for Zope to know if it is originally being accessed via http or https.
>
> My solution? Add a folder in top level of Zope called "ssl". If we see our path as proxied by Apache is /ssl/websites/example, we know we are being accessed via SSL. Because of the magic of acquisition, this works, but it's still an ugly hack, and slows things down.

If you think that's an ugly hack, you'll probably hate what I do ;-)

I have Apache RewriteRules that look like these:

    RewriteRule ^/(.*) http://localhost:8080/_proxy/http/%{HTTP_HOST}/example/$1 [P,L]

(with https instead of http in secure virtual hosts, of course)

...and an Access Rule in my root folder (stack is the traversal stack):

    if stack and stack[-1] == '_proxy':
        stack.pop()
        base = "%s://%s" % (stack.pop(), stack.pop())
        request.setURL(base=base)
        request.set('SiteRootPATH', '/')

Finally, I have blank SiteRoots in my site folders.

> Problem 2: ZCatalog
> ===================
>
> All the objects in /websites/example are being cataloged with paths such as /websites/example/folder/myObject. However, when I get the object's path using getpath(), it's not adjusted based on the virtual hosting settings - it's still /websites/example/folder/myObject, not /folder/myObject as it should be.

This is one of the many ZCatalog problems that Chris P. is now valiantly tackling.

> Problem 3: Management interface
> ===============================
>
> The breadcrumbs in the folder management screen (e.g. "/ folder1 / folder2"), still show the "/ websites / example", with links, when using the virtual hosting. That is, the management interface shows folders that we are not supposed to be able to access when we are using virtual hosting.

As Chris Withers points out, this is due to deprecated data passed in calls to tabs_path_info. I'll see that it gets fixed.

> Problem 4: Access to other virtual hosts (security issue?)
>
> When using virtual hosting, it is still possible to access the /websites folder for example, using acquisition. So I can view the contents of one website from the other: www.example.com/websites/example2, and www.example2.com/websites/example.

Unless this is a real security concern for you, and can't be addressed within the standard Zope security framework, I wouldn't worry about it. As you noticed, the optional 'hard' parameter to setVirtualRoot was a weak stab in this direction, but I never spent enough time on it to really get it working. That would involve (at least) providing some kind of replacement Application instance to root acquisition in.

Cheers,

Evan @ digicool 4-am
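The `_proxy` Access Rule from the message above, restated as a stand-alone Python function that checks the scheme and host segments before using them to build the base URL. This is an added example, not SiteAccess code or part of the original post; the `SITES` mapping, `RuleError` and `path_to_stack` are hypothetical names, and the folder check assumes each virtual host's RewriteRule appends its own site folder as in the rule quoted above.

```python
# Added example: the "_proxy" Access Rule logic with input checks.
# SITES and the validation steps are assumptions, not SiteAccess code.

ALLOWED_SCHEMES = ("http", "https")

# Assumed configuration: public host name -> id of the site folder that
# the Apache RewriteRule for that virtual host appends after the host.
SITES = {
    "www.example.com": "example",
    "www.example2.com": "example2",
}

class RuleError(ValueError):
    """The _proxy prefix was present but malformed or not configured."""

def proxy_base(stack, sites=SITES):
    """Consume '_proxy/<scheme>/<host>' from the traversal stack.

    `stack` holds the remaining path names in reverse order (next name
    last), like the `stack` in the Access Rule above.  Returns the base
    URL to pass to request.setURL(base=...), or None when the request
    did not come through the rewriting proxy (FTP, direct ZServer hit).
    The stack is only modified when every check passes.
    """
    if not stack or stack[-1] != "_proxy":
        return None
    if len(stack) < 4:
        raise RuleError("truncated _proxy prefix")
    scheme, host, folder = stack[-2], stack[-3].lower(), stack[-4]
    if scheme not in ALLOWED_SCHEMES:
        raise RuleError("unexpected scheme %r" % scheme)
    hostname = host.split(":", 1)[0]   # tolerate 'host:port' from HTTP_HOST
    if sites.get(hostname) != folder:
        raise RuleError("host %r is not mapped to folder %r" % (host, folder))
    del stack[-3:]                     # leave '<folder>/...' for traversal
    return "%s://%s" % (scheme, host)

def path_to_stack(path):
    """Build a reversed name stack from a URL path (constructed input)."""
    names = [n for n in path.split("/") if n]
    names.reverse()
    return names

if __name__ == "__main__":
    for path in (
        "/_proxy/https/www.example.com/example/folder/index_html",
        "/example/folder/index_html",
        "/_proxy/https/www.example.com/example2/index_html",
        "/_proxy/ftp/www.example.com/example/index_html",
    ):
        stack = path_to_stack(path)
        try:
            print(path, "->", proxy_base(stack), list(reversed(stack)))
        except RuleError as exc:
            print(path, "-> rejected:", exc)
```

Because the function reads the scheme and host from the rewritten path, it never touches HTTP_HOST inside Zope, so requests that arrive without that header fall through unchanged.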
Re: [Zope-dev] BTree folders: opinions?
Steve Alexander wrote:
> I've been reading the discussions on benchmarks of BTreeFolder versus standard ObjectManager dict based folders.
>
> I have a BTreeFolder w/ Customizer support that I'd like to include in the DataSkinAddons package for its next release.
>
> I'll probably release a LargeUI Folder w/ Customizer Support, that has the BTreeFolder UI anyway. However, I'm not sure whether to store the folder contents in a dict or a BTree.
>
> Are dictionaries or BTrees the way to go for folders with lots of sub-objects? Anyone tried any other benchmarks?
>
> I *suppose* it could even be configurable:
>
> How about this for an idea:
>
> * Management interface uses the standard Folder interface when the number of objects in the contents are less than a certain amount. With more objects, it switches to the BTree Folder UI. This number can be reconfigured as an attribute of the folder.

Have you considered a batching UI? The consensus here at DC when we had the meeting about big folders was that folders with lots of objects ought to batch. However, once I saw how fast a simple list is, I lost interest in batching.

> * You can switch between using a dict and a BTree to store the sub-objects, on an instance-by-instance basis. The switch-over will be slow, but it will be easier than changing the base-class of existing instances.

You'll probably get the biggest win just by replacing the custom __getattr__ method with a C version. I understand that switching from C to Python and back to C again is expensive, but a C version would turn the path into C-C-C. It might level the benchmarks.

Shane
[Zope-dev] SiteAccess 2 Questions
Hi,

Here's a load of questions that have sprung up as a result of trying to get to grips with SiteAccess 2 on Zope 2.2.1:

It looks like REQUEST.steps is the replacement for PARENTS? Is that so?

Small grumble: REQUEST['TraversalRequestNameStack'] is a bit of a long-winded name :P

If an Access Rule is broken, and is preventing normal access, it can be disabled by restarting Zope with environment variable SUPPRESS_ACCESSRULE set.

So now you have to restart Zope to undo a screwup? I guess __no_before_traverse__, or whatever it was, was a security hole, or something?

Hmm, the example for Multiple Sites isn't very robust :-(
http://www.zope.org/Members/4am/SiteAccess2/vhosting

You use HTTP_HOST, without ensuring it exists. I remember having problems with this in Zope 2.1.6 as HTTP_HOST doesn't exist when you access things via FTP, so an error gets thrown, effectively preventing you from accessing any objects covered by the access rule through FTP.

My solution for this is just to wrap the rule in

    <dtml-if "REQUEST.has_key('HTTP_HOST')">

Well, that's all for now...

cheers,

Chris
[Zope-dev] Re: SiteAccess 2 Questions
From: Chris Withers [EMAIL PROTECTED]
> It looks like REQUEST.steps is the replacement for PARENTS? Is that so?

Actually, REQUEST.steps has always been there -- it's the list of *ids* that were traversed. This may or may not correspond to the ids of the PARENTS, depending on whether an object with a __bobo_traverse__ inserted extra objects or replaced itself in PARENTS.

Then there is REQUEST._steps, which is new, and which is (as the _ implies) for internal use only. It's a pre-url-quoted list of steps, affected by virtual hosting, which is used to construct URLn and BASEn.

Right now, I'm working in a CVS branch on new REQUEST variables called URLPATHn and BASEPATHn, which are analogous to URLn and BASEn but only contain the path portion of the URL. Then all SCRIPT_NAME uses should be replaced with BASEPATH1, etc.

> Small grumble: REQUEST['TraversalRequestNameStack'] is a bit of a long-winded name :P

Agreed. Jim pretty much mandated a name that (1) lives in 'other', rather than being an attribute, and therefore (2) is very, very unlikely to clash with other people's REQUEST variable names.

> So now you have to restart Zope to undo a screwup? I guess __no_before_traverse__, or whatever it was, was a security hole, or something?

No, it's just not specific enough. Now that the before-traversal hook is part of Zope, other services may want to use it, and so it shouldn't have a global on/off switch. As of SiteAccess 2.0b3, you can insert "_SUPPRESS_SITEROOT" and/or "_SUPPRESS_ACCESSRULE" into your URL in order to turn off a single SiteAccess object (the one which would have triggered at that point in the URL).

> Hmm, the example for Multiple Sites isn't very robust :-(
> http://www.zope.org/Members/4am/SiteAccess2/vhosting

I didn't spend a whole lot of time fortifying it. It's just meant to be an example, after all. I wasn't expecting so many people to paste it into their applications without understanding what it does. :-)

Cheers,

Evan @ digicool 4-am
[Zope-dev] DCOracleStorage: problems running Full.sql
I'm trying to get DCOracleStorage up and running, but I'm getting errors trying to run Full.sql. I know diddly about plsql, so I apologize if this is obvious.

When I run Full.sql I get the following errors. Does this mean my oracle installation is missing something?

Thanks,
^Roman

    ...
    Table created.
    Table created.
    Index created.
    Commit complete.
    Package created.
    No errors.
    Warning: Package Body created with compilation errors.
    create package body zodb_methods as
    *
    ERROR at line 1:
    ORA-01041: internal error. hostdef extension doesn't exist
    No errors.
    ORA-24323: value not allowed
    Error accessing package DBMS_APPLICATION_INFO
    ERROR:
    ORA-03114: not connected to ORACLE
Re: [Zope-dev] Folderish objects and multiple inheritance
- Original Message -
From: "Andy McKay" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 05, 2000 2:13 PM
Subject: [Zope] Re: [Zope-dev] Folderish objects and multiple inheritance

Hmmm I can override inheritance in a simple class... I guess there's something in Zope that's annoying this:

    class A:
        var = 'A'
        def test(self):
            return self.var

    class B:
        var = 'B'
        def test(self):
            return self.var

    class C(B, A):
        var = 'C'
        def test(self):
            return A.var

    c = C()
    print c.test()

    OUTPUT
    A

- Original Message -
From: "Andy McKay" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 05, 2000 11:35 AM
Subject: [Zope-dev] Folderish objects and multiple inheritance

Hi there,

Ok so I have a class that has multiple inheritance. My main class (A) works fine, but I wanted to add in folderish properties. The problem is the order of multiple inheritance and viewing folder objects. When you view a folder from you call index_html and this gives a content list. By inheriting this way:

    class B(A, Folder):

I have kept all my A methods. However viewing it does not produce the content list since it's overwritten by A. Of course inheriting:

    class B(Folder, A):

Does work for that, but breaks all my other methods.

Solutions: Well I tried defining a tab - view_folder which was something along the line of:

    def view_folder(self, client=None, REQUEST={}):
        ''' doc string '''
        return Folder(self, client, REQUEST)

But get an attribute error on manage_tabs.

Any ideas? Thanks.

--
Andy McKay, Developer.
ActiveState.
[Zope-dev] Call for a creation_datetime property!
It is really a painful thing to do without. I realize I can add this capability to factories of my own objects but I don't want to have to create my own versions of dtml-document and everything else just to ensure that a creation date is kept.

I've tried using transaction logs but this is very dodgy for the following reasons.

1) An object can be created by many different methods. It's guesswork working out which created the object.
2) The odb can be packed and then you've just lost your creation date.

Can anyone give a good reason not to include this property as a standard for all ZODB objects?

Dylan Jay                   Tel: +61 2 9886-8961
Avaya Communication         FAX: +61 2 9352 9224
Level 5, 15 Talavera Road   Mobile: +61 409 606 171
Nth Ryde, NSW, 2113         ICQ: 520341
AUSTRALIA