Re: [Zope-dev] Turning off product installation in zope.conf on all zeo clients?

2005-04-20 Thread Chris Withers
Jens Vagelpohl wrote:
 From what I understand it prevents the installation/writing of a 
product into the ZODB (the products management part of the 
Control_Panel) and thus prevents conflict errors. If the product is 
already installed (e.g. by a client who is allowed to do so) then you 
can instantiate instances of your new product. 
So if not clients do the installation, I would not be able to 
instantiate objects?

cheers,
Chris
--
Simplistix - Content Management, Zope  Python Consulting
   - http://www.simplistix.co.uk
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] To ZCML or not ;-)

2005-04-20 Thread Chris Withers
Martijn Faassen wrote:
Anyway, while I have my criticisms of ZCML, too much typing is really 
not very important in my list. You can get it somewhat shorter, I'm 
sure, but not *that* much shorter. I'd worry more about the reading part 
than the writing.
More typing = more reading in my books, so I guess we're in agreement ;-)
cheers,
Chris
--
Simplistix - Content Management, Zope  Python Consulting
   - http://www.simplistix.co.uk
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] To ZCML or not ;-)

2005-04-20 Thread Chris Withers
Stephan Richter wrote:
Can you be more specific? I think ZCML is very compact.
Well, I'm hoping to take a proper look at the latest Z3 some time 
soon, so I'll let you know after that and shut up on the subject in the 
meantime ;-)

cheers,
Chris
--
Simplistix - Content Management, Zope  Python Consulting
   - http://www.simplistix.co.uk
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

2005-04-20 Thread Chris Withers
Sidnei da Silva wrote:
| Now, 5.2 is where I have the problem, since raising unauthorized 
| anywhere in Zope traditionally pops up a basic auth box rather than 
| returning standard_error_message with a 403 response which, as time goes 
| by, I'm starting to think is what should really happen.

Yes! That too.
| 1. Should things change to work as I describe?
I would think so.
OK, but I would prefer more opinions on this, so moving to 
[EMAIL PROTECTED]

| 2. Is the above behaviour pluggable at all?
Not at all.
Should it be? Can it be without impacting on performance?
| 3. How does PAS handle failover from one authentication plugin to the next?
/me leaves slot for PAS experts to fill
...
| 4. What kicks off the authentication process in Zope? Something being 
| anonymously viewable or credentials being found in the request?

I've been looking at BaseRequest.traverse(). Basically, it tries to
validate REQUEST._auth, 
What does? And what does validate mean in this context?
being it set or not *wink* (when using
Right, and that was the source of the other thread?
CookieCrumbler it's this variable is set from the cookie value) and
that may result in a valid user or 'Anonymous User'.
Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
the user when things aren't authorized?

| PS: I suspect the answer to 4 varies depending on the type of auth :-(
I don't think so.
CookieCrumbler vs Everything Else: I think it does...
Chris
--
Simplistix - Content Management, Zope  Python Consulting
   - http://www.simplistix.co.uk
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Turning off product installation in zope.conf on all zeo clients?

2005-04-20 Thread Paul Winkler
On Wed, Apr 20, 2005 at 02:50:21PM +0100, Chris Withers wrote:
 Jens Vagelpohl wrote:
  From what I understand it prevents the installation/writing of a 
 product into the ZODB (the products management part of the 
 Control_Panel) and thus prevents conflict errors. If the product is 
 already installed (e.g. by a client who is allowed to do so) then you 
 can instantiate instances of your new product. 
 
 So if not clients do the installation, I would not be able to 
 instantiate objects?

AFAIK: At minimum, you need one client to do the installation once.
After that, you can turn it off forever on all clients
(until you install more products).

-- 

Paul Winkler
http://www.slinkp.com
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

2005-04-20 Thread Sidnei da Silva
On Wed, Apr 20, 2005 at 04:20:26PM +0100, Chris Withers wrote:
| | 2. Is the above behaviour pluggable at all?
| 
| Not at all.
| 
| Should it be? Can it be without impacting on performance?

I don't think so. I would expect there's only one sane way to do it.

| | 4. What kicks off the authentication process in Zope? Something being 
| | anonymously viewable or credentials being found in the request?
| 
| I've been looking at BaseRequest.traverse(). Basically, it tries to
| validate REQUEST._auth, 
| 
| What does? And what does validate mean in this context?

Did you read what I type? It's in BaseRequest.traverse(). Read the
source, I can't summarize 100 lines of python in one sentence.

| being it set or not *wink* (when using
| 
| Right, and that was the source of the other thread?

The source of the other thread is that falling back to unauthorized
smells wrong, but I can see at least one case where changing this
might break existing apps.

| CookieCrumbler it's this variable is set from the cookie value) and
| that may result in a valid user or 'Anonymous User'.
| 
| Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
| the user when things aren't authorized?

Basically it monkeypatches RESPONSE.unauthorized() and
RESPONSE._unauthorized().

if not req.get('disable_cookie_login__', 0):
if attempt == ATTEMPT_LOGIN or attempt == ATTEMPT_NONE \
   or attempt == ATTEMPT_RESUME:
# Modify the unauthorized response.   
   
req._hold(ResponseCleanup(resp))
resp.unauthorized = self.unauthorized
resp._unauthorized = self._unauthorized

-- 
Sidnei da Silva [EMAIL PROTECTED]
http://awkly.org - dreamcatching :: making your dreams come true
http://www.enfoldsystems.com
http://plone.org/about/team#dreamcatcher

Mais sujo que pau de galinheiro.
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Turning off product installation in zope.conf on all zeo clients?

2005-04-20 Thread Jens Vagelpohl
On Apr 20, 2005, at 15:50, Chris Withers wrote:
Jens Vagelpohl wrote:
 From what I understand it prevents the installation/writing of a 
product into the ZODB (the products management part of the 
Control_Panel) and thus prevents conflict errors. If the product is 
already installed (e.g. by a client who is allowed to do so) then you 
can instantiate instances of your new product.
So if not clients do the installation, I would not be able to 
instantiate objects?
Yes, and the new product will not show up under Control_Panel/Products, 
that's my understanding. Should be easy to test, though.

jens
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


[Zope-dev] Re: [Zope-Coders] Unauthorized results in 401, shouldn't it result in 403?

2005-04-20 Thread Zachery Bir
On 2005-04-20 11:20:26 -0400, Chris Withers 
[EMAIL PROTECTED] said:

Sidnei da Silva wrote:
| 3. How does PAS handle failover from one authentication plugin to the next?
/me leaves slot for PAS experts to fill
Each attempt at authenticating a particular set of credentials gets a 
crack, and either stands up for the creds, or returns None.

CookieCrumbler it's this variable is set from the cookie value) and
that may result in a valid user or 'Anonymous User'.
Yeah, but how does CookieCrumbler stop a basic auth box being popped to 
the user when things aren't authorized?
By intercepting the RESPONSE's unauthorized() method. It's pretty 
plainly there in the code. FWIW, this is how PAS insinuates itself into 
the process as well, but to allow for any of the challenge plugins to 
fire this way.

| PS: I suspect the answer to 4 varies depending on the type of auth :-(
I don't think so.
CookieCrumbler vs Everything Else: I think it does...
Well, not in PAS ;^)
Zac
___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )