Re: [Zope-dev] Security Question

2001-11-25 Thread Andre Schubert

Dieter Maurer wrote:
> 
> Andre Schubert writes:
>  > I have a little security problem.
>  > Let me explain.
>  >
>  > root/
>  >   index_html
>  >   foo/
>  >     acl_users/
>  >     bar/
>  >       Image
>  >
>  > I have an image which could only be viewed by users with a role named
>  > foobar, these users are in acl_users.
>  > If I access the image through the web I must authenticate myself for the
>  > first time, after that everything works well.
>  > But if I want to access the Image via  from the
>  > index_html in the root-folder I got no access.
> I expect, you get hit by a (in my view stupid) security feature:
> 
>   When you are not authorized to access an object, then you
>   should not even see that it is there.
> 
> This is achieved by turning "Unauthorized" exceptions into
> "KeyError" exceptions under some circumstances.
> 
> The effect is similar to what you describe (at least, if I
> interpret "got no access" as a "NameError" or "KeyError" for
> "Image").
> 
> If, however, you keep getting "Unauthorized" exceptions
> (i.e. login requests), then the reason may be that your
> initial request did not get authenticated by "foo/acl_users"
> but by a higher level "acl_users" that does not assign
> the correct role to the user.
> 
This is exactly what I want. I want a user which has to login with
foo/acl_users.
And this user should be allowed to view the Image through dtml.
Have I misunderstood restrictedTraverse, which says that an object will
be accessed by traversing
a path and checking permissions for each object?

as

> Dieter
> 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
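
A simplified model of the two effects Dieter describes, added here as an illustration and not taken from Zope or from the thread: roles come from the user folder found walking up from the published object, and an Unauthorized raised during a name lookup surfaces as a KeyError. The `Node` class, the function names and the login `andre` are assumptions made for the example.

```python
class Unauthorized(Exception):
    """Raised by this simplified model (not Zope source code)."""

class Node:
    def __init__(self, name, parent=None, users=None, required_role=None):
        self.name, self.parent = name, parent
        self.users = users or {}            # stands in for an acl_users: {login: roles}
        self.required_role = required_role  # role needed to view this object, if any
        self.children = {}
        if parent is not None:
            parent.children[name] = self

def authenticate(published, login):
    """Walk up from the published object; the first user folder that knows
    the login supplies the roles. User folders below that path are never asked."""
    node = published
    while node is not None:
        if login in node.users:
            return set(node.users[login])
        node = node.parent
    return {"Anonymous"}

def restricted_traverse(start, path, roles):
    """Follow the path, checking the role requirement of every object on it."""
    node = start
    for name in path.split("/"):
        node = node.children[name]          # KeyError if the name really is absent
        if node.required_role and node.required_role not in roles:
            raise Unauthorized(name)
    return node

def lookup(start, path, roles):
    """Name lookup that hides protected objects: Unauthorized becomes KeyError."""
    try:
        return restricted_traverse(start, path, roles)
    except Unauthorized as exc:
        raise KeyError(str(exc)) from None

def build_site():
    """Constructed layout from the thread: root/index_html and root/foo/bar/Image."""
    root = Node("root")
    index_html = Node("index_html", root)
    foo = Node("foo", root, users={"andre": ["foobar"]})  # constructed login
    image = Node("Image", Node("bar", foo), required_role="foobar")
    return root, index_html, image

if __name__ == "__main__":
    root, index_html, image = build_site()
    print({n.name: sorted(authenticate(n, "andre")) for n in (image, index_html)})
```

Publishing the Image directly passes through foo, so the login picks up the foobar role; publishing root/index_html never reaches foo/acl_users, so the same login stays Anonymous and the embedded lookup fails.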



[Zope-dev] FTP Error Messages again

2001-11-25 Thread Chris Withers

Richard wrote, some months ago:
> I'd also hope that the standard PUT methods in the Zope source would set
> the message to something useful. At the moment, we set the message to the
> type and value of any exception raised in the PUT method.

Hi Richard,

How did you do this last step of setting the message to the
type and value of any exception raised in the PUT method?

cheers,

Chris




[Zope-dev] Overriding base class method / CatalogAware mixin

2001-11-25 Thread sean . upton

I'm having the same problem described in:

http://lists.zope.org/pipermail/zope-dev/1999-November/002427.html

My class inherits from a few base classes including CatalogAware as a mixin;
I'm trying to override a method in my core API superclass (which uses
MySQLdb, and thus mx-DateTime), with a similar method that is compatible
with Zope's DateTime; I got a TypeError that I think is due to
ExtensionClass when trying to call the superclass's method, even with an
instance of the subclass passed as the first variable.  Since this didn't
work, I ended up having to create a temporary instance of the superclass and
inside a method of the subclass - not entirely graceful, but it works.

Is there a more graceful way to get around this? (I'm using Zope
2.3.3/Python 1.5.2 at the moment).

Sean

=
Sean Upton
Senior Programmer/Analyst
SignOnSanDiego.com
The San Diego Union-Tribune
619.718.5241
[EMAIL PROTECTED]
=




Re: [Zope-dev] Per restart volatile attributes in Zope?

2001-11-25 Thread Steve Alexander

Morten W. Petersen wrote:

> Hello,
> 
> I'm wondering if there's a volatile attribute type in Zope, where the
> attribute is deleted each time Zope restarts (or something similar).


There's attributes belonging to modules. They will be deleted when Zope 
restarts. They won't participate in the Zope concurrency protection 
scheme though -- see how RAM Cache Manager handles that, as it uses data 
stored in module attributes.


You might also look at _v_ attributes of Persistent objects. These will 
definitely be deleted when Zope restarts. They will almost certainly be 
deleted at various points before that too.

--
Steve Alexander
Software Engineer
Cat-Box limited






[Zope-dev] Per restart volatile attributes in Zope?

2001-11-25 Thread Morten W. Petersen

Hello,

I'm wondering if there's a volatile attribute type in Zope, where the
attribute is deleted each time Zope restarts (or something similar).

Thanks,

Morten





Re: [Zope-dev] SiteAccess improvements

2001-11-25 Thread Dieter Maurer

Gary Poster writes:
 > Hi.  My main project right now is actually to build a VHM replacement for
 > myself to solve some needs I had.
 > .
 > * I need the ability to store arbitrary properties for each virtual host.
 > In particular, the corollary of my current work is to provide a
 > CMFVirtualHost tool that stores a sub-portal title, sub-portal skin
 > information, and other items.

 > * I need the ability to have multiple domains point to the same folder,
 > while ideally maintaining the arbitrary properties

I expect these two requirements are already possible without
any modification to VRM.

Assume your destination folder is "I" (for implementation)
and you have configuration objects "C1", "C2", ... one
for each of your virtual domains "D1", "D2", ...

The configuration objects could be any object capable of holding
the configuration information and inheriting from "Acquisition.Implicit"

Then you rewrite your virtual domain URL for "Di" into

 VirtualHostBase/Di/Ci/I/VirtualHostRoot

Due to the magic of acquisition, you should get the configuration
into your implementing "I".


Dieter




RE: [Zope-dev] SiteAccess improvements

2001-11-25 Thread Trevor Toenjes

I like this point.  SiteAccess should kick an error if you do something
stupid, but not lock you out of the ZMI.
Maybe, "authenticated" gets a 'manage' wrapper(header/footer) around the
AccessRule



   ...the AccessRule



-Trevor

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
> Of Lennart Regebro
> Sent: Saturday, November 24, 2001 7:00 PM
> To: [EMAIL PROTECTED]; emf
> Subject: Re: [Zope-dev] SiteAccess improvements
>
>
> I haven't been very deep down into site access things, mainly
> because I get
> confused each time I try to set up a SiteRoot. :-)
> So it may be that some of the features I'd like are already
> available, but
> that I just didn't know. :-)
>
> Anyway, this is what I would like:
>
> The virtual hosts of Zope is managed from the Control Panel and not from
> several objects in several directories. This would mean that if you enter
> incorrect information, you don't have to reboot the server with
> SUPPRESS_SITEROOT=1 set in the environment to fix the stupid errors you
> made, you just go into the Control Panel and fix it. It also means that a
> customer of a web hotel can't fiddle around with his own SiteRoot. Good eh?
> :-) This Control Panel thingy should also have a possibility to
> turn on and
> off individual virtual host mappings without removing the
> settings, as well
> as a global on/off.
>
> Hope these ideas are useful.
>
> - Original Message -
> From: "emf" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Saturday, November 24, 2001 9:13 AM
> Subject: [Zope-dev] SiteAccess improvements
>
>
> > Hello,
> >
> > There's a very nearly "orphaned proposal":
> >
> http://dev.zope.org/Wikis/DevSite/Proposals/SiteAccessUsuabilityImprovements
>
> iMeme has already done some work towards these goals with
> "SiteAccessEnhanced":
> http://www.zope.org/Members/sfm/SiteAccessEnhanced
>
> I am taking over this effort, and I have some near-term "goals outlined":
> http://dev.zope.org/Wikis/DevSite/Proposals/SiteAccessProposedSolutions
>
> I intend to deliver the VHM improvements before the AccessRule improvements.
>
> Please give feedback on this proposal, and let me know what I need to do
> to move this into the project phase.







RE: [Zope-dev] SiteAccess improvements

2001-11-25 Thread Trevor Toenjes

> What do you want to happen during traversal?
Evan's Embedded Session Values is his suggested use of SiteAccess2
http://www.zope.org/Members/4am/SiteAccess2/otheruse

I simply need to add a (writing to a database) after a
valid SessionID is set.
However, 'smallscript' cannot be executed from the AccessRule because
security is not set yet.  The user gets a Zope login prompt and then a
Site Error
An error was encountered while publishing this resource.
Unauthorized
You are not authorized to access the_database

"AccessRule" with ***smallscript***

Don't intercept management requests

  Is the next path segment a positive integer?
  0">
Save it and remove it from the path

Add it back into the logical path

***  ***
  
Invalid Session ID!
  



For example purposes, this is 'smallscript':


-Trevor

