Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question

2002-01-23 Thread Paul Erickson

All the user folders can be confusing, but I think in the long run, 
you'd be better off if you grabbed one and figured out how it worked.

I've used LoginManager, and basically, I create a folder for my project, 
don't put the standard acl_users in it, because you want to create an 
object called acl_users, of type Login Manager.

There's a method in there called userAuthenticate.  When the security 
mechanism kicks in (on every web page hit), if this returns a 1, then 
all is well, if it returns a 0, then LoginManager will cause the 
loginForm method to be run, which is where you would put your custom 
login page.  (see the loginForm method that comes with Login Manager).

Here's what the userAuthenticate method would look like for your scenario:

<dtml-if "REQUEST.cookies.has_key('user_id')">
  <dtml-return "_.int('1')">
</dtml-if>

<dtml-return "_.int('0')">

Of course that's too easy, and you'd probably want to check the 
username/password against stored data.  I generally use a relational 
database... but that's another story.  You can store the user data any 
way you like and just use these methods to validate it.

You will probably also need to look at the userRoles method.

The security mechanism will give you much more control over access to 
your objects.

-Paul  


vio wrote:

First, thanks for your time on this thread, everybody!

* Leonardo Rochael Almeida [EMAIL PROTECTED] [020123 19:42]:

Hi Vio,

By the contents of your message, you seem to be a little off track
w.r.t. the way authentication works between the browser and Zope.

By now you seem to have discovered that the browser sends the user
credentials whenever it fetches a page. If you aren't using a custom
user folder that uses cookies, then you're most likely using basic
authentication (which is likely since you don't want the overhead of a
product). To know for sure answer this question: when you are anonymous
and you want to access a forbidden area, does the
browser-standard-login-popup-window show up?


yes.

If yes, then there simply is no way you can use a few placed calls to
the Zope machinery to convince the browser that it needs to switch
identities because you're talking to Zope, not to the browser. Zope
cannot tell the browser stop pretending you are anonymous and start
pretending you're John. The only thing Zope can tell the browser is
This user you are using is not authorized, in which case the browser
will ask the user for another login/password combo, using its own
standard login popup window.


Ok, maybe I didn't express myself very clearly in my past messages.
Imagine the following simple scenario, which makes heavy use of 
'CoreSessionTracking', by the way:

1. In my 'standard_html_header' I put a dtml routine who checks for a 
specific session variable, let's call it 'user_id'. If it isn't there, or
there is no session running, it redirects user to my custom 'loginForm'.
   <dtml-if "sessionData.get('user_id')">
   get the beef
   <dtml-else>
   redirect to loginForm
   </dtml-if>

2. The manage_login() who processes the 'loginForm' data, validates user 
credentials against some internal list. Actually, for now I'm using a
standard Users_folder object, but I am tempted to switch to something even
simpler, like a dictionary or a list. I hope you follow me up to now.

In that list, each user_id has also associated with it a list of roles. 
So here we have a central list of 'authorised' users (or a UsersFolder):
   clean_users.append([user_id, password, list_of_roles])
   or
   Users_folder._addUser(name,password,confirm,roles,domains)

Session-storing the credentials: manage_login() stores this related data
as session variables:
   sessionData.set('user_id',user_id)
   sessionData.set('user_roles', list_of_roles)

3. Make all user-visible objects in my product 'Public', knowing that 
they are not 'really' public: any user without a 'user_id' session variable 
will get redirected to my custom login page 'no matter what'. But Zope's
own security machinery is out of the loop on this one (simply by-passed).

4. The little routine in 'standard_html_header' will take care of all dtml.
But I will need to call a similar validating method (or specialized instance)
before running any 'executable' code: 
by 'executable' I mean code who Creates, Destroys, Modifies restricted objects, 
or modifies my custom security settings. This code simply compares content of
'user_roles' session variable with 'my_object_permissions' object attribute
(which can be acquired).

Only if there's a match, the 'executable' python code is allowed to run. 
An alternative here would have been to protect all objects with a 
Zope permission (instead of declaring everything public), 
then switch to a user with that permission for the duration of this 
transaction with:
SecurityManagement.newSecurityManager(None, UserWithPermission)

This is what I meant with a few well placed calls to the Zope machinery.
Of 

Re: [Zope-dev] IE and Zope MIME type handling

2001-10-22 Thread Paul Erickson

I agree with solution #2.  When I upload a .xls file from Mozilla on 
Linux, it also says that it is application/octet-stream.

Even more annoying:  Netscape 4.7.x says that it is 
application/vnd.ms-excel, while Konqueror says application/ms-excel 
for the same file.  For sites that want to enforce, it makes me think 
that it might be better to do #2 even for non octet mime types.

-Paul

Casey Duncan wrote:

Problem: Getting Zope to properly detect MIME types of posted files

The current solution is to try the following methods:

1. See if the browser specified a type and if so, use it.
2. See if the file extension can be recognized and derive a mime-type from it
3. Do some inspection of the file data (limited to text files at present)

Obviously #1 is preferred, and anytime the browser supplies the mime type, 
method #2 and #3 are never used. However, I have found a problem with this. 
Sometimes, IE reports a mime-type of application/octet-stream on files that 
it doesn't know better about.

This specifically happens on WordPerfect files. Now, I am as shocked as you 
are that a competitor's file format would not be recognized by IE, however, 
difficult as this may be to believe, it appears to be true.

My proposed solution and change in behavior is to ignore the browser supplied 
type if it is application/octet-stream and use #2 and perhaps #3 in that 
case to delve in further. Obviously this may pose a problem for applications 
that rely on the mime-type for files with extensions that might otherwise 
indicate something else. But since this behavior seems restricted to IE 
(amongst the browsers I tested), I doubt it would cause harm or breakage.

Thoughts?

I will supply the necessary patches if there is no objection.

/---\
  Casey Duncan, Sr. Web Developer
  National Legal Aid and Defender Association
  [EMAIL PROTECTED]
\---/

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )





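Casey's proposed detection order, written out as an added Python example (not Zope's own code): the browser-supplied type is client-controlled input, so it is used only when it names something specific; otherwise the extension and then a text-only content check decide. The `.wpd` registration is an assumption made here so the extension step resolves WordPerfect files on any system.

```python
import mimetypes

# Assumption (constructed for this example): stock mimetypes tables may not
# know WordPerfect, so register it for the extension fallback.
mimetypes.add_type("application/vnd.wordperfect", ".wpd")

GENERIC = "application/octet-stream"


def looks_like_text(data):
    """Content inspection limited to text, as in the thread: no NUL bytes
    and the bytes decode as UTF-8 (ASCII included)."""
    if not data or b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def detect_mime_type(browser_type, filename, data):
    """Return (mime_type, source) using the proposed order:
    1. the browser's type, unless it is the generic octet-stream;
    2. the file extension;
    3. content inspection (text only);
    and the generic type when nothing better is known."""
    # Normalise "TEXT/HTML; charset=utf-8" to "text/html".
    declared = (browser_type or "").split(";")[0].strip().lower()
    if declared and declared != GENERIC:
        return declared, "browser"
    guessed, _encoding = mimetypes.guess_type(filename, strict=False)
    if guessed:
        return guessed, "extension"
    if looks_like_text(data):
        return "text/plain", "content"
    return GENERIC, "default"
```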



Re: [Zope-dev] ZSQL and Normalized databases (or why ZSQL sucks)

2001-04-19 Thread Paul Erickson

The Doctor What wrote:
 
 * The Doctor What ([EMAIL PROTECTED]) [010419 11:57]:
  Does any one have an example of ZSQL being used with a normalized
  database?  Or is ZSQL just useless?
 
  Near as I can tell, between:
  * Broken type marshalling
  * Losing the variable between the form and dtml-if

I don't understand this.  I'm assuming that you are losing values that
are not in your argument list.  All you have to do is add the arguments.

  * Inability to handle table.field names for variables
  * And enough flexibility to work around the above problems
 
  This makes ZSQL extremely nasty, and impossible to use with a
  normalized database.

Database normalization isn't really an issue.  It sounds like you're
really just having problems with the syntax of joins.

 
  What's the point?  ZSQL sucks, how do I talk to the DB directly?

Grab the Python database adapter and write some python classes or
external methods to do what you need.

 
  Yeah, I keep almost getting this to be useful.  But damn it if I
  don't keep hitting a brick wall.  And there are no complete examples
  or demos that I can find to load up.
 
  Irritatedly yours,
  DocWhat
 
 I would like to apologize for being particularly pissy.  Things are
 quite as bad as I say up there...
 
 My third point is only half true.  I can have SQLTEST specify a
 column name (aka a field):
 dtml-sqltest somevarname column="SQLTABLE.sqlfield" type...
 
 This makes things work MUCH better.  So there are work arounds.

This isn't a work-around, it is the way that it is intended to be used.

  But
 this doesn't excuse this not working:
 SELECT  table.field1, table.field2 FROM 
 
 and then:
 <dtml-var name="table.field1">  --doesn't work
 <dtml-var name="field1"> -- does work
 
 I know that the '.' has a special meaning, but there should be ways
 around this if the user wants.

Again, I think that it's a matter of understanding how ZSQL works,
rather than a limitation of ZSQL.  If you have column name conflicts,
you can always use something like:

SELECT a.field as a_field, b.field as b_field FROM ...

Then refer to them in dtml like &dtml-a_field; or <dtml-var
name="a_field">

 
 I still would love some examples.  Do people end up with 4 ZSQL
 objects per thing they manipulate in their database?:
 UPDATE, SELECT, INSERT and DELETE?  Or do they mix them somehow?

I typically wind up with a ZSQL method for each of the CRUD operations. 
Sometimes I have separate selects methods for more complex joins, if the
DTML code gets too ugly when I try to combine them into a single method.


Example of a fairly typical join statement (for MySQL database):

Arguments-
begin_date:date end_date:date="2037-01-01"

SELECT search_string, search_result,  search_date, result_category,
legal_category.name
FROM search_log LEFT JOIN legal_category ON
search_log.result_category=legal_category.code

<dtml-sqlgroup required where>
  <dtml-sqltest name="begin_date" op="gt" type="nb"
  column="search_date">
<dtml-and>
  <dtml-sqltest name="end_date" type="nb" op="lt"
  column="search_date" optional>
</dtml-sqlgroup>

Good Luck

-Paul

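The where-clause of the join above, as an added Python emulation of what `<dtml-sqlgroup>` and `<dtml-sqltest>` do (this is not Zope's code): `type="nb"` rejects blank values, values are rendered as quoted literals with embedded quotes doubled rather than pasted in raw, `optional` drops a test whose argument is missing, and `required` refuses to emit a query whose filter vanished. The `end_date` default is left out so the optional branch is exercised.

```python
# Added example: emulation of <dtml-sqlgroup> / <dtml-sqltest> for the
# search_log join in the post.  Not Zope's implementation; the quoting rule
# (double each embedded single quote) is the standard SQL string-literal rule.

OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}


def quote_nb(name, value):
    """type="nb": a non-blank string, rendered as a quoted SQL literal."""
    text = "" if value is None else str(value)
    if text.strip() == "":
        raise ValueError("%s: blank value not allowed for type nb" % name)
    return "'" + text.replace("'", "''") + "'"


def sqltest(args, name, column, op="eq", optional=False):
    """One <dtml-sqltest>: a comparison clause, or None when the argument
    is missing/blank and the test is marked optional."""
    value = args.get(name)
    if value is None or str(value).strip() == "":
        if optional:
            return None
        raise ValueError("%s: required argument missing" % name)
    return "%s %s %s" % (column, OPS[op], quote_nb(name, value))


def sqlgroup_where(clauses, required=True):
    """<dtml-sqlgroup where>: AND together the clauses that rendered; with
    'required', refuse to produce a query that lost its WHERE filter."""
    parts = [c for c in clauses if c]
    if not parts:
        if required:
            raise ValueError("required sqlgroup produced no clauses")
        return ""
    return "WHERE " + " AND ".join(parts)


def search_log_query(args):
    """Render the join from the post for ZSQL-style arguments."""
    select = ("SELECT search_string, search_result, search_date, "
              "result_category, legal_category.name "
              "FROM search_log LEFT JOIN legal_category "
              "ON search_log.result_category=legal_category.code ")
    return select + sqlgroup_where([
        sqltest(args, "begin_date", "search_date", op="gt"),
        sqltest(args, "end_date", "search_date", op="lt", optional=True),
    ])
```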



Re: [Zope-dev] RE: objectIds accessiblilty and a proposal

2000-12-18 Thread Paul Erickson

If it is an issue for XML-RPC users, maybe there should be a
"Traversable" permission on Folder objects that could default to not
allowing web-traversal, but allowing it to be enabled if desired.

Would this affect FTP access to folders?

-Paul


Brian Lloyd wrote:

 
 This is something that has come up before. I propose
 that the real problem here is that 'objectIds' should
 not be web-traversable.
 
 I have, in fact, proposed this before. It caused a bit
 of grumbling among people using xml-rpc, who were using
 objectIds remotely, so we never came to closure on it.
 
 This comes up often enough that I'm inclined to do
 something about it for 2.3. I propose that objectIds
 (and objectValues) will not be directly accessible
 via the Web in 2.3. For xml-rpc applications, it should
 be a simple enough task to create a Python Script (or
 even a DTML Method) that *is* Web accessible to relay
 that information if it is needed.
 
 Thoughts?
 
 Brian Lloyd[EMAIL PROTECTED]
 Software Engineer  540.371.6909
 Digital Creations  http://www.digicool.com
 

-- 
Paul Erickson   | [EMAIL PROTECTED]
Kaivo, Inc. | www.kaivo.com





Re: [Zope-dev] DTML processing variable

2000-11-10 Thread Paul Erickson

If this is your exact code, it looks like you should be using
"sequence-item", instead of "sequence_item".

You should also be able to do it without the external method like this:
(100% untested)

<dtml-in expr="_.string.split(acctUsersEmail)">
  <dtml-var name="sequence-item">
</dtml-in>


"David W. Damon" wrote:
 
 Hey all,
 
 I'm having difficulty getting dtml-in to iterate over a list of strings
 returned from an external python method.
 
 Essentially, I have a string that is comprised of the contents of an HTML text
 area.  I need to split the string into a list of words and iterate over this
 list.
 
 My external python method is this:
 
 import string

 def stringSplit( self, theString ):
   return string.split( theString )
 
 Here's the pertinent DTML.
 
 ---
 <dtml-call expr="REQUEST.set( 'userList', stringSplit(acctUsersEmail))">
 
   <dtml-in userList>
 <dtml-var sequence_item>
 </dtml-in>
 
 <dtml-var REQUEST>
 ---
 
 If I comment out the dtml-in block, I have a userList variable in the REQUEST
 object that is something like: ['name1', 'name2', 'name3']
 
 Any ideas?
 
 -- dave
 

-- 
Paul Erickson   | [EMAIL PROTECTED]
Kaivo, Inc. | www.kaivo.com





Re: [Zope-dev] Tag DTML

2000-11-02 Thread Paul Erickson

I think that all you have to do is get your property out of md.

ie:
some_prop=md['some_prop']

 
 Hello, I have coded my own DTML tag and I want to catch a property of the
 folder where the DTML-Coded is.
 
 How can I do this???
 
 
 from DocumentTemplate.DT_Util import * # useful parsing methods you'll need
 from DocumentTemplate.DT_String import String # explained later
 
 class FuenteTag:
 
     name = 'fuente'
     blockContinuations = ()
     expand = None
 
     def __init__(self, blocks):
         tname, args, section = blocks[0]
         self.tname = tname
         self.section = section
         args = parse_params(args, font='Verdana', size='2')
         self.args = args
         self.font = args.get('font', 'Verdana')
         self.size = args.get('size', '2')
 
     def render(self, md):
         cadena = '<FONT FACE="' + self.font + '" SIZE="' + self.size + '">' \
                  + self.section(md) + '</FONT>'
         return cadena
 
     __call__ = render
 
 String.commands['fuente'] = FuenteTag
 /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
  
 Aitor Grajal Crespo
 Director General
 e-mail: [EMAIL PROTECTED]
 
 INETSYS, S.L.
 ETSI Informática
 Ctra. Colmenar, km. 15,500
 28049 MADRID
 SPAIN
 Tfno : (34) 91 348 22 66 - Fax : (34) 91 348 22 66
 http://www.inetsysonline.com
  
 /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
 
 






Re: [Zope-dev] date formatting / extracting substrings

2000-09-07 Thread Paul Erickson

If you've already done some validation and can guarantee that there are
6 characters in the string, you can slice the month out of the string
like this:

<dtml-call "REQUEST.set('MonthValue', MonthID[4:6])">

or, if you just want to display the month, use this:

<dtml-var expr="MonthID[4:6]">

-Paul

Jeff Nielsen / Ugo Fast wrote:
 
 Hello out there in Zope world!
 
 Again, I'm completely baffled by Zope and the docs are no help either. I'm
 trying to take an input of a date in the form MM as the variable MonthID
 and create a string in the form Month,  as a variable named MonthName.
 For instance, a MonthID of 29 should return a MonthName of "September,
 2000".
 
 I've been looking in the docs and the emails, but I can't figure out how to
 extract substrings. I think something like this should work to separate the
 month value from the MonthID, but it doesn't:
 
 <dtml-call "REQUEST.set('MonthValue', _.substring(MonthID,5,2))">
 
 Any guidance would be appreciated.
 
 ---
 Jeff Nielsen
 http://www.UgoFast.com/
 "Where U Go Fast"
 

-- 
Paul Erickson   | [EMAIL PROTECTED]
Kaivo, Inc. | www.kaivo.com
