Re: [Zope-dev] REQUEST.AUTHENTICATED_USER question

2002-01-23 Thread Paul Erickson

All the user folders can be confusing, but I think in the long run, 
you'd be better off if you grabbed one and figured out how it worked.

I've used LoginManager, and basically, I create a folder for my project and 
don't put the standard acl_users in it, because you want to create an 
object called acl_users of type "Login Manager".

There's a method in there called "userAuthenticate".  When the security 
mechanism kicks in (on every web page hit), if this returns a 1, then 
all is well, if it returns a 0, then LoginManager will cause the 
"loginForm" method to be run, which is where you would put your custom 
login page.  (see the loginForm method that comes with Login Manager).

Here's what the userAuthenticate method would look like for your scenario:


 




Of course that's too easy, and you'd probably want to check the 
username/password against stored data.  I generally use a relational 
database... but that's another story.  You can store the user data any 
way you like and just use these methods to validate it.

You will probably also need to look at the userRoles method.

The security mechanism will give you much more control over access to 
your objects.

-Paul  


vio wrote:

>First, thanks for your time on this thread, everybody!
>
>* Leonardo Rochael Almeida <[EMAIL PROTECTED]> [020123 19:42]:
>
>>Hi Vio,
>>
>>By the contents of your message, you seem to be a little off track
>>w.r.t. the way authentication works between the browser and Zope.
>>
>>By now you seem to have discovered that the browser sends the user
>>credentials whenever it fetches a page. If you aren't using a custom
>>user folder that uses cookies, then you're most likely using basic
>>authentication (which is likely since you don't want the overhead of a
>>product). To know for sure answer this question: when you are anonymous
>>and you want to access a forbidden area, does the
>>browser-standard-login-popup-window show up?
>>
>
>yes.
>
>>If yes, then there simply is no way you can use "a few placed calls to
>>the Zope machinery" to convince the browser that it needs to switch
>>identities because you're talking to Zope, not to the browser. Zope
>>cannot tell the browser "stop pretending you are anonymous and start
>>pretending you're John". The only thing Zope can tell the browser is
>>"This user you are using is not authorized", in which case the browser
>>will ask the user for another login/password combo, using its own
>>standard login popup window.
>>
>
>Ok, maybe I didn't express myself very clearly in my past messages.
>Imagine the following simple scenario, which makes heavy use of 
>'CoreSessionTracking', by the way:
>
>1. In my 'standard_html_header' I put a dtml routine that checks for a 
>specific session variable, let's call it 'user_id'. If it isn't there, or
>there is no session running, it redirects the user to my custom 'loginForm'.
>   
>   get the beef
>   
>   redirect to loginForm
>
>2. The manage_login() that processes the 'loginForm' data validates user 
>credentials against some internal list. Actually, for now I'm using a
>standard Users_folder object, but I am tempted to switch to something even
>simpler, like a dictionary or a list. I hope you follow me up to now.
>
>In that list, each user_id has also associated with it a list of roles. 
>So here we have a central list of 'authorised' users (or a UsersFolder):
>   clean_users.append([user_id, password, list_of_roles])
>   or
>   Users_folder._addUser(name,password,confirm,roles,domains)
>
>Session-storing the credentials: manage_login() stores this related data
>as session variables:
>   sessionData.set('user_id',user_id)
>   sessionData.set('user_roles', list_of_roles)
>
>3. Make all user-visible objects in my product 'Public', knowing that 
>they are not 'really' public: any user without a 'user_id' session variable 
>will get redirected to my custom login page 'no matter what'. But Zope's
>own security machinery is out of the loop on this one (simply by-passed).
>
>4. The little routine in 'standard_html_header' will take care of all dtml.
>But I will need to call a similar validating method (or specialized instance)
>before running any 'executable' code: 
>by 'executable' I mean code that creates, destroys, or modifies restricted objects, 
>or modifies my custom security settings. This code simply compares content of
>'user_roles' session variable with 'my_object_permissions' object attribute
>(which can be acquired).
>
>Only if there's a match, the 'executable' python code is allowed to run. 
>An alternative here would have been to protect all objects with a 
>Zope permission (instead of declaring everything public), 
>then switch to a user with that permission for the duration of this 
>transaction with:
>SecurityManagement.newSecurityManager(None, UserWithPermission)
>
>This is what I meant by "a few well placed calls to the Zope machinery".
>Of course I know I'm not t
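
The two hooks Paul names above, modelled in plain Python as an added example (not LoginManager's own code; the class name, the method signatures and the salted-hash user store are assumptions): credentials are verified against stored data, roles are answered from the same store, and the access decision lives in one place instead of in per-page session checks.

```python
import hashlib
import hmac
import os


def _hash(password, salt):
    """Salted PBKDF2 digest; the store never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(users):
    """users: {name: (password, roles)} -> {name: (salt, digest, roles)}.
    Stands in for the 'stored data' the reply says you would check against."""
    store = {}
    for name, (password, roles) in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash(password, salt), tuple(roles))
    return store


class UserSource:
    """Hypothetical model of the userAuthenticate/userRoles hooks (not
    LoginManager's real class or signatures). Returns 1/0 as the reply says."""

    def __init__(self, store):
        self.store = store

    def userAuthenticate(self, username, password):
        rec = self.store.get(username)
        if rec is None:
            # Hash anyway so an unknown name costs the same time as a known one.
            _hash(password, b"\0" * 16)
            return 0
        salt, digest, _roles = rec
        return 1 if hmac.compare_digest(_hash(password, salt), digest) else 0

    def userRoles(self, username):
        rec = self.store.get(username)
        return list(rec[2]) if rec else []


def allowed(source, username, password, required_roles):
    """Central check: authenticate first, then require at least one role."""
    if not source.userAuthenticate(username, password):
        return False
    return bool(set(source.userRoles(username)) & set(required_roles))
```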

Re: [Zope-dev] IE and Zope MIME type handling

2001-10-22 Thread Paul Erickson

I agree with solution #2.  When I upload a .xls file from Mozilla on 
Linux, it also says that it is application/octet-stream.

Even more annoying:  Netscape 4.7.x says that it is 
"application/vnd.ms-excel", while Konqueror says "application/ms-excel" 
for the same file.  For sites that want to enforce, it makes me think 
that it might be better to do #2 even for non-octet mime types.

-Paul

Casey Duncan wrote:

>Problem: Getting Zope to properly detect MIME types of posted files
>
>The current solution is to try the following methods:
>
>1. See if the browser specified a type and if so, use it.
>2. See if the file extension can be recognized and derive a mime-type from it
>3. Do some inspection of the file data (limited to text files at present)
>
>Obviously #1 is preferred, and anytime the browser supplies the mime type, 
>method #2 and #3 are never used. However, I have found a problem with this. 
>Sometimes, IE reports a mime-type of "application/octet-stream" on files that 
>it doesn't know better about.
>
>This specifically happens on WordPerfect files. Now, I am as shocked as you 
>are that a competitor's file format would not be recognized by IE, however, 
>difficult as this may be to believe, it appears to be true.
>
>My proposed solution and change in behavior is to ignore the browser supplied 
>type if it is "application/octet-stream" and use #2 and perhaps #3 in that 
>case to delve in further. Obviously this may pose a problem for applications 
>that rely on the mime-type for files with extensions that might otherwise 
>indicate something else. But since this behavior seems restricted to IE 
>(amongst the browsers I tested), I doubt it would cause harm or breakage.
>
>Thoughts?
>
>I will supply the necessary patches if there is no objection.
>
>/---\
>  Casey Duncan, Sr. Web Developer
>  National Legal Aid and Defender Association
>  [EMAIL PROTECTED]
>\---/
>
>___
>Zope-Dev maillist  -  [EMAIL PROTECTED]
>http://lists.zope.org/mailman/listinfo/zope-dev
>**  No cross posts or HTML encoding!  **
>(Related lists - 
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope )
>





Re: [Zope-dev] ZSQL and Normalized databases (or why ZSQL sucks)

2001-04-19 Thread Paul Erickson

The Doctor What wrote:
> 
> * The Doctor What ([EMAIL PROTECTED]) [010419 11:57]:
> > Does any one have an example of ZSQL being used witha normalized
> > database?  Or is ZSQL just useless?
> >
> > Near as I can tell, between:
> > * Broken type marshalling
> > * Losing the variable between the form and dtml-if

I don't understand this.  I'm assuming that you are losing values that
are not in your argument list.  All you have to do is add the arguments.

> > * Inability to handle table.field names for variables
> > * And enough flexibility to work around the above problems
> >
> > This makes ZSQL extremely nasty, and impossible to use with a
> > normalized database.

Database normalization isn't really an issue.  It sounds like you're
really just having problems with the syntax of joins.

> >
> > What's the point?  ZSQL sucks, how do I talk to the DB directly?

Grab the Python database adapter and write some python classes or
external methods to do what you need.

> >
> > Yeah, I keep almost getting this to be useful.  But damn it if I
> > don't keep hitting a brick wall.  And there are no complete examples
> > or demos that I can find to load up.
> >
> > Irritatedly yours,
> > DocWhat
> 
> I would like to apologize for being particularly pissy.  Things are
> quite as bad as I say up there...
> 
> My third point is only half true.  I can have SQLTEST specify a
> column name (aka a field):
> 
> 
> This makes things work MUCH better.  So there are workarounds.

This isn't a work-around, it is the way that it is intended to be used.

> But this doesn't excuse this not working:
> SELECT  table.field1, table.field2 FROM 
> 
> and then:
>   <--doesn't work
>  <-- does work
> 
> I know that the '.' has a special meaning, but there should be ways
> around this if the user wants.

Again, I think that it's a matter of understanding how ZSQL works,
rather than a limitation of ZSQL.  If you have column name conflicts,
you can always use something like:

SELECT a.field as a_field, b.field as b_field FROM ...

Then refer to them in dtml like &dtml-a_field; or 

> 
> I still would love some examples.  Do people end up with 4 ZSQL
> objects per thing they manipulate in their database?:
> UPDATE, SELECT, INSERT and DELETE?  Or do they mix them somehow?

I typically wind up with a ZSQL method for each of the CRUD operations. 
Sometimes I have separate selects methods for more complex joins, if the
DTML code gets too ugly when I try to combine them into a single method.


Example of a fairly typical join statement (for MySQL database):

Arguments-
begin_date:date end_date:date="2037-01-01"

SELECT search_string, search_result,  search_date, result_category,
legal_category.name
FROM search_log LEFT JOIN legal_category ON
search_log.result_category=legal_category.code


  

  


Good Luck

-Paul
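
The join reply above, carried through as an added example (Python/sqlite3 code written for this page, not a ZSQL method; the rows, the sqlite schema and the WHERE clause are constructed): every selected column gets a dot-free alias, so DTML can reference it directly, and the begin_date/end_date arguments are bound as parameters rather than pasted into the SQL text, which is the quoting job dtml-sqlvar does inside a real ZSQL method.

```python
import sqlite3

# Constructed sample rows for the two tables in the thread's join example.
SEARCH_LOG = [
    ("zope security", 12, "2001-04-10", "A"),
    ("dtml-in", 3, "2001-04-15", "B"),
    ("zsql join", 7, "2001-04-18", "Z"),   # no matching legal_category row
]
LEGAL_CATEGORY = [("A", "Housing"), ("B", "Family")]


def build_db():
    """In-memory stand-in for the MySQL tables (schema constructed here)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE search_log (search_string TEXT, search_result INTEGER, "
                "search_date TEXT, result_category TEXT)")
    con.execute("CREATE TABLE legal_category (code TEXT, name TEXT)")
    con.executemany("INSERT INTO search_log VALUES (?,?,?,?)", SEARCH_LOG)
    con.executemany("INSERT INTO legal_category VALUES (?,?)", LEGAL_CATEGORY)
    return con


# Every column is aliased ("a.field as a_field" from the reply), so result keys
# never contain a '.'; the date range is a bound parameter, never string-spliced.
QUERY = """
SELECT search_log.search_string   AS search_string,
       search_log.search_result   AS search_result,
       search_log.search_date     AS search_date,
       search_log.result_category AS result_category,
       legal_category.name        AS legal_category_name
FROM search_log LEFT JOIN legal_category
  ON search_log.result_category = legal_category.code
WHERE search_log.search_date BETWEEN ? AND ?
ORDER BY search_log.search_date
"""


def search_report(con, begin_date, end_date="2037-01-01"):
    """Return rows as dicts keyed by the aliased names (no 'table.field' keys)."""
    con.row_factory = sqlite3.Row
    rows = con.execute(QUERY, (begin_date, end_date)).fetchall()
    return [dict(r) for r in rows]
```

A quoted-string payload passed as begin_date simply fails the BETWEEN comparison instead of altering the statement, which is the behaviour a ZSQL argument gets from dtml-sqlvar.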




Re: [Zope-dev] RE: objectIds accessiblilty & and a proposal

2000-12-18 Thread Paul Erickson

If it is an issue for XML-RPC users, maybe there should be a
"Traversable" permission on Folder objects that could default to not
allowing web-traversal, but allowing it to be enabled if desired.

Would this affect FTP access to folders?

-Paul


Brian Lloyd wrote:

> 
> This is something that has come up before. I propose
> that the real problem here is that 'objectIds' should
> not be web-traversable.
> 
> I have, in fact, proposed this before. It caused a bit
> of grumbling among people using xml-rpc, who were using
> objectIds remotely, so we never came to closure on it.
> 
> This comes up often enough that I'm inclined to do
> something about it for 2.3. I propose that objectIds
> (and objectValues) will not be directly accessible
> via the Web in 2.3. For xml-rpc applications, it should
> be a simple enough task to create a Python Script (or
> even a DTML Method) that *is* Web accessible to relay
> that information if it is needed.
> 
> Thoughts?
> 
> Brian Lloyd[EMAIL PROTECTED]
> Software Engineer  540.371.6909
> Digital Creations  http://www.digicool.com
> 

-- 
Paul Erickson   | [EMAIL PROTECTED]
Kaivo, Inc. | www.kaivo.com





Re: [Zope-dev] DTML processing variable

2000-11-10 Thread Paul Erickson

If this is your exact code, it looks like you should be using
"sequence-item", instead of "sequence_item".

You should also be able to do it without the external method like this:
(100% untested)


  



"David W. Damon" wrote:
> 
> Hey all,
> 
> I'm having difficulty getting dtml-in to iterate over a list of strings
> returned from an external python method.
> 
> Essentially, I have a string that is comprised of the contents of an HTML text
> area.  I need to split the string into a list of words and iterate over this
> list.
> 
> My external python method is this:
> 
> import string
> 
> def stringSplit( self, theString ):
>   return string.split( theString )
> 
> Heres the pertinent DTML.
> 
> ---
> 
> 
>   
> 
> 
> 
> 
> ---
> 
> If I comment out the dtml-in block, I have a userList variable in the REQUEST
> object that is something like: ['name1', 'name2', 'name3']
> 
> Any ideas?
> 
> -- dave
> 





Re: [Zope-dev] Tag DTML

2000-11-02 Thread Paul Erickson

I think that all you have to do is get your property out of md.

ie:
some_prop=md['some_prop']

> 
> Hello, I have coded my own DTML tag and I want to catch a property of the folder where the DTML code is.
> 
> How can I do this???
> 
> 
> from DocumentTemplate.DT_Util import * # useful parsing methods you'll need
> from DocumentTemplate.DT_String import String # explained later
> 
> class FuenteTag:
> 
>     name = 'fuente'
>     blockContinuations = ()
>     expand = None
> 
>     def __init__(self, blocks):
>         tname, args, section = blocks[0]
>         self.tname = tname
>         self.section = section
>         args = parse_params(args, font='Verdana', size='2')
>         self.args = args
>         self.font = args.get('font', 'Verdana')
>         self.size = args.get('size', '2')
> 
>     def render(self, md):
>         # The HTML markup on this line was lost in the archive; a <font> element
>         # built from the tag's font/size parameters is the evident intent.
>         cadena = '<font face="' + self.font + '" size="' + self.size + '">' + self.section(md) + '</font>'
>         return cadena
> 
>     __call__ = render
> 
> String.commands['fuente'] = FuenteTag
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>  
> Aitor Grajal Crespo
> Director General
> e-mail: [EMAIL PROTECTED]
> 
> INETSYS, S.L.
> ETSI Informática
> Ctra. Colmenar, km. 15,500
> 28049 MADRID
> SPAIN
> Tfno : (34) 91 348 22 66 - Fax : (34) 91 348 22 66
> http://www.inetsysonline.com
>  
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> 
> 






[Zope-dev] Is this a ZClass/Propertysheet bug?

2000-10-06 Thread Paul Erickson

If I delete a property from a ZClass, the property still exists for each
instance of the class (I can do a dtml-var to show it), but it doesn't
show up on the management screens for either the class or the instance.

I cannot add it back with the Properties tab - zope tells me that it is
in use.

New instances of the class do not have the removed property.

I'm using Zope 2.2.2 on Linux.

Is this behavior correct?

-Paul





Re: [Zope-dev] date formatting / extracting substrings

2000-09-07 Thread Paul Erickson

If you've already done some validation and can guarantee that there are
6 characters in the string, you can slice the month out of the string
like this:



or, if you just want to display the month, use this:



-Paul

Jeff Nielsen / Ugo Fast wrote:
> 
> Hello out there in Zope world!
> 
> Again, I'm completely baffled by Zope and the docs are no help either. I'm
> trying to take an input of a date in the form MM as the variable MonthID
> and create a string in the form Month,  as a variable named MonthName.
> For instance, a MonthID of 29 should return a MonthName of "September,
> 2000".
> 
> I've been looking in the docs and the emails, but I can't figure out how to
> extract substrings. I think something like this should work to separate the
> month value from the MonthID, but it doesn't:
> 
> 
> 
> Any guidance would be appreciated.
> 
> -------
> Jeff Nielsen
> http://www.UgoFast.com/
> "Where U Go Fast"
> 
