Re: [Zope-dev] Re: Unsecure design of ExternalFile

2002-11-22 Thread Wei He
On Fri, 8 Nov 2002, Craeg K Strong wrote:

> OK
>
> How about this for the TODO list for ExternalFile:
>

Hope it isn't too late discussing this issue.

I have tested this product and gave up because of
security considerations. And now I have to use
it for large files.

There is another aspect that this discussion so
far has not reached, multi-users, regardless
of what mechanism is going to be used.

Say my Zope system provides virtual hosting
for webmasters (or users in my point of
view) of different websites.

Not all webmasters want their ExternalFile-linked
file to be freely accessed by the public. So what if
a webmaster links a file belonging to another website?

I have an idea, but don't know whether it is possible:
set uid.

If there is a way Zope server can change uid to a predefined
one before accessing an externally linked file, each webmaster
will have permission to their own home directory plus some 
shared directories to which all webmasters have permission.

Then I can create system accounts for each webmaster,
and map them to the Zope users using a product
like SystemUserFolder (is there one?)

And if we also add the 'jail' option (or chroot to the
webmaster's home directory), it will be perfect.

Back one step, even if there is no way to actually change
the uid, we can at least check against it before adding
an external file.

I'm talking about Unix, I think there are equivalent ways
on Windows NT.

BTW, I think a similar product, ZFS, is facing the same
security issue.

Wei He



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
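
The fallback check suggested in the message above (verify the file against the webmaster's system account before adding an ExternalFile link), as an added example that is not from the thread or from the ExternalFile product. `may_link`, the home/shared directory policy and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

def _inside(real, root):
    # commonpath compares whole components, so /home/al does not match /home/alice
    root = os.path.realpath(root)
    return os.path.commonpath([real, root]) == root

def may_link(path, uid, home, shared_roots=()):
    """Decide whether the webmaster mapped to system `uid` may link `path`."""
    real = os.path.realpath(path)  # resolve symlinks and ".." before checking
    if not os.path.isfile(real):
        return False, "not a regular file"
    if any(_inside(real, r) for r in shared_roots):
        return True, "shared directory"
    if not _inside(real, home):
        return False, "outside home and shared directories"
    if os.stat(real).st_uid != uid:
        return False, "owned by another account"
    return True, "own file"

def demo():
    """Constructed sample tree: two webmaster homes plus one shared directory."""
    with tempfile.TemporaryDirectory() as base:
        dirs = {n: os.path.join(base, n) for n in ("alice", "bob", "shared")}
        for name, d in dirs.items():
            os.mkdir(d)
            with open(os.path.join(d, name + ".txt"), "w") as f:
                f.write("data")
        # A symlink inside alice's home that points at bob's file.
        os.symlink(os.path.join(dirs["bob"], "bob.txt"),
                   os.path.join(dirs["alice"], "link.txt"))
        me, home, shared = os.getuid(), dirs["alice"], [dirs["shared"]]
        cases = {
            "own": os.path.join(home, "alice.txt"),
            "other_site": os.path.join(dirs["bob"], "bob.txt"),
            "symlink": os.path.join(home, "link.txt"),
            "dotdot": os.path.join(home, "..", "bob", "bob.txt"),
            "shared": os.path.join(dirs["shared"], "shared.txt"),
        }
        out = {k: may_link(p, me, home, shared) for k, p in cases.items()}
        # Same file, checked for a different (hypothetical) system account.
        out["wrong_uid"] = may_link(cases["own"], me + 1, home, shared)
        return out

if __name__ == "__main__":
    print(demo())
```

The verdict applies to the path as resolved at link time; a symlink can be repointed later, so the same check has to run again when the file is served.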



Re: [Zope-dev] User Module

2002-11-07 Thread Wei He
On Thu, 7 Nov 2002, Karthikeyan wrote:

> Hi All,
>
> I am pretty new to zope. I have been asked to implement a project done
> by me in zope. I had user modules, group modules and some content
> management in my project(php).
>
> Now I need to do all in zope, which I am not aware of. Please tell me what
> to do and where to start. Please give me code for user module if
> possible. I should be able to create users and they should login thru
> the login page to enter the site and view the contents. I am running out
> of time to give my first module. Please help me out.

I think many people on this list don't agree with me, but I'll give you
this advice, according to my experience:

Give up. 

I have been an experienced programmer for 10+ years. And 5 months have
passed since I started to learn Zope, and I haven't started a single line of
code to migrate my project from PHP to Zope, besides doing some small
projects for testing.

Not because I don't know how to start, it is because Zope isn't such
a tool that you can expect to KNOW about it in a very short time.
To me, it is a completely different concept.

I think I can understand your situation when you even post the message
to the zope-dev list. So my advice is, if there are any alternative
choices, finish the project asap and sit down to learn Zope without any
pressure.

Wei He








[Zope-dev] Taking over PHParser

2002-09-18 Thread Wei He

Hi,

I've seen your announcement. Too bad you quit. :)
But to me, the mission integrating PHP and Zope never seems to 
finish. Especially when Zend 2's coming out. I would 
expect to see someday a product like Script(PHP) to appear.

Anyway, I would like to take over PHParser under the
same name. And publish the patches I sent you over the past few days.

Can you or someone give me some ideas, according to previous
like instances, how to do that: Create a new member/product space
or just simply use your existing one?

Thanks for your product again.

Best,

Wei He






Re: [Zope-dev] Last-modified and bobobase_modification_time

2002-06-18 Thread Wei He

On Tue, 18 Jun 2002, Dieter Maurer wrote:

> Wei He writes:
>  > ...
>  > 2. From the website developers' point of view, there are already many
>  > guidelines on how to create a good webpage. Among them are using the HTTP
>  > Last-modification header to take the advantages of client cache.
> I think you overestimate the importance of accurate Last-Modified
> headers.
>

Perhaps. But I think Etag, If-Modified-Since or whatever headers only
make sense to a cache server that is designed to use these values, not
for a generic one or the end users' browser clients. And the last one is
the real place where caching-related headers make sense.

If I understand correctly, the Expires header can only give the
client an impression of how often a page is updated.

> I would use Expires and Cache-Control for cache control.
>
Only when you want to disable the cache function, can these two headers be 
useful. 

Wei He






Re: [Zope-dev] Last-modified and bobobase_modification_time

2002-06-16 Thread Wei He

On Sun, 16 Jun 2002, Chris Withers wrote:

> > > BTW: This list is for development *of* Zope, the [EMAIL PROTECTED] list is
> > > better for questions about developing *with* Zope.
> > >
> > Thanks for your codes indeed. I posted it here because I thought only
> > people who have high developing skill care about whether their web
> > pages are up-to-date to their readers and so care about the HTTP Last-modified
> > header.
> >
> Why do you think that? Surely all zope users will care about this? ;-)
> Besides, that's not the point, re-read Casey's email more carefully...
>

I don't think so. Quite often a user has to click CTRL and the
refresh button to get the up-to-date page. This is because the
Last-modified header is not properly set. If DTML doesn't care about the
modification time of its code segments, it will definitely return the
template's modification time although the contents keep on changing.

My conclusion is that if DTML doesn't do this or doesn't provide a simple
way to do that, Zope may not care about the header at all. So dynamic webpage
authors with basic skill could never control it. Only people who have developing
skill may do. Am I right?

Here is Casey's email:

> There is no automatic way in which DTML can do this for you. This is
> simply because <dtml-var foo> doesn't tell Zope what foo is. Is it a

No matter what foo is, there is surely a last modification time of foo.
If it is a document, that's easy. If it is a script, there should be a
method like self.setLastModificationTime(scriptTime). This method should
decide if scriptTime is newer than DTML document's own update time and set
it if so. Then it's up to the script writer to call the method with the
current time if he/she wants to disable browser's caching function.

> document or a script that returns something different every time it is
> called or something else? In fact foo might be different things at
> different times, if you acquire the template into different contexts.

What stops the main DTML document from knowing the last modification time 
of foo? 

In fact, Casey's script is just a workaround. Script writers should
manually create a list containing all code segments he/she dtml-vared.
(Sorry for using this phrase to express my disagreement on choosing
dtml-var against dtml-include). It's a boring task if there are many
nested code segments included.

I'm a PHP user for several years and I'm trying to migrate part of my
projects to Zope. Changing from PHP to DTML/Python is not a big deal.
But I'm so used to the easy environment PHP provides coders.

Wei He






Re: [Zope-dev] Last-modified and bobobase_modification_time

2002-06-15 Thread Wei He

On 14 Jun 2002, Casey Duncan wrote:

> BTW: This list is for development *of* Zope, the [EMAIL PROTECTED] list is
> better for questions about developing *with* Zope.
>
Thanks for your codes indeed. I posted it here because I thought only
people who have high developing skill care about whether their web
pages are up-to-date to their readers and so care about the HTTP Last-modified
header. And why don't you think this issue is not for Zope developers?
Doesn't Zope care about readers getting the accurate information?

Although I'm new to Zope, I'm not new to mailing lists. I know the
mailing list rule but I just don't agree with your classification of my
question.

I'll post the next develop-with-zope issue to that list.

> There is no automatic way in which DTML can do this for you. This is
> simply because <dtml-var foo> doesn't tell Zope what foo is. Is it a
> document or a script that returns something different every time it is
> called or something else? In fact foo might be different things at
> different times, if you acquire the template into different contexts.

I think it isn't a bad thing DTML doing this for me. At least the
Last-modified header can reflect the template modification time.

Wei He









[Zope-dev] Last-modified and bobobase_modification_time

2002-06-13 Thread Wei He

Hi all,

Say you have 1_html with only one line:
<dtml-var 2_html>

When you HEAD http://xxx/1_html, you get Last-Modified reflecting only
the last modification time of 1_html, while most people are expecting it
to be the newer one of 1_html and 2_html.

Does anyone know of a workaround like using the max() of
bobobase_modification_time().timeTime() on the document itself
and all the components it dtml-vared?

Forgive my using of non-Zope terms, for I'm new to Zope/Python.

Wei He
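
The workaround asked about above (take the newest modification time of the document and everything it includes), as an added example rather than code from the thread or from Zope. The `PAGES` table is constructed sample data standing in for `bobobase_modification_time().timeTime()` values, and `effective_mtime` and `respond` are hypothetical names.

```python
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample: name -> (mtime in epoch seconds, names it dtml-vars)
PAGES = {
    "1_html": (1023900000, ["2_html"]),
    "2_html": (1023990000, ["footer"]),
    "footer": (1023800000, ["1_html"]),  # deliberate include cycle
}


def effective_mtime(name, pages, seen=None):
    """Newest mtime of `name` and everything it includes, transitively."""
    seen = set() if seen is None else seen
    if name in seen or name not in pages:
        return 0  # already counted, or unknown component
    seen.add(name)
    mtime, includes = pages[name]
    return max([mtime] + [effective_mtime(i, pages, seen) for i in includes])


def respond(name, pages, if_modified_since=None):
    """Return (status, headers) for a GET/HEAD, honouring If-Modified-Since."""
    newest = effective_mtime(name, pages)
    headers = {"Last-Modified": formatdate(newest, usegmt=True)}
    if if_modified_since:
        try:
            since = parsedate_to_datetime(if_modified_since).timestamp()
        except (TypeError, ValueError):
            since = None  # unparsable header: serve the full page
        if since is not None and newest <= since:
            return 304, headers
    return 200, headers


if __name__ == "__main__":
    print(respond("1_html", PAGES))
```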






Re: [Zope-dev] Zope logic

2002-05-30 Thread Wei He

On Thu, 30 May 2002, Chris Withers wrote:

> > People will be really confused to see such results:
> >
> > http://www.zope.org/Documentation/ZopeBook/Documentation
> > http://www.zope.org/Images
>
> Why would they see such URLs?

Normally would not. But if I know such a site is managed by Zope, I can
easily find such a URL with dead loops. I don't know how search engines
like Google handle this situation, at least it will cause unnecessary
traffic to the site once a bad guy just simply publishes the URL on their
own page.

I'm a little bit new to Zope. I don't yet have a lot of my own objects
created under Zope. But I think there might be some objects like
methods or scripts that are URL-sensitive. It will add lots of
tasks to the script itself to filter off unexpected request URLs to avoid
generating errors that may turn into security holes.

 
> > Is there a way to set up an object to be uninheritable or as private to
> > avoid this logic? Or maybe we should work out a way to do so.
>
> If you're interested, take a look at Zope 3. However, in your case, you probably
> need to worry more about why you're generating URLs like the ones above rather
> than the fact that it is possible to do so.

Hackers everywhere. :)

Wei He






Re: [Zope-dev] Re: Zope logic

2002-05-30 Thread Wei He

On Thu, 30 May 2002, Andy McKay wrote:

> > Looking at the zope.org logs, I once saw GoogleBot generate URLs like
> > this to zope.org of 1000 characters or more.
>
> Teehee, Googlebot once hit ZopeZen for about 3 days in a continuous loop. Just
> use absolute_urls. Always. It's one of Zope's golden rules.
>
> Mind you I've abused acquisition a few times, it comes in
> useful to be able to have a different / shorter url point to the same object...
>

I just wonder whether it's possible to add an attribute, say
'inheritable', so that everyone will be happy.

I think only then it can be called a 'feature'. Otherwise an obtrusion.

Wei He






[Zope-dev] Zope logic

2002-05-29 Thread Wei He

Hi all,

I have tried Zope for a week and found a logic problem.

An object (say index_html) is inherited by child objects of the site say 
Document to make http://www.domain.com/Document share the upper 
level index_html. This sounds good but actually not I think.

People will be really confused to see such results:

http://www.zope.org/Documentation/ZopeBook/Documentation
http://www.zope.org/Images

Is there a way to set up an object to be uninheritable or as private to
avoid this logic? Or maybe we should work out a way to do so.

Wei He


