Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire.

I hope you're making sure the "secure" bit is set on those cookies ;-)

> My aim is security with a good level of usability and I'll achieve that :-)

Considering you can't even quote a response correctly, I somehow doubt that...

>>> I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
>>
>> using iptables in the box is probably a better idea...
>
> thanks for the advice but I'll probably go with router level

Fine, don't take our advice, but don't expect help either...

> works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.

Sheesh, sorry, but I've come to the conclusion you're just trolling and so won't be wasting my time with any more of your posts...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
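An added example for the "secure bit" and "cookies set to expire" points above; it is not code from Zope, Plone or any poster. It builds a login cookie header with the Secure and HttpOnly flags and a bounded Max-Age, and audits any Set-Cookie value for those attributes. The cookie name `__ac` is an assumed stand-in for the site's real login cookie.

```python
from http.cookies import SimpleCookie

# Constructed example: "__ac" stands in for whatever the site's login
# cookie is actually called.
COOKIE_NAME = "__ac"


def make_session_cookie(name: str, value: str, max_age: int) -> str:
    """Return a Set-Cookie header value for a login cookie that is only
    sent over TLS, is hidden from page scripts and expires after
    max_age seconds (the thread's "cookies set to expire")."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["max-age"] = max_age   # bounded lifetime instead of a long-lived cookie
    morsel["secure"] = True       # the "secure bit": never sent over plain http
    morsel["httponly"] = True     # not readable through document.cookie
    return morsel.OutputString()


def audit_set_cookie(header_value: str, max_lifetime: int = 8 * 3600) -> list:
    """Inspect one Set-Cookie header value, as a proxy or a test would
    see it, and return a list of findings. An empty list means every
    attribute this check looks for is present and the lifetime does not
    exceed max_lifetime seconds."""
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {}
    for part in parts[1:]:              # parts[0] is the name=value pair
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain http")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            findings.append("Max-Age is not an integer")
        else:
            if lifetime > max_lifetime:
                findings.append(
                    f"long-lived cookie: Max-Age={lifetime}s exceeds {max_lifetime}s")
    elif "expires" not in attrs:
        findings.append("no Max-Age/Expires: lifetime is left to the browser session")
    return findings


if __name__ == "__main__":
    header = make_session_cookie(COOKIE_NAME, "constructed-token", 1800)
    print(header)
    print(audit_set_cookie(header) or "no findings")
    # A cookie as it would look with neither flag and no expiry:
    print(audit_set_cookie("__ac=constructed-token; Path=/"))
```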
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
I agree. A little bit of a problem is that both the Zope 2 Book and the ZMI do not seem to agree. I guess it was/is not the practice that Zope 2 developers endorsed/followed. But "Zope2 is beyond help" (C) Chris M., (taken out of context by me :-))

Florent Guillaume wrote:
> Michael Vartanyan wrote:
>> I guess changing the form method to GET is not going to be liked by browsers that put additional restrictions on URL length. So I would propose to introduce a basic request sanity check in the manage_changePermissions itself. I cannot think of any use for resetting all permissions and acquisition for everyone, so the easiest way to do that is to simply check that at least something exists in the form:
>
> Actually the proper way to do it, and for exactly the reasons you outlined above, is to always do a redirect to a "result page" url after a POST that has side effects. It's even mandated by the HTTP/HTML specs.
>
> Florent
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Michael Vartanyan wrote:
> In the very beginning of my Zope career, I once "shot myself in the foot" with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue.
>
> If you use the famous manage_access page with all the checkboxes to set permissions on an object, it then calls manage_changePermissions using the POST method to apply your settings. The result is that http://your_object_url/manage_changePermissions (without any parameters) stays in your browser visited url history. Now imagine what happens if you click this url by mistake while being logged in as someone with "Change permissions" permission.
>
> I guess changing the form method to GET is not going to be liked by browsers that put additional restrictions on URL length. So I would propose to introduce a basic request sanity check in the manage_changePermissions itself. I cannot think of any use for resetting all permissions and acquisition for everyone, so the easiest way to do that is to simply check that at least something exists in the form:
>
>     ...
>     def manage_changePermissions(self, REQUEST):
>         """Change all permissions settings, called by management screen.
>         """
> >>      if len(REQUEST.form)<2: raise ...
>         self._isBeingUsedAsAMethod(REQUEST, 0)
>         valid_roles=self.valid_roles()
>         indexes=range(len(valid_roles))
>         have=REQUEST.has_key
>         permissions=self.ac_inherited_permissions(1)
>         fails = []
>     ...
>
> or something like that.

Actually the proper way to do it, and for exactly the reasons you outlined above, is to always do a redirect to a "result page" url after a POST that has side effects. It's even mandated by the HTTP/HTML specs.

Florent

--
Florent Guillaume, Nuxeo (Paris, France) Director of R&D
+33 1 40 33 71 59 http://nuxeo.com [EMAIL PROTECTED]
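An added, self-contained model of the two fixes discussed in this exchange, the request sanity check Michael Vartanyan sketches and the redirect-after-POST that Florent recommends; it is not Zope's own Role.py. The Request/Response objects, the permission and role lists, and the form field naming (`p<i>r<j>` for a permission/role checkbox, `a<i>` for "acquire") are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field


class BadRequest(Exception):
    """Raised for a request that carries no permission settings at all."""


@dataclass
class Request:
    method: str
    url: str                      # URL of the object being edited
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)

    def redirect(self, location: str, status: int = 303) -> None:
        # 303 See Other makes the browser fetch the result page with GET,
        # so the mutating URL is neither shown nor re-submitted later.
        self.status = status
        self.headers["Location"] = location


# Assumed checkbox naming: p<permission index>r<role index>, a<permission index>
FIELD_RE = re.compile(r"p\d+r\d+|a\d+")


class Folder:
    """Toy stand-in for a Zope object with a permission map."""
    PERMISSIONS = ["View", "Change permissions"]   # constructed sample
    ROLES = ["Anonymous", "Manager"]               # constructed sample

    def __init__(self) -> None:
        # permission -> (acquire?, roles granted); non-empty so that an
        # accidental reset would be observable
        self.settings = {
            "View": (True, {"Anonymous", "Manager"}),
            "Change permissions": (False, {"Manager"}),
        }

    def manage_changePermissions(self, request: Request, response: Response) -> dict:
        # 1. Sanity check: a bare GET replayed from the history list, or a
        #    POST without a single checkbox, must not silently reset every
        #    permission and acquisition flag.
        if request.method != "POST":
            raise BadRequest("permission changes must be submitted with POST")
        if not any(FIELD_RE.fullmatch(key) for key in request.form):
            raise BadRequest("no permission settings in form; refusing to reset")

        # 2. Apply exactly what the form carries.
        new_settings = {}
        for ip, perm in enumerate(self.PERMISSIONS):
            acquire = f"a{ip}" in request.form
            roles = {role for ir, role in enumerate(self.ROLES)
                     if f"p{ip}r{ir}" in request.form}
            new_settings[perm] = (acquire, roles)
        self.settings = new_settings

        # 3. Redirect to the result page, so the browser history holds
        #    .../manage_access rather than the side-effecting URL.
        response.redirect(request.url + "/manage_access")
        return self.settings


if __name__ == "__main__":
    folder = Folder()
    resp = Response()
    form = {"p0r1": "on", "p1r1": "on", "a0": "on", "submit": "Save Changes"}
    print(folder.manage_changePermissions(
        Request("POST", "http://example.test/folder", form), resp))
    print(resp.status, resp.headers["Location"])
```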
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
> I am sure you know this, but since we have learned very little (or at least I have - maybe I am not paying attention well enough :-):
>
> Have you modified that rule to take advantage of the SSL server? Perhaps the SiteAccess rule is triggering and trying to redirect you to an address/port where there is no service listening?

No I haven't modified anything apart from upgrading Apache, installing and configuring SSL, doing VirtualHost rules and then locking down Plone using the 'private site' documentation. Why would Firefox 1.5.1 work perfectly and be able to edit pages and upload images? As I've said I know of more issues with IE and posting attachments through a private contact on this list. Doesn't seem like a coincidence to me.

At least you've learned that :-)

On 2/14/06, Dario Lopez-Kästen <[EMAIL PROTECTED]> wrote:
> Alexander Limi said the following on 2006-02-14 14:05:
>> On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen <[EMAIL PROTECTED]> wrote:
>>> *HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
>>
>> http://plone.org/documentation/faq/multiple-sites-installers
>>
>> What part is not documented at all? :)
>
> ähh... woopsy-daisy! my mistake. Sorry! 8^)
>
> /dario - crawls back under a rock... ;)
>
> ---
> Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
> Lyrics applied to programming & application design:
> "emancipate yourself from mental slavery" - redemption song, b. marley

--
Michael
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Alexander Limi said the following on 2006-02-14 14:05:
> On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen <[EMAIL PROTECTED]> wrote:
>> *HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.
>
> http://plone.org/documentation/faq/multiple-sites-installers
>
> What part is not documented at all? :)

ähh... woopsy-daisy! my mistake. Sorry! 8^)

/dario - crawls back under a rock... ;)

--
---
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design:
"emancipate yourself from mental slavery" - redemption song, b. marley
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne said the following on 2006-02-14 12:30:
>>> As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.
>>
>> I doubt it, my guess would still be that you're doing something wrong somewhere...
>
> Sorry but I don't agree on this one. I haven't altered any of the Plone 'edit page' functionality. It's out of the box. Works fine without SSL but on SSL trying to edit a page causes 'can't find server'. Firefox though works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.

This part is *only* about setting up the servers, apache and zope in this context, properly. There is nothing in Zope that works differently when serving over ssl or not. SSL is just a transport layer, so it does *not* affect zope-capabilities in any way.

I am sure you know this, but since we have learned very little (or at least I have - maybe I am not paying attention well enough :-):

*HOWEVER*, IIRC, plone, especially on windows (if installed with the windows installer) uses a trick, which is not documented at all, as far as I know, uses a Site Access rule.

Have you modified that rule to take advantage of the SSL server? Perhaps the SiteAccess rule is triggering and trying to redirect you to an address/port where there is no service listening?

/dario

--
---
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design:
"emancipate yourself from mental slavery" - redemption song, b. marley
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
>> Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache based login.
>
> Huh? I'm sure some people would love to know how those two things relate in your head...

I wanted to use an Apache served login box before the Zope/Plone site is served but I've decided against that now as authentication should be closely linked to the application. Also Apache based authentication isn't cookie based. Now going with Zope/Plone auth over SSL alone with cookies set to expire.

>> I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
>
> If you're lucky, you might get a system that's both insecure _and_ unusable ;-)

My aim is security with a good level of usability and I'll achieve that :-)

>> I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
>
> using iptables in the box is probably a better idea...

thanks for the advice but I'll probably go with router level

>> As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.
>
> I doubt it, my guess would still be that you're doing something wrong somewhere...

Sorry but I don't agree on this one. I haven't altered any of the Plone 'edit page' functionality. It's out of the box. Works fine without SSL but on SSL trying to edit a page causes 'can't find server'. Firefox though works perfectly viewing and editing so it's a browser issue. I know of other people who have issues with IE and posting images over SSL. Must be something to do with POST security over IE. I'm going to take it up with them but don't expect too much of a response. I'm now about to try with Opera.

On 2/14/06, Igor Stroh <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
>> Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
>>
>> I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.
>
> No need to do that, just configure your zope (etc/zope.conf) to listen only on your loopback interface:
>
>     address 127.0.0.1:8080
>
> And btw, Zope doesn't *need* to serve on 8080...
>
> HTH,
> Igor

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.
>
> I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.

No need to do that, just configure your zope (etc/zope.conf) to listen only on your loopback interface:

    address 127.0.0.1:8080

And btw, Zope doesn't *need* to serve on 8080...

HTH,
Igor
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Dario Lopez-Kästen wrote:
> Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SimpleUserFolder with sessioning on the zeo server to get it secure enough (it is actually a trade off from what I would have liked to have in the first place, but it works ok).

I know from personal experience that using sessions for this kind of information doesn't necessarily scale very well... check for conflict errors in your event log ;-)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache based login.

Huh? I'm sure some people would love to know how those two things relate in your head...

> I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.

If you're lucky, you might get a system that's both insecure _and_ unusable ;-)

> I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.

using iptables in the box is probably a better idea...

> As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now.

I doubt it, my guess would still be that you're doing something wrong somewhere...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Chris Withers said the following on 2006-02-12 15:27:
> Given your earlier paranoia about security

uh, us security nerds^H^H^H^H^H^H folks-who-have-a-strong-interest-in-security, actually prefer to call it "eagerness". "Paranoia" has such a negative timbre, don't you think? :-)

Nevertheless, it is not simple to implement proper security with cookie-based logins. I had to make my own hacked version of SimpleUserFolder with sessioning on the zeo server to get it secure enough (it is actually a trade off from what I would have liked to have in the first place, but it works ok).

Cheers,

/dario

--
---
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design:
"emancipate yourself from mental slavery" - redemption song, b. marley
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Yes, I do realise that it's hard. Regarding the cookie comment that was the reason I wanted to use Apache based login. I do realise that leaving a logon cookie is insecure and that comment was perhaps misguided. I started to think about usability etc.

I'm going to block 8080 at the router/firewall level as Zope obviously needs to keep serving through 8080 to Apache.

As for the issue with IE6 and editing pages over SSL it all works fine in Firefox 1.5, so it's a browser issue which I just can't quite fathom just now. Annoying as all the users are on IE. Unless I use that as an excuse for them all to get a better browser..

Thanks for the comments

Michael

On 2/12/06, Chris Withers <[EMAIL PROTECTED]> wrote:
> michael nt milne wrote:
>> Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL.
>
> Anything not over SSL should be blocked, not redirected, given your earlier paranoia...
>
>> However on my main server where I have other sites I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though you'd basically need to make a whole site go over SSL and just implementing that on the login areas isn't worth it?
>
> Correct. Also, don't turn SSL into a panacea. Security is hard. Very hard. I'm not sure you understand that yet...
>
>> I still have an issue with IE6 over SSL where trying to create new pages or edit content, produces a server not found and the padlock disappears.
>
> Look at where the form action points to, I suspect you haven't correctly configured your virtual hosting stuff in Apache and/or Zope.
>
> cheers,
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
> - http://www.simplistix.co.uk

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL.

Anything not over SSL should be blocked, not redirected, given your earlier paranoia...

> However on my main server where I have other sites I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though you'd basically need to make a whole site go over SSL and just implementing that on the login areas isn't worth it?

Correct. Also, don't turn SSL into a panacea. Security is hard. Very hard. I'm not sure you understand that yet...

> I still have an issue with IE6 over SSL where trying to create new pages or edit content, produces a server not found and the padlock disappears.

Look at where the form action points to, I suspect you haven't correctly configured your virtual hosting stuff in Apache and/or Zope.

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
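An added configuration sketch for the two server-side points raised in this thread, Igor's advice to bind Zope to the loopback interface and Chris's hint that the form action exposes a virtual-hosting mistake; it is not configuration from any poster. The hostname extranet.example.test, the Plone site id plone and the certificate paths are assumed placeholders, and mod_ssl, mod_rewrite and mod_proxy are assumed to be loaded.

```apache
# ---- etc/zope.conf (Zope side) ----
# Bind Zope's own HTTP server to loopback only: port 8080 is then
# reachable by the local Apache and by nothing else on the network,
# with no router or iptables rule needed.
<http-server>
  address 127.0.0.1:8080
</http-server>

# ---- Apache side ----
# Only the TLS virtual host is defined, so plain http is simply not
# served rather than redirected.
<VirtualHost *:443>
    # assumed hostname and placeholder certificate paths
    ServerName extranet.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/extranet.pem
    SSLCertificateKeyFile /etc/ssl/private/extranet.key

    RewriteEngine On
    # Hand every request to Zope through the Virtual Host Monster. The
    # "https" scheme and ":443" in the VirtualHostBase path are what tell
    # Zope to build its absolute URLs, form actions included, as
    # https://extranet.example.test/... instead of http://127.0.0.1:8080/...
    # A wrong scheme or port here produces forms that post to an address
    # the browser cannot reach. "plone" is the assumed Plone site id.
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/extranet.example.test:443/plone/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

After restarting both servers, view the source of an edit form served over https and confirm its action attribute starts with https://extranet.example.test/ and carries no :8080.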
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.

Given your earlier paranoia about security, this is a truly bizarre paragraph; you're so worried about basic auth that you didn't want to use it, and yet you're quite happy to have a cookie living on a user's machine long term, and still leave port 8080 exposed? wow...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Thanks

"It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated."

Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL. However on my main server where I have other sites I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though you'd basically need to make a whole site go over SSL and just implementing that on the login areas isn't worth it?

I still have an issue with IE6 over SSL where trying to create new pages or edit content, produces a server not found and the padlock disappears. I have TLS 1.0 and SSL 2.3, 3.0 selected in advanced. IE 6.02. Firefox 1.5 (predictably..) works fine but I don't want to have to get all my users to install it even though I'd like to :-)

On 2/11/06, Philip Kilner <[EMAIL PROTECTED]> wrote:
> Hi Michael,
>
> michael nt milne wrote:
>> I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.
>
> Since neither of those counts as "content" as such, I think that that is legitimate and as you say, you can work around those if it matters to you (In cases where I've wanted to work around such things, I've simply called a script that redirects with an error message if the appropriate conditions aren't met.)
>
>> Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.
>
> Agreed. Apache does a great job of managing the SSL, securing the data over public wires, but that's a 100% generic task whereas the authentication is tightly bound to your application.
>
> It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated.
>
>> I'm revisiting some of the points made in this thread though about security. It does seem that Zope and Plone as you say, are at odds on this.
>
> Because Zope is an application server, it has to expose its mechanism - Plone has an easier job because it has a specific task to do (e.g. manage content), and so can take an approach which is much simpler to fly. In Plone, always do things the Plone way - working at the Zope level may potentially subvert Plone's mechanisms for achieving things.
>
> --
> Regards,
>
> PhilK
>
> Email: [EMAIL PROTECTED]
> PGP Public key: http://www.xfr.co.uk
> Voicemail & Facsimile: 07092 070518
>
> "You'll find that one part's sweet and one part's tart:
> say where the sweetness and the sourness start."
> - Tony Harrison

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi Michael,

michael nt milne wrote:
> I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.

Since neither of those counts as "content" as such, I think that that is legitimate and as you say, you can work around those if it matters to you (In cases where I've wanted to work around such things, I've simply called a script that redirects with an error message if the appropriate conditions aren't met.)

> Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.

Agreed. Apache does a great job of managing the SSL, securing the data over public wires, but that's a 100% generic task whereas the authentication is tightly bound to your application.

It's worth bearing in mind that those credentials are passed over the wire with every page, so you need your sessions to /stay/ in SSL mode once authenticated.

> I'm revisiting some of the points made in this thread though about security. It does seem that Zope and Plone as you say, are at odds on this.

Because Zope is an application server, it has to expose its mechanism - Plone has an easier job because it has a specific task to do (e.g. manage content), and so can take an approach which is much simpler to fly. In Plone, always do things the Plone way - working at the Zope level may potentially subvert Plone's mechanisms for achieving things.

--
Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Scratch that, looking more closely at the thread it looks like you followed the "make site private" documentation and it worked.

Peace,
George
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne <[EMAIL PROTECTED]> writes:
> Hi
>
> I have major problems here trying to set-up authentication over a whole Plone site using Zope.

I'm not going to get involved in the large Zope security discussion but I will post an additional something to plone-users in reply to the more narrow problem. If you want additional help with it there, we'll need more details and debugging from you. I usually like to help folks figure out bugs because it's a nice problem solving stint, but I can't do much without more info.

Peace,
George
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi Phil

I've implemented what's outlined in the make private site documentation and it works fine on Plone 2.1.1. No content is available apart from the site-map page (doesn't list content) and the contact form but I can figure that out separately.

Yes I think I like the HTML login page way to authenticate. It feels more usable. And I don't think I'll use an Apache login box at all. Most users will find it hard remembering one password and with cookie authentication over SSL you can go straight into the site. Brilliant.

I'm revisiting some of the points made in this thread though about security. It does seem that Zope and Plone as you say, are at odds on this.

Thanks a lot for your help and words of advice. I still seem to have an issue where editing a page in IE over SSL produces a 'can't find server' but it's a browser issue as this works fine on the latest Firefox.

Michael

On 2/11/06, Philip Kilner <[EMAIL PROTECTED]> wrote:
> Hi Michael,
>
> michael nt milne wrote:
>> Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before?
>
> Yes, it was public before.
>
> Have you tried this, and does it solve your problems? JCC is spot on when he points to workflow as being the basis of security in Plone - it's also worth saying that the Zope system and the Plone system are pretty much at odds with one another. You are more likely to make mistakes at the Zope level than to do what you intend.
>
> (If you try the "howto", don't overlook that last step - hitting the "update security settings" button. Managed to overlook this myself recently (despite it being the umpteenth time I've followed this howto), and spent hours thinking that something more exotic was going on!)
>
> Let us know how you get on...
>
> --
> Regards,
>
> PhilK
>
> Email: [EMAIL PROTECTED]
> PGP Public key: http://www.xfr.co.uk
> Voicemail & Facsimile: 07092 070518
>
> "You'll find that one part's sweet and one part's tart:
> say where the sweetness and the sourness start."
> - Tony Harrison

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi Michael,

michael nt milne wrote:
> Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before?

Yes, it was public before.

Have you tried this, and does it solve your problems? JCC is spot on when he points to workflow as being the basis of security in Plone - it's also worth saying that the Zope system and the Plone system are pretty much at odds with one another. You are more likely to make mistakes at the Zope level than to do what you intend.

(If you try the "howto", don't overlook that last step - hitting the "update security settings" button. Managed to overlook this myself recently (despite it being the umpteenth time I've followed this howto), and spent hours thinking that something more exotic was going on!)

Let us know how you get on...

--
Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Yes I found that as well but picked it up from the Google cache. Strange that it is available there as it's password protected. Possibly it was public before?

On 2/11/06, Philip Kilner <[EMAIL PROTECTED]> wrote:
> Hi Again,
>
> Re. "Private Plone Site" Howto
>
> Philip Kilner wrote:
> > It's still there, still works - and is very likely what Michael wants.
> >
>
> I'm an idiot - should have checked, knowing that there was a
> documentation sprint last weekend. It was at: -
>
> http://plone.org/documentation/how-to/creating-private-plone-site/howto_view
>
> ...but I get a login prompt at that URL now.
>
> Has this how to been pulled because flawed, or is it just missing?
>
> I've used it in numerous places, so I'd be interested to know either way!
>
>
> --
>
> Regards,
>
> PhilK
>
> Email: [EMAIL PROTECTED]
> PGP Public key: http://www.xfr.co.uk
> Voicemail & Facsimile: 07092 070518
>
> "You'll find that one part's sweet and one part's tart:
> say where the sweetness and the sourness start."
> - Tony Harrison
>

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi Again,

Re. "Private Plone Site" Howto

Philip Kilner wrote:
> It's still there, still works - and is very likely what Michael wants.
>

I'm an idiot - should have checked, knowing that there was a documentation sprint last weekend. It was at: -

http://plone.org/documentation/how-to/creating-private-plone-site/howto_view

...but I get a login prompt at that URL now.

Has this how to been pulled because flawed, or is it just missing?

I've used it in numerous places, so I'd be interested to know either way!

--
Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi,

J Cameron Cooper wrote:
> Also, as I recall, there was a "private plone site" howto on plone.org;
> dunno what happened to it.
>

It's still there, still works - and is very likely what Michael wants.

--
Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
In the very beginning of my Zope career, I once "shot myself in the foot" with a very stupid thing... I kept it to myself then but if we are talking about Zope security settings and usability of the ZMI at the same time, perhaps it is an ideal place to raise this issue.

If you use the famous manage_access page with all the checkboxes to set permissions on an object, it then calls manage_changePermissions using the POST method to apply your settings. The result is that http://your_object_url/manage_changePermissions (without any parameters) stays in your browser visited url history. Now imagine what happens if you click this url by mistake being logged in as someone with "Change permissions" permission.

I guess changing the form method to GET is not going to be liked by browsers that put additional restrictions on URL length. So I would propose to introduce a basic request sanity check in the manage_changePermissions itself. I cannot think of any use for resetting all permissions and acquisition for everyone, so the easiest way to do that is to simply check that at least something exists in the form:

...
    def manage_changePermissions(self, REQUEST):
        """Change all permissions settings, called by management screen.
        """
>>      if len(REQUEST.form)<2: raise ...
        self._isBeingUsedAsAMethod(REQUEST, 0)
        valid_roles=self.valid_roles()
        indexes=range(len(valid_roles))
        have=REQUEST.has_key
        permissions=self.ac_inherited_permissions(1)
        fails = []
...

or something like that.

J Cameron Cooper wrote:
> michael nt milne wrote:
>> Well I said it was over and out but I have to respond to this latest post.
>> I appreciate the help here and will be trying out some of the suggestions.
>> Basically though, Zope permissions and security could be made a lot more
>> usable. It's far too technically focused and this is the opinion of a few
>> others as well. The whole ZMI interface could be put through a usability
>> re-design to be honest and that's not even to contemplate the security areas.
>
> The ZMI is well known to be geeky. "For developers, by developers" might be
> its motto. If you have some concrete suggestions, by all means put them
> forth. Patches are even better.
>
> Anyway, ACLs are ACLs. And if you don't know what you're doing, you can get
> into trouble real fast. Ever tried managing file security on a Windows
> machine with ACLs?
>
> CMF (this includes Plone) provides a way to manage this complexity: workflow
> states. Each workflow has a set of permissions it manages, and a setting of
> these for each state. This is much more easily comprehended than infinite
> fiddling with the ZMI Security tab.
>
> Also, as I recall, there was a "private plone site" howto on plone.org;
> dunno what happened to it.
>
> --jcc
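As an added example (not Zope's own code, nor the poster's), a small Python model of the failure mode described in that post next to the proposed sanity check, so the two behaviours can be compared on the same input. It assumes the ZMI form encodes the checkboxes as p<i>r<j> (role j for permission i) and a<i> (acquire for permission i), mirroring the have(...) lookups in the snippet above; Request and PermissionSettings are hypothetical stand-ins for Zope's REQUEST and the object being edited, and the method check goes beyond what the post proposes.

```python
from dataclasses import dataclass, field


class RequestSanityError(Exception):
    """Raised when a state-changing request cannot be a real form submission."""


@dataclass
class Request:
    """Hypothetical stand-in for Zope's REQUEST: HTTP method plus parsed form."""
    method: str
    form: dict = field(default_factory=dict)


@dataclass
class PermissionSettings:
    """Hypothetical stand-in for the object whose Security tab is edited.

    settings maps permission name -> (roles granted locally, acquire flag).
    """
    roles: list
    permissions: list
    settings: dict = field(init=False)

    def __post_init__(self):
        # Constructed starting state: nothing granted locally, everything acquired.
        self.settings = {p: (frozenset(), True) for p in self.permissions}

    def _apply(self, form):
        # Mirrors the loop in the post: key p<i>r<j> present means role j is
        # checked for permission i, key a<i> present means "acquire" is checked.
        # An absent key is an unchecked box, so an empty form unchecks everything.
        for ip, perm in enumerate(self.permissions):
            granted = frozenset(
                role for ir, role in enumerate(self.roles)
                if "p%dr%d" % (ip, ir) in form
            )
            acquire = ("a%d" % ip) in form
            self.settings[perm] = (granted, acquire)

    def manage_changePermissions_unchecked(self, request):
        """Behaviour described in the post: any request counts as a full submission."""
        self._apply(request.form)

    def manage_changePermissions(self, request):
        """With the proposed sanity check, plus a method check that the post does not have."""
        if request.method != "POST":
            raise RequestSanityError("permission changes must be POSTed")
        if len(request.form) < 2:
            raise RequestSanityError("empty form: refusing to reset all permissions")
        self._apply(request.form)


def demo():
    """Apply a real submission, then replay the bare URL against both variants."""
    roles = ["Manager", "Member", "Anonymous"]
    permissions = ["View", "Modify portal content", "Change permissions"]
    # Constructed submission from the Security tab: View for Manager+Member (not
    # acquired), Modify for Manager (acquired), Change permissions for Manager only.
    submission = Request("POST", {"p0r0": "on", "p0r1": "on",
                                  "p1r0": "on", "a1": "on",
                                  "p2r0": "on"})
    # The parameterless URL clicked from the browser history.
    replay = Request("GET", {})

    unguarded = PermissionSettings(roles, permissions)
    unguarded.manage_changePermissions(submission)
    after_submission = dict(unguarded.settings)
    unguarded.manage_changePermissions_unchecked(replay)
    after_replay_unguarded = dict(unguarded.settings)

    guarded = PermissionSettings(roles, permissions)
    guarded.manage_changePermissions(submission)
    try:
        guarded.manage_changePermissions(replay)
        refused = False
    except RequestSanityError:
        refused = True
    return after_submission, after_replay_unguarded, dict(guarded.settings), refused


if __name__ == "__main__":
    before, wiped, kept, refused = demo()
    print("after submission:", before)
    print("after replay, unguarded:", wiped)
    print("after replay, guarded (refused=%s):" % refused, kept)
```

Redirecting to a result page after a successful POST would additionally keep the bare manage_changePermissions URL out of the browser history in the first place.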
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote:
> Well I said it was over and out but I have to respond to this latest post.
> I appreciate the help here and will be trying out some of the suggestions.
> Basically though, Zope permissions and security could be made a lot more
> usable. It's far too technically focused and this is the opinion of a few
> others as well. The whole ZMI interface could be put through a usability
> re-design to be honest and that's not even to contemplate the security areas.

The ZMI is well known to be geeky. "For developers, by developers" might be its motto. If you have some concrete suggestions, by all means put them forth. Patches are even better.

Anyway, ACLs are ACLs. And if you don't know what you're doing, you can get into trouble real fast. Ever tried managing file security on a Windows machine with ACLs?

CMF (this includes Plone) provides a way to manage this complexity: workflow states. Each workflow has a set of permissions it manages, and a setting of these for each state. This is much more easily comprehended than infinite fiddling with the ZMI Security tab.

Also, as I recall, there was a "private plone site" howto on plone.org; dunno what happened to it.

--jcc

--
"Building Websites with Plone"
http://plonebook.packtpub.com
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Hi Michael,

michael nt milne wrote:
> Also I feel that Plone has
> usability which sits above its prettiness. It is a well designed
> interface graphically but also has very strong non graphical usability
> elements.
>

You are correct - but you are not comparing like with like, as Plone is an /application/ and Zope is an /application server/. An analogous comparison might be between a car's dashboard and its engine compartment - you would expect the dashboard to be designed for a human user above all, but the engine compartment - however logically laid out - is primarily functional and is always going to appear alien to the person who is more comfortable driving than using a spanner.

Ultimately, Zope's ZMI user interface is designed for techies who want a minimal user interface which allows them to see the moving parts, not the kind of end-user oriented GUI that Plone sports.

You've been given a bit of a hard time in this thread, and I think that some good points have been made, but I've seen your energetic but somewhat misdirected posting as more a symptom of youth and over-confidence than any great sin - you seem to be coping with the feedback, so you'll learn. However, I'd like to make the point that the counter-productive and gratuitous insults for which Chris is rightly famous are another thing entirely. He's a clever bloke and helpful, but he seems to enjoy being rude - which is a shame.

FWIW, I think the best advice you've been given, albeit in the midst of quite a strong mail, was Floyd's - "the security framework in Zope and Plone was built in the way that it is FOR A REASON" - both in terms of etiquette and in terms of what should be reasonable to assume, it is usually best to assume that the core of Zope and Plone /work/, and that if some part of them appears not to then it is more likely the nut behind the steering wheel that is responsible, as it were. ;-)

Have a good weekend...

--
Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Yes I've apologised for the initial tone which was the wrong way to begin and yes I agree I should have routed out more documentation. I've read Andy Mackay, Plone Live, printed out screeds of how tos, chapters of the Zope book, installed Zope on my Unix server etc so I do have a reasonable, if still not mature, take on the environment. I feel that 'leech' and 'cretinous' are perhaps slightly over the top to be honest though :-)

Anyway, yes I feel we should over and out on this thread as it's not too entertaining now, even if it was before :-) Apologies to Zope if he's been offended.

On 2/10/06, Floyd May <[EMAIL PROTECTED]> wrote:

On 2/10/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> I agree. I didn't start it and I find it un-professional. I came here with a
> genuine issue, have received some help which I thank people for and have
> made some legitimate points. I find the Zope and Plone lists are generally
> very good and am not interested in slanging matches.
>
> Thanks
>
> Michael
>
> On 2/10/06, Paul Winkler <[EMAIL PROTECTED]> wrote:
> > Can we all stop with the public name-calling and personal insults?
> > It's embarrassing.
> >
> > --
> >
> > Paul Winkler
> > http://www.slinkp.com
>
> --
> Michael
>

I've resisted the urge to weigh in on this conversation for far too long.

Mr. Milne,

Your original email to this list was presented in such a way that you guaranteed yourself a difficult time acquiring assistance for the following reasons:

1. It contained a tone indicating something along the lines of "this is broken and you need to fix it because I'm complaining".

2. You made no indication that you had attempted to understand the existing framework. Most people cite or quote existing documentation, e.g. "The zope book says X, but I am experiencing Y" when attempting to sort out a problem.

3. You assume that because you are technically-capable in other realms, your experience with Zope and Plone must be the fault of Zope and Plone, and not the fault of your inexperience with the paradigm differences between the common Apache+RDBMS architectures and the object-oriented Zope/Plone architecture.

Zope and Plone are both built by volunteers. Thousands of people worldwide pour their free-time efforts into making these products the best that they can be. Regardless of what you may think, the security framework in Zope and Plone was built in the way that it is FOR A REASON, and that reason is to make the Zope Application Server as powerful as possible in terms of security. If you would have read the Zope book, the Definitive Guide to Plone, or the Zope Developer's Guide, you would have found the following phrase:

"Security is hard."

Despite the fact that your original email that started this confounded thread was an ignorant insult to the years of time and effort spent making Zope and Plone what they are, faithful patrons of the Zope mailing list attempted to help you. In response, you continued to insult Zope with cretinous comments like:

>I find the Zope security, permissions set-up hideously
>complex and unusable to be honest and it doesn't even seem to work

...and...

>But ultimately my comments on usability should be taken
>on board because Zope security is overly complex.

...and indicating your complete unwillingness to conform to simple requests from the people who are attempting to help you for free, in spite of your near-intolerable insults interspersed with vague information detailing what everyone has told you is what Zope *should* do with comments like the following:

>Sorry but this is not my experience and I have experimented.
>Am using gmail basic setting which I like.

It is obvious to the people who have taken the time to understand how Zope's security works that the trouble you are experiencing has one source and one source alone - you don't know what you're doing. Read the documentation, go through the tutorials, and prove that you are able to understand what's happening, then attempt again to set up the security model that you are attempting. Furthermore (and I want you to read this carefully), you would do well to understand that Zope is built by volunteers. Insulting the work of such volunteers, and failing to respect the expertise of those people who caused Zope to be what it is by considering unexpected behaviors bugs that should be fixed just because you say so is a certain way to get hostile reactions.

You are a dinner guest in the
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
I take the point that I approached this issue from the wrong standpoint and apologise for that. This was perhaps born out of a little frustration. I was never rude though. Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also has very strong non graphical usability elements.

On 2/10/06, Lennart Regebro <[EMAIL PROTECTED]> wrote:

On 2/10/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> I've spoken to many people on various lists and can confirm the feeling
> about usability on the ZMI etc. You call them 'halfwits'. That puts you on
> rather high ground and this attitude is obviously part of the problem.

1. By complaining about something that a lot of people do not find any problem with, YOU put yourself on a rather high ground compared to the people here who both created and use it.

Suggestion: Don't complain about the software that you want help with, because it makes the people who wrote it pissed off. Quite simple, really.

2. I have myself held courses in how to use a CMS (EasyPublisher) where you did most everything through the ZMI for people with both very little computer experience and a lot, and it was never a big usability problem. That the ZMI has big usability problems is simply not true. You also claim that there are a lot of people complaining that the ZMI has usability problems. Well, we are on all those mailing-lists, unless you have found some secret mailing lists for people who don't like Zope, so we know that there is in fact NOT a lot of complaints about this. When you claim that there are loads of people who say so, when there obviously aren't, it undermines your credibility and inclines people to not take you seriously.

Suggestion: Don't make up facts and statements that are not true, don't invent people that don't exist. Don't say that X is generally accepted as a fact when it isn't. If you do that, people will call you a liar, and you don't want that.

(Oh, and if you want an explanation about why a few people don't find the ZMI usable, it's because it's not "pretty", doesn't have flash graphics and such. People often confuse "prettiness" with "usability". ZMI is basic and well, ugly. It is however quite consistent and usable.)

And the same goes for Zope's access control. It is in no way complicated or hard to understand. By starting early in the discussion with complaining about it, you just make people pissed off and get the discussion running away in the wrong direction. Don't do that.

> How come Plone's interface is so usable and a delight to work with? How was
> that financed?

Because it's pretty? :-)

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
On 2/10/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> I agree. I didn't start it and I find it un-professional. I came here with a
> genuine issue, have received some help which I thank people for and have
> made some legitimate points. I find the Zope and Plone lists are generally
> very good and am not interested in slanging matches.
>
> Thanks
>
> Michael
>
> On 2/10/06, Paul Winkler <[EMAIL PROTECTED]> wrote:
> > Can we all stop with the public name-calling and personal insults?
> > It's embarrassing.
> >
> > --
> >
> > Paul Winkler
> > http://www.slinkp.com
>
> --
> Michael
>

I've resisted the urge to weigh in on this conversation for far too long.

Mr. Milne,

Your original email to this list was presented in such a way that you guaranteed yourself a difficult time acquiring assistance for the following reasons:

1. It contained a tone indicating something along the lines of "this is broken and you need to fix it because I'm complaining".

2. You made no indication that you had attempted to understand the existing framework. Most people cite or quote existing documentation, e.g. "The zope book says X, but I am experiencing Y" when attempting to sort out a problem.

3. You assume that because you are technically-capable in other realms, your experience with Zope and Plone must be the fault of Zope and Plone, and not the fault of your inexperience with the paradigm differences between the common Apache+RDBMS architectures and the object-oriented Zope/Plone architecture.

Zope and Plone are both built by volunteers. Thousands of people worldwide pour their free-time efforts into making these products the best that they can be. Regardless of what you may think, the security framework in Zope and Plone was built in the way that it is FOR A REASON, and that reason is to make the Zope Application Server as powerful as possible in terms of security. If you would have read the Zope book, the Definitive Guide to Plone, or the Zope Developer's Guide, you would have found the following phrase:

"Security is hard."

Despite the fact that your original email that started this confounded thread was an ignorant insult to the years of time and effort spent making Zope and Plone what they are, faithful patrons of the Zope mailing list attempted to help you. In response, you continued to insult Zope with cretinous comments like:

>I find the Zope security, permissions set-up hideously
>complex and unusable to be honest and it doesn't even seem to work.

...and...

>But ultimately my comments on usability should be taken
>on board because Zope security is overly complex.

...and indicating your complete unwillingness to conform to simple requests from the people who are attempting to help you for free, in spite of your near-intolerable insults interspersed with vague information detailing what everyone has told you is what Zope *should* do with comments like the following:

>Sorry but this is not my experience and I have experimented.
>Am using gmail basic setting which I like.

It is obvious to the people who have taken the time to understand how Zope's security works that the trouble you are experiencing has one source and one source alone - you don't know what you're doing. Read the documentation, go through the tutorials, and prove that you are able to understand what's happening, then attempt again to set up the security model that you are attempting. Furthermore (and I want you to read this carefully), you would do well to understand that Zope is built by volunteers. Insulting the work of such volunteers, and failing to respect the expertise of those people who caused Zope to be what it is by considering unexpected behaviors bugs that should be fixed just because you say so is a certain way to get hostile reactions.

You are a dinner guest in the world of Zope, and you have come into our living room and told us that we should repaint the walls and remodel our kitchen because "it doesn't work for you." The Zope community has made a robust product (regardless of your opinions to the contrary), and your behavior would have been much better-received if you would have kept your opinions about Zope's security (opinions founded in inexperience, I might add) to yourself and considered your own capability for making mistakes before pointing fingers at a worldwide community of software developers.
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
On 2/10/06, michael nt milne <[EMAIL PROTECTED]> wrote:
> I've spoken to many people on various lists and can confirm the feeling
> about usability on the ZMI etc. You call them 'halfwits'. That puts you on
> rather high ground and this attitude is obviously part of the problem.

1. By complaining about something that a lot of people do not find any problem with, YOU put yourself on a rather high ground compared to the people here who both created and use it.

Suggestion: Don't complain about the software that you want help with, because it makes the people who wrote it pissed off. Quite simple, really.

2. I have myself held courses in how to use a CMS (EasyPublisher) where you did most everything through the ZMI for people with both very little computer experience and a lot, and it was never a big usability problem. That the ZMI has big usability problems is simply not true. You also claim that there are a lot of people complaining that the ZMI has usability problems. Well, we are on all those mailing-lists, unless you have found some secret mailing lists for people who don't like Zope, so we know that there is in fact NOT a lot of complaints about this. When you claim that there are loads of people who say so, when there obviously aren't, it undermines your credibility and inclines people to not take you seriously.

Suggestion: Don't make up facts and statements that are not true, don't invent people that don't exist. Don't say that X is generally accepted as a fact when it isn't. If you do that, people will call you a liar, and you don't want that.

(Oh, and if you want an explanation about why a few people don't find the ZMI usable, it's because it's not "pretty", doesn't have flash graphics and such. People often confuse "prettiness" with "usability". ZMI is basic and well, ugly. It is however quite consistent and usable.)

And the same goes for Zope's access control. It is in no way complicated or hard to understand. By starting early in the discussion with complaining about it, you just make people pissed off and get the discussion running away in the wrong direction. Don't do that.

> How come Plone's interface is so usable and a delight to work with? How was
> that financed?

Because it's pretty? :-)

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and am not interested in slanging matches.

Thanks

Michael

On 2/10/06, Paul Winkler <[EMAIL PROTECTED]> wrote:

Can we all stop with the public name-calling and personal insults? It's embarrassing.

--

Paul Winkler
http://www.slinkp.com

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
> You liar!

I couldn't resist :-) You seem so entertained. Bit of sport and all that.

I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem. How come Plone's interface is so usable and a delight to work with? How was that financed?

>> who I have built sites for using Plone and on showing
>> them the ZMI they have re-coiled in absolute horror.
>
> Sure it wasn't just your cack-handed coding? ;-)

I haven't coded anything in the ZMI !

> They shouldn't be going to the ZMI if you've done your job properly with
> the Plohn interface..

Wrong. There are many things you still have to do through the ZMI. Like changing the banner graphic on the site if you want to. Basic things like that.

> Guessing? Yay, just what you need from someone you're paying to develop
> something...

Just a figure of speech in trying to be diplomatic. I shouldn't have bothered to be honest. And as for the clients comment I'm not even going to go there. I have many highly satisfied clients. I hope you do as well but I doubt it with such an un-professional manner. Please don't post again or I will have to reply :-) ha

On 2/10/06, Chris Withers <[EMAIL PROTECTED]> wrote:

michael nt milne wrote:
> Well I said it was over and out but I have to respond to this latest post.

You liar!

> Basically though, Zope permissions and security could be made a lot more
> usable.

Cool, we look forward to your documented proposal to dev.zope.org including implemented code on a branch with unit tests that satisfies all of Zope's potential users while maintaining complete security in all scenarios and providing a ui so perfect that even muppets could use it and not shoot themselves in the foot.

> It's far too technically focused and this is the opinion of a few
> others as well.

A few other halfwits maybe...

> The whole ZMI interface could be put through a usability
> re-design to be honest

Ah great, does that mean you're offering to finance this?

> and that's not even to contemplate the security
> areas.

I'm not sure you're qualified or capable of contemplating such areas ;-)

> I have a few clients,

I pity them, I really do...

> who I have built sites for using Plone and on showing
> them the ZMI they have re-coiled in absolute horror.

Sure it wasn't just your cack-handed coding? ;-)

> Now obviously Plone is
> trying to bring more and more features within its own interface, which is
> good as it's more usable.

Obviously, it's why we all _love_ Plohn so _damn_ much *grinz*

> However many things still remain.

Sadly, including you...

> Most of my
> clients are able to use the Plone editing tools and interfaces but can't at
> all get their heads round the ZMI.

They shouldn't be going to the ZMI if you've done your job properly with the Plohn interface...

> I would guess that changing interfaces
> doesn't help but there you go.

Guessing? Yay, just what you need from someone you're paying to develop something...

> Glad you feel entertained Norbert. I have been as well and at the same time
> have made quite a bit of progress. Cheers.

Please god, leave us alone...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk

--
Michael
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Can we all stop with the public name-calling and personal insults? It's embarrassing.

--

Paul Winkler
http://www.slinkp.com
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
michael nt milne wrote: Well I said it was over and out but I have to respond to this latest post. You liar! Basically though, Zope permissions and security could be made a lot more usable. Cool, we look forward to your documented proposal to dev.zope.org including implemented code on a branch with unit tests that satisfies all of Zope's potential users while maintaining complete security in all scenarios and providing a ui so perfect that even muppets could use it and not shoot themselves in the foot. It's far too technically focused and this is the opinion of a few others as well. A few other halfwits maybe... The whole ZMI interface could be put through a usability re-design to be honest Ah great, does that mean you're offering to finance this? and that's not even to comtemplate the security areas. I'm not sure you're qualified or capable of contemplating such areas ;-) I have a few clients, I pitty them, I really do... who I have built sites for using Plone and on showing them the ZMI they have re-coiled in absolute horror. Sure it wasn't just your cack-handed coding? ;-) Now obviously Plone is trying to bring more and more features within its own interface, which is good as it's more usable. Obiviously, it's why we all _love_ Plohn so _damn_ much *grinz* However many things still remain. Sadly, including you... Most of my clients are able to use the Plone editing tools and interfaces but can't at all get their heads round the ZMI. They shouldn't be going to the ZMI if you've done your job properly with the Plohn interface... I would guess that changing interfaces doesn't help but there you go. Guessing? Yay, just what you need from someone you're paying to develop something... Glad you feel entertained Norbert. I have been as well and at the same time have made quite a bit of progress. Cheers. Please god, leaves us alone... 
Chris -- Simplistix - Content Management, Zope & Python Consulting - http://www.simplistix.co.uk
Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?
Well I said it was over and out but I have to respond to this latest post. I appreciate the help here and will be trying out some of the suggestions. Basically though, Zope permissions and security could be made a lot more usable. It's far too technically focused and this is the opinion of a few others as well. The whole ZMI interface could be put through a usability re-design to be honest and that's not even to contemplate the security areas. I have a few clients, who I have built sites for using Plone and on showing them the ZMI they have recoiled in absolute horror. Now obviously Plone is trying to bring more and more features within its own interface, which is good as it's more usable. However many things still remain. Most of my clients are able to use the Plone editing tools and interfaces but can't at all get their heads round the ZMI. I would guess that changing interfaces doesn't help but there you go. Glad you feel entertained Norbert. I have been as well and at the same time have made quite a bit of progress. Cheers.

On 2/9/06, Norbert Marrale <[EMAIL PROTECTED]> wrote:
> Chris Withers wrote:
> > michael nt milne wrote:
> > > Over and out on this one from me
> >
> > You promise? ;-)
> >
> > Chris
>
> I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if your settings are correct - get prompted to log in by whichever authentication mechanism you chose to implement. If you cancel out and are able to view the page, you made a configuration mistake somewhere. Find it, fix it - and try again.
>
> This has become one of the more hilarious threads I've read in a long time. I suggest submitting Michael's name to alt.usenet.kooks for consideration as KotM.
>
> Norbert

-- Michael
[Zope] Re: major problems placing authentication on an extranet site-security flaw?
Chris Withers wrote:
> michael nt milne wrote:
> > Over and out on this one from me
>
> You promise? ;-)
>
> Chris

I think Tino made the key suggestion earlier on: log out of the ZMI, close your browser, restart it, clear the cache, clear any saved passwords, try to view the page in question and - if your settings are correct - get prompted to log in by whichever authentication mechanism you chose to implement. If you cancel out and are able to view the page, you made a configuration mistake somewhere. Find it, fix it - and try again.

This has become one of the more hilarious threads I've read in a long time. I suggest submitting Michael's name to alt.usenet.kooks for consideration as KotM.

Norbert