Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers

michael nt milne wrote:

Yes, I do realise that it's hard. Regarding the cookie comment that
was the reason I wanted to use Apache location based login. 


Huh? I'm sure some people would love to know how those two things relate 
in your head...



I do
realise that leaving a logon cookie is insecure and that comment was
perhaps misguided. I started to think about usability etc.


If you're lucky, you might get a system that's both insecure _and_ 
unusable ;-)



I'm going to block 8080 at the router/firewall level as Zope obviously
needs to keep serving through 8080 to Apache.


using iptables in the box is probably a better idea...


As for the issue with IE6 and editing pages over SSL it all works fine
in Firefox 1.5, so it's a browser issue which I just can't quite
fathom just now. 


I doubt it, my guess would still be that you're doing something wrong 
somewhere...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers

Dario Lopez-Kästen wrote:
Nevertheless, it is not simple to implement proper security with 
cookie-based logins. I had to make my own hacked version of 
SimpleUserFolder with sessioning on the zeo server to get it secure 
enough (it is actually a trade off from what I would have liked to have 
in the first place, but it works ok).


I know from personal experience that using sessions for this kind of 
information doesn't necessarily scale very well... check for conflict 
errors in your event log ;-)


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

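The conflict errors Chris mentions show up in Zope's event log, and counting them is a quicker test of whether session-based credentials are scaling than waiting for users to complain. The block below is an added example, not code from the thread or from Zope: it scans event-log text for `ZPublisher.Conflict` retry messages, groups them by request path, flags requests that used up Zope 2's default of three retries, and counts which object ids the conflicts name (one oid behind all of them points at a single contended object, such as a session data container). The log lines are constructed and their exact layout is an assumption about that era's Zope log format; the paths and oid are made up.

```python
import re
from collections import Counter

# Constructed event-log excerpt. Its layout is an assumption modelled on
# the ZPublisher.Conflict messages Zope 2 writes when it retries a request;
# the paths and the oid are made up.
SAMPLE_EVENT_LOG = """\
2006-02-14T12:30:01 INFO ZPublisher.Conflict ConflictError at /plone/members/alice/edit: database conflict error (oid 0x1a2b). A reference to this object was in the session data container. attempt 1
2006-02-14T12:30:02 INFO ZPublisher.Conflict ConflictError at /plone/members/alice/edit: database conflict error (oid 0x1a2b). A reference to this object was in the session data container. attempt 2
2006-02-14T12:30:02 INFO ZPublisher.Conflict ConflictError at /plone/members/alice/edit: database conflict error (oid 0x1a2b). A reference to this object was in the session data container. attempt 3
2006-02-14T12:30:05 INFO Zope Ready to handle requests
2006-02-14T12:31:10 INFO ZPublisher.Conflict ConflictError at /plone/news/view: database conflict error (oid 0x1a2b). A reference to this object was in the session data container. attempt 1
"""

CONFLICT_RE = re.compile(
    r'^(?P<ts>\S+) \S+ ZPublisher\.Conflict ConflictError at (?P<path>\S+?):'
    r'.*?\(oid (?P<oid>0x[0-9a-f]+)\).*?attempt (?P<attempt>\d+)$',
    re.MULTILINE)

DEFAULT_RETRIES = 3   # Zope 2's default retry limit for a conflicting request


def conflict_events(log_text):
    """Yield (timestamp, path, oid, attempt) for every conflict retry line."""
    for m in CONFLICT_RE.finditer(log_text):
        yield (m.group('ts'), m.group('path'), m.group('oid'),
               int(m.group('attempt')))


def conflicts_by_path(log_text):
    """How many retries each request path caused."""
    return Counter(path for _, path, _, _ in conflict_events(log_text))


def exhausted_retries(log_text, max_attempts=DEFAULT_RETRIES):
    """Paths where some request used up its retries, i.e. the user most
    likely got an error page instead of the content."""
    return sorted({path for _, path, _, attempt in conflict_events(log_text)
                   if attempt >= max_attempts})


def hot_objects(log_text):
    """Object ids named by the conflicts. One oid behind all of them means
    one contended object, which is what a session data container becomes
    when every authenticated request writes to it."""
    return Counter(oid for _, _, oid, _ in conflict_events(log_text))


if __name__ == '__main__':
    print('retries per path:', dict(conflicts_by_path(SAMPLE_EVENT_LOG)))
    print('exhausted:', exhausted_retries(SAMPLE_EVENT_LOG))
    print('hot objects:', dict(hot_objects(SAMPLE_EVENT_LOG)))
```

Run it against a real `event.log` by reading the file into `SAMPLE_EVENT_LOG`'s place; a steady stream of retries all naming the same oid is the scaling problem Chris is warning about, whereas scattered single retries on different objects are normal ZODB behaviour.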


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Igor Stroh
michael nt milne wrote:
 Yes, I do realise that it's hard. Regarding the cookie comment that
 was the reason I wanted to use Apache location based login. I do
 realise that leaving a logon cookie is insecure and that comment was
 perhaps misguided. I started to think about usability etc.
 
 I'm going to block 8080 at the router/firewall level as Zope obviously
 needs to keep serving through 8080 to Apache.

No need to do that, just configure your zope (etc/zope.conf) to
listen only on your loopback interface:

<http-server>
  address 127.0.0.1:8080
</http-server>

And btw, Zope doesn't *need* to serve on 8080...

HTH,
Igor
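Igor's loopback binding is the right fix, and it is worth verifying rather than assuming, since a bare port number in zope.conf binds to every interface and leaves Apache, and everything it enforces, bypassable by anyone who can reach port 8080. The following is an added example, not part of Igor's post or of Zope itself: a small Python audit that pulls the `address` directives out of a zope.conf and reports listeners reachable from other hosts. The two configuration fragments are constructed for the demonstration.

```python
import ipaddress
import re

# Two constructed zope.conf fragments (not the poster's file). The first is
# the stock listener: a bare port number binds to every interface on the
# box. The second is the loopback-only form from the message above.
CONF_ALL_INTERFACES = """\
<http-server>
  # bare port: bind to every address on the machine
  address 8080
</http-server>
"""

CONF_LOOPBACK = """\
<http-server>
  address 127.0.0.1:8080
</http-server>
"""

# One 'address' directive per line; comment lines never match because
# they do not begin with the keyword.
ADDRESS_RE = re.compile(r'^\s*address\s+(\S+)\s*$', re.MULTILINE)


def parse_listeners(conf_text):
    """Return (host, port) for every 'address' directive.
    An empty host means 'all interfaces'."""
    listeners = []
    for value in ADDRESS_RE.findall(conf_text):
        host, sep, port = value.rpartition(':')
        if not sep:                     # "8080": no host part at all
            host, port = '', value
        listeners.append((host.strip('[]'), int(port)))
    return listeners


def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                  # '' (all interfaces) or a hostname
        return False


def exposed_listeners(conf_text):
    """Listeners an external client could connect to, bypassing Apache."""
    return [(host, port) for host, port in parse_listeners(conf_text)
            if not is_loopback(host)]


if __name__ == '__main__':
    for label, conf in (('stock', CONF_ALL_INTERFACES), ('loopback', CONF_LOOPBACK)):
        print(label, 'exposed:', exposed_listeners(conf))
```

If Zope really must stay bound to an external address (a ZEO client on another box, say), Chris's suggestion of a packet filter on the host itself is the next layer; a rule of the shape `iptables -A INPUT -p tcp --dport 8080 ! -i lo -j DROP` drops everything to 8080 that did not arrive on the loopback interface, and unlike a router rule it still holds when the box is moved or the router is reconfigured.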


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
  Yes, I do realise that it's hard. Regarding the cookie comment that
  was the reason I wanted to use Apache location based login.

 Huh? I'm sure some people would love to know how those two things relate
 in your head...

I wanted to use an Apache served login box before the Zope/Plone site is
served but I've decided against that now as authentication should be
closely linked to the application. Also Apache location based
authentication isn't cookie based. Now going with Zope/Plone auth over SSL
alone with cookies set to expire.

  I do realise that leaving a logon cookie is insecure and that comment was
  perhaps misguided. I started to think about usability etc.

 If you're lucky, you might get a system that's both insecure _and_
 unusable ;-)

My aim is security with a good level of usability and I'll achieve that :-)

  I'm going to block 8080 at the router/firewall level as Zope obviously
  needs to keep serving through 8080 to Apache.

 using iptables in the box is probably a better idea...

thanks for the advice but I'll probably go with router level

  As for the issue with IE6 and editing pages over SSL it all works fine
  in Firefox 1.5, so it's a browser issue which I just can't quite
  fathom just now.

 I doubt it, my guess would still be that you're doing something wrong
 somewhere...

Sorry but I don't agree on this one. I haven't altered any of the Plone
'edit page' functionality. It's out of the box. Works fine without SSL but
on SSL trying to edit a page causes 'can't find server'. Firefox though
works perfectly viewing and editing so it's a browser issue. I know of
other people who have issues with IE and posting images over SSL. Must be
something to do with POST security over IE. I'm going to take it up with
them but don't expect too much of a response. I'm now about to try with
Opera.

On 2/14/06, Igor Stroh [EMAIL PROTECTED] wrote:
 michael nt milne wrote:
  Yes, I do realise that it's hard. Regarding the cookie comment that
  was the reason I wanted to use Apache location based login. I do
  realise that leaving a logon cookie is insecure and that comment was
  perhaps misguided. I started to think about usability etc.

  I'm going to block 8080 at the router/firewall level as Zope obviously
  needs to keep serving through 8080 to Apache.

 No need to do that, just configure your zope (etc/zope.conf) to
 listen only on your loopback interface:

 <http-server>
   address 127.0.0.1:8080
 </http-server>

 And btw, Zope doesn't *need* to serve on 8080...

 HTH,
 Igor

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Dario Lopez-Kästen

michael nt milne said the following on 2006-02-14 12:30:

 As for the issue with IE6 and editing pages over SSL it all works fine
 in Firefox 1.5, so it's a browser issue which I just can't quite
 fathom just now.


 I doubt it, my guess would still be that you're doing something wrong
somewhere...
 
 Sorry but I don't agree on this one. I haven't altered any of the 
Plone 'edit page' functionality. It's out of the box. Works fine without 
SSL but on SSL trying to edit a page causes 'can't find server'. Firefox 
though works perfectly viewing and editing so it's a browser issue. I 
know of other people who have issues with IE and posting images over 
SSL. Must be something to do with POST security over IE. I'm going to 
take it up with them but don't expect too much of a response. I'm now 
about to try with Opera.


This part is *only* about setting up the servers, apache and zope in 
this context, properly.


There is nothing in Zope that works differently when serving over ssl or 
not. SSL is just a transport layer, so it does *not* affect 
zope-capabilities in any way.


I am sure you know this, but since we have learned very little (or at 
least I have - maybe I am not paying attention well enough :-):


*HOWEVER*, IIRC, plone, especially on windows (if installed with the 
windows installer) uses a trick, which is not documented at all, as far 
as I know, uses a Site Access rule.


Have you modified that rule to take advantage of the SSL -server? 
Perhaps the SiteAccess rule is triggering and trying to redirect you to 
an address/port where there is no service listening?


/dario

--
-- ---
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design:
emancipate yourself from mental slavery - redemption song, b. marley



Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread michael nt milne
 I am sure you know this, but since we have learned very little (or at
 least I have - maybe I am not paying attention well enough :-):

 Have you modified that rule to take advantage of the SSL -server?
 Perhaps the SiteAccess rule is triggering and trying to redirect you to
 an address/port where there is no service listening?

No I haven't modified anything apart from upgrading Apache, installing and
configuring SSL, doing VirtualHost rules and then locking down Plone using
the 'private site' documentation.

Why would Firefox 1.5.1 work perfectly and be able to edit pages and upload
images? As I've said I know of more issues with IE and posting attachments
through a private contact on this list. Doesn't seem like a coincidence to
me. At least you've learned that :-)

On 2/14/06, Dario Lopez-Kästen [EMAIL PROTECTED] wrote:
 Alexander Limi said the following on 2006-02-14 14:05:
  On Tue, 14 Feb 2006 04:59:07 -0800, Dario Lopez-Kästen
  [EMAIL PROTECTED] wrote:
   *HOWEVER*, IIRC, plone, especially on windows (if installed with the
   windows installer) uses a trick, which is not documented at all, as far
   as I know, uses a Site Access rule.

  http://plone.org/documentation/faq/multiple-sites-installers

  What part is not documented at all? :)

 ähh... woopsy-daisy! my mistake. Sorry! 8^)

 /dario - crawls back under a rock... ;)

 ---
 Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
 Lyrics applied to programming & application design:
 emancipate yourself from mental slavery - redemption song, b. marley

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-14 Thread Chris Withers

michael nt milne wrote:

cookie based. Now going with Zope/Plone auth over SSL alone with cookies set
to expire.


I hope you're making sure the secure bit is set on those cookies ;-)


My aim is security with a good level of usability and I'll achieve that

:-)


Considering you can't even quote a response correctly, I somehow doubt 
that...



I'm going to block 8080 at the router/firewall level as Zope obviously
needs to keep serving through 8080 to Apache.

using iptables in the box is probably a better idea...



thanks for the advice but I'll probably go with router level


Fine, don't take our advice, but don't expect help either...


works perfectly viewing and editing so it's a browser issue. I know of other
people who have issues with IE and posting images over SSL. Must be
something to do with POST security over IE. I'm going to take it up with
them but don't expect too much of a response. I'm now about to try with
Opera.


Sheesh, sorry, but I've come to the conclusion you're just trolling and 
so won't be wasting my time with any more of your posts...


Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

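Chris's point about the secure bit deserves a concrete check. Below is an added example, not code from the thread or from Plone, that parses Set-Cookie headers as a browser would receive them from the Apache front end, reports cookies missing the Secure and HttpOnly flags, adds the flags, and shows what the Plone login cookie gives away if it ever travels over plain HTTP: in Plone 2.x the `__ac` cookie that CookieCrumbler sets is base64 of name:password, which is the "credentials passed over the wire with every page" Phil refers to earlier in the thread. The header values, cookie values and credentials in them are constructed; `_ZopeId` is Zope's session browser-id cookie.

```python
import base64
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, not captured from the poster's site.
# "__ac" is Plone's CookieCrumbler login cookie (base64 of name:password);
# "_ZopeId" is the session browser id. Both values are made up.
SAMPLE_SET_COOKIES = [
    '__ac="YWxpY2U6czNjcjN0"; Path=/',
    '_ZopeId="12345678A9bCdEfGhIjK"; Path=/; Secure; HttpOnly',
]

# Secure: browser only sends it over HTTPS. HttpOnly: script cannot read it.
REQUIRED_FLAGS = ('secure', 'httponly')


def _single_morsel(header_value):
    """Parse one Set-Cookie header value; a header carries one cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError('expected exactly one cookie, got %d' % len(jar))
    return next(iter(jar.values()))


def missing_flags(header_value, required=REQUIRED_FLAGS):
    """Flags the cookie lacks, e.g. ['secure', 'httponly'] for a bare cookie."""
    morsel = _single_morsel(header_value)
    return [flag for flag in required if not morsel[flag]]


def harden_set_cookie(header_value, required=REQUIRED_FLAGS):
    """Return the header value with every required flag present."""
    morsel = _single_morsel(header_value)
    for flag in required:
        morsel[flag] = True
    return morsel.OutputString()


def decode_ac_cookie(header_value):
    """What a passive observer of a plain-HTTP request learns from __ac:
    the user name and password, protected by base64 only."""
    morsel = _single_morsel(header_value)
    if morsel.key != '__ac':
        raise ValueError('not an __ac cookie')
    decoded = base64.b64decode(morsel.value).decode('utf-8')
    name, _, password = decoded.partition(':')
    return name, password


def audit(headers):
    """Map cookie name -> missing flags for every header with a problem."""
    report = {}
    for header in headers:
        missing = missing_flags(header)
        if missing:
            report[_single_morsel(header).key] = missing
    return report


if __name__ == '__main__':
    print('problems:', audit(SAMPLE_SET_COOKIES))
    print('hardened:', harden_set_cookie(SAMPLE_SET_COOKIES[0]))
    print('exposed credentials:', decode_ac_cookie(SAMPLE_SET_COOKIES[0]))
```

Where the application does not set the flag itself, the SSL edge can add it: with Apache's mod_headers (2.2.4 or later) a directive of the form `Header edit Set-Cookie ^(.*)$ "$1; Secure"` appends it to every cookie the backend emits, and the audit above, run on the headers the browser actually receives, confirms that it took effect.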


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-13 Thread Dario Lopez-Kästen

Chris Withers said the following on 2006-02-12 15:27:


Given your earlier paranoia about security


uh, us security nerds^H^H^H^H^H^H 
folks-who-have-an-strong-interest-in-security, actually prefer to call 
it eagerness. Paranoia has such negative timbre, don't you think? :-)


Nevertheless, it is not simple to implement proper security with 
cookie-based logins. I had to make my own hacked version of 
SimpleUserFolder with sessioning on the zeo server to get it secure 
enough (it is actually a trade off from what I would have liked to have 
in the first place, but it works ok).


Cheers,

/dario


--
-- ---
Dario Lopez-Kästen, IT Systems & Services Chalmers University of Tech.
Lyrics applied to programming & application design:
emancipate yourself from mental slavery - redemption song, b. marley



Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
Thanks

 It's worth bearing in mind that those credentials are passed over the
 wire with every page, so you need your sessions to /stay/ in SSL mode
 once authenticated.

Yes, I've got the whole site going over SSL and the :8080 port re-directing
to SSL.

However on my main server where I have other sites I was thinking about
implementing SSL for the login areas to make them fully secure. From what
you are saying though you'd basically need to make a whole site go over SSL
and just implementing that on the login areas isn't worth it?

I still have an issue with IE6 over SSL where trying to create new pages or
edit content, produces a server not found and the padlock disappears. I have
TLS 1.0 and SSL 2.3, 3.0 selected in advanced. IE 6.02. Firefox 1.5
(predictably..) works fine but I don't want to have to get all my users to
install it even though I'd like to :-)

On 2/11/06, Philip Kilner [EMAIL PROTECTED] wrote:
 Hi Michael,

 michael nt milne wrote:
  I've implemented what's outlined in the make private site
  documentation and it works fine on Plone 2.1.1. No content is available
  apart from the site-map page (doesn't list content) and the contact form
  but I can figure that out separately.

 Since neither of those counts as content as such, I think that that is
 legitimate and as you say, you can work around those if it matters to
 you (In cases where I've wanted to work around such things, I've simply
 called a script that redirects with an error message if the
 appropriate conditions aren't met.

  Yes I think I like the HTML login page way to authenticate. It feels
  more usable. And I don't think I'll use an Apache login box at all. Most
  users will find it hard remembering one password and with cookie
  authentication over SSL you can go straight into the site. Brilliant.

 Agreed. Apache does a great job of managing the SSL, securing the data
 over public wires, but that's a 100% generic task whereas the
 authentication is tightly bound to your application.

 It's worth bearing in mind that those credentials are passed over the
 wire with every page, so you need your sessions to /stay/ in SSL mode
 once authenticated.

  I'm revisiting some of the points made in this thread though about
  security. It does seem that Zope and Plone as you say, are at odds on this.

 Because Zope is an application server, it has to expose its mechanism -
 Plone has an easier job because it has a specific task to do (e.g.
 manage content), and so can take an approach which is much simpler to
 fly. In Plone, always do things the Plone way - working at the Zope
 level may potentially subvert Plone's mechanisms for achieving things.

 --
 Regards,
 PhilK
 Email: [EMAIL PROTECTED]
 PGP Public key: http://www.xfr.co.uk
 Voicemail & Facsimile: 07092 070518

 You'll find that one part's sweet and one part's tart:
 say where the sweetness and the sourness start.
 - Tony Harrison

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers

michael nt milne wrote:


Yes I think I like the HTML login page way to authenticate. It feels more
usable. And I don't think I'll use an Apache login box at all. Most users
will find it hard remembering one password and with cookie authentication
over SSL you can go straight into the site. Brilliant.


Given your earlier paranoia about security, this a truly bizarre 
paragraph; you're so worried about basic auth that you didn't want to 
use it, and yet you're quite happy to have a cookie living on a user's 
machine long term, and still leave port 8080 exposed?


wow...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread Chris Withers

michael nt milne wrote:

Yes, I've got the whole site going over SSL and the :8080 port re-directing
to SSL.


Anything not over SSL should be blocked, not redirected, given your 
earlier paranoia...



However on my main server where I have other sites I was thinking about
implementing SSL for the login areas to make them fully secure. From what
you are saying though you'd basically need to make a whole site go over SSL
and just implementing that on the login areas isn't worth it?


Correct. Also, don't turn SSL into a panacea. Security is hard. Very 
hard. I'm not sure you understand that yet...



I still have an issue with IE6 over SSL where trying to create new pages or
edit content, produces a server not found and the padlock disappears.


Look at where the form action points to, I suspect you haven't correctly 
configured your virtual hosting stuff in Apache and/or Zope.


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk
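Chris's diagnosis (look at where the form action points) and Dario's question earlier in the thread about a SiteAccess rule redirecting to a port with nothing listening are the same check from two ends: when Apache proxies to Zope without VirtualHostMonster in the path, Zope builds absolute URLs from its own host and port, and a POST to http://host:8080/... fails the moment 8080 is firewalled and plain HTTP is blocked, which is consistent with a page that views fine but fails with "can't find server" on a form submit. This added example, not from the thread or from Zope, builds the VirtualHostMonster path Apache should proxy to for a public HTTPS URL and scans a rendered page for absolute form actions that leave the public origin. The site path `/plone`, the host `extranet.example.com` and the sample page are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

DEFAULT_PORTS = {'http': 80, 'https': 443}


def origin(url):
    """(scheme, host, port) of an absolute URL, default port filled in."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or '').lower(), u.port or DEFAULT_PORTS.get(scheme)


def vhm_path(public_url, site_path='/plone'):
    """Path Apache should proxy to so that VirtualHostMonster rewrites the
    URLs Zope generates for the public scheme, host and port. site_path is
    the Zope object path of the Plone site ('/plone' is an assumption)."""
    scheme, host, port = origin(public_url)
    path = urlparse(public_url).path or '/'
    return '/VirtualHostBase/%s/%s:%d%s/VirtualHostRoot%s' % (
        scheme, host, port, site_path, path)


FORM_ACTION_RE = re.compile(
    r'<form\b[^>]*?\baction\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def foreign_form_actions(html, public_url):
    """Absolute form actions that leave the public origin. A POST to one
    of these goes to a scheme/host/port the browser cannot reach once
    8080 is firewalled and plain HTTP is blocked."""
    expected = origin(public_url)
    return [action for action in FORM_ACTION_RE.findall(html)
            if urlparse(action).scheme and origin(action) != expected]


# Constructed edit page as Zope renders it when the front end proxies to
# it without VirtualHostMonster: Zope only knows its own host and port.
SAMPLE_EDIT_PAGE = """\
<html><body>
<form name="edit_form" method="post"
      action="http://extranet.example.com:8080/plone/front-page/atct_edit">
  <input type="text" name="title" value="Front page">
</form>
<form name="searchform" method="get" action="search">
  <input type="text" name="SearchableText">
</form>
</body></html>
"""

PUBLIC_URL = 'https://extranet.example.com/'


if __name__ == '__main__':
    print('proxy target:', vhm_path(PUBLIC_URL + 'front-page/atct_edit'))
    print('form actions leaving the origin:',
          foreign_form_actions(SAMPLE_EDIT_PAGE, PUBLIC_URL))
```

On the Apache side, the value `vhm_path` returns is what a rewrite of the form `RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/%{SERVER_NAME}:443/plone/VirtualHostRoot/$1 [L,P]` hands to Zope; once that is in place every URL Zope generates, form actions included, carries the public scheme and host, and `foreign_form_actions` run over a fetched edit page should come back empty. A separate plain-HTTP virtual host that answers 403 rather than redirecting is the "blocked, not redirected" behaviour Chris asks for.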


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-12 Thread michael nt milne
Yes, I do realise that it's hard. Regarding the cookie comment that
was the reason I wanted to use Apache location based login. I do
realise that leaving a logon cookie is insecure and that comment was
perhaps misguided. I started to think about usability etc.

I'm going to block 8080 at the router/firewall level as Zope obviously
needs to keep serving through 8080 to Apache.

As for the issue with IE6 and editing pages over SSL it all works fine
in Firefox 1.5, so it's a browser issue which I just can't quite
fathom just now. Annoying as all the users are on IE. Unless I use
that as an excuse for them all to get a better browser..

Thanks for the comments

Michael



On 2/12/06, Chris Withers [EMAIL PROTECTED] wrote:
 michael nt milne wrote:
  Yes, I've got the whole site going over SSL and the :8080 port re-directing
  to SSL.

 Anything not over SSL should be blocked, not redirected, given your
 earlier paranoia...

  However on my main server where I have other sites I was thinking about
  implementing SSL for the login areas to make them fully secure. From what
  you are saying though you'd basically need to make a whole site go over SSL
  and just implementing that on the login areas isn't worth it?

 Correct. Also, don't turn SSL into a panacea. Security is hard. Very
 hard. I'm not sure you understand that yet...

  I still have an issue with IE6 over SSL where trying to create new pages or
  edit content, produces a server not found and the padlock disappears.

 Look at where the form action points to, I suspect you haven't correctly
 configured your virtual hosting stuff in Apache and/or Zope.

 cheers,

 Chris

 --
 Simplistix - Content Management, Zope & Python Consulting
 - http://www.simplistix.co.uk




--
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi,

J Cameron Cooper wrote:
 Also, as I recall, there was a private plone site howto on plone.org;
 dunno what happened to it.
 

It's still there, still works - and is very likely what Michael wants.


-- 

Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start.
- Tony Harrison


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Again,

Re. Private Plone Site Howto

Philip Kilner wrote:
 It's still there, still works - and is very likely what Michael wants.
 

I'm an idiot - should have checked, knowing that there was a
documentation sprint last weekend. It was at: -

http://plone.org/documentation/how-to/creating-private-plone-site/howto_view

...but I get a login prompt at that URL now.

Has this how to been pulled because flawed, or is it just missing?

I've used it in numerous places, so I'd be interested to know either way!


-- 

Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start.
- Tony Harrison


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael,

michael nt milne wrote:
 Yes I found that as well but picked it up from the Google cache.
 Strange that it is available there as it's password protected.
 Possibly it was public before?
 

Yes, it was public before.

Have you tried this, and does it solve your problems?

JCC is spot on when he points to workflow as being the basis of security
in Plone - it's also worth saying that the Zope system and the Plone
system are pretty much at odds with one another. You are more likely to
make mistakes at the Zope level than to do what you intend.

(If you try the howto, don't overlook that last step - hitting the
update security settings button. Managed to overlook this myself
recently (despite it being the umpteenth time I've followed this howto),
and spent hours thinking that something more exotic was going on!)

Let us know how you get on...


-- 

Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail  Facsimile: 07092 070518

You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start.
- Tony Harrison


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread michael nt milne
Hi Phil

I've implemented what's outlined in the make private site documentation and
it works fine on Plone 2.1.1. No content is available apart from the
site-map page (doesn't list content) and the contact form but I can figure
that out separately.

Yes I think I like the HTML login page way to authenticate. It feels more
usable. And I don't think I'll use an Apache login box at all. Most users
will find it hard remembering one password and with cookie authentication
over SSL you can go straight into the site. Brilliant.

I'm revisiting some of the points made in this thread though about
security. It does seem that Zope and Plone as you say, are at odds on this.

Thanks a lot for your help and words of advice. I still seem to have an
issue where editing a page in IE over SSL produces a 'can't find server'
but it's a browser issue as this works fine on the latest Firefox.

Michael

On 2/11/06, Philip Kilner [EMAIL PROTECTED] wrote:
 Hi Michael,

 michael nt milne wrote:
  Yes I found that as well but picked it up from the Google cache.
  Strange that it is available there as it's password protected.
  Possibly it was public before?

 Yes, it was public before.

 Have you tried this, and does it solve your problems?

 JCC is spot on when he points to workflow as being the basis of security
 in Plone - it's also worth saying that the Zope system and the Plone
 system are pretty much at odds with one another. You are more likely to
 make mistakes at the Zope level than to do what you intend.

 (If you try the howto, don't overlook that last step - hitting the
 update security settings button. Managed to overlook this myself
 recently (despite it being the umpteenth time I've followed this howto),
 and spent hours thinking that something more exotic was going on!)

 Let us know how you get on...

 --
 Regards,
 PhilK
 Email: [EMAIL PROTECTED]
 PGP Public key: http://www.xfr.co.uk
 Voicemail & Facsimile: 07092 070518

 You'll find that one part's sweet and one part's tart:
 say where the sweetness and the sourness start.
 - Tony Harrison

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-11 Thread Philip Kilner
Hi Michael,

michael nt milne wrote:
 I've implemented what's outlined in the make private site
 documentation and it works fine on Plone 2.1.1. No content is available
 apart from the site-map page (doesn't list content) and the contact form
 but I can figure that out separately.
  

Since neither of those counts as content as such, I think that that is
 legitimate and as you say, you can work around those if it matters to
you (In cases where I've wanted to work around such things, I've simply
called a script that redirects with an error message if the
appropriate conditions aren't met.

 Yes I think I like the HTML login page way to authenticate. It feels
 more usable. And I don't think I'll use an Apache login box at all. Most
 users will find it hard remembering one password and with cookie
 authentication over SSL you can go straight into the site. Brilliant.
  

Agreed. Apache does a great job of managing the SSL, securing the data
over public wires, but that's a 100% generic task whereas the
authentication is tightly bound to your application.

It's worth bearing in mind that those credentials are passed over the
wire with every page, so you need your sessions to /stay/ in SSL mode
once authenticated.

 I'm revisting some of the points made in this thread though about
 security. It does seem that Zope and Plone as you say, are at odds on this.
  

Because Zope is an application server, it has to expose its mechanism -
Plone has an easier job because it has a specific task to do (e.g.
manage content), and so can take an approach which is much simpler to
fly. In Plone, always do things the Plone way - working at the Zope
level may potentially subvert Plone's mechanisms for achieving things.


-- 

Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start.
- Tony Harrison


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Well I said it was over and out but I have to respond to this latest post.
I appreciate the help here and will be trying out some of the suggestions.
Basically though, Zope permissions and security could be made a lot more
usable. It's far too technically focused and this is the opinion of a few
others as well. The whole ZMI interface could be put through a usability
re-design to be honest and that's not even to contemplate the security
areas.

I have a few clients, who I have built sites for using Plone and on showing
them the ZMI they have recoiled in absolute horror. Now obviously Plone is
trying to bring more and more features within its own interface, which is
good as it's more usable. However many things still remain. Most of my
clients are able to use the Plone editing tools and interfaces but can't at
all get their heads round the ZMI. I would guess that changing interfaces
doesn't help but there you go.

Glad you feel entertained Norbert. I have been as well and at the same time
have made quite a bit of progress. Cheers.

On 2/9/06, Norbert Marrale [EMAIL PROTECTED] wrote:
 Chris Withers wrote:
  michael nt milne wrote:
   Over and out on this one from me

  You promise? ;-)

  Chris

 I think Tino made the key suggestion earlier on: log out of the ZMI,
 close your browser, restart it, clear the cache, clear any saved
 passwords, try to view the page in question and - if your settings are
 correct - get prompted to log in by whichever authentication mechanism
 you chose to implement. If you cancel out and are able to view the page,
 you made a configuration mistake somewhere. Find it, fix it - and try
 again.

 This has become one of the more hilarious threads I've read in a long
 time. I suggest submitting Michael's name to alt.usenet.kooks for
 consideration as KotM.

 Norbert

-- 
Michael
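Norbert's test (fresh browser, no cache, no saved passwords, then see whether the page is readable without logging in) is the one check that says whether the private site is actually private, and it can be run from a script that sends no cookies and no Authorization header, which is the same thing without the browser. The block below is an added example, not from Norbert or from Plone. It classifies each anonymous response as refused, bounced to a login form, or readable, and reports readable paths that are not on an allow list; the allow list mirrors the poster's own note that the site map and contact form are meant to stay reachable. The host name, paths and canned responses are constructed, and `live_fetch` is the drop-in for a real run.

```python
import http.client
from urllib.parse import urlparse

PROTECTED_STATUSES = (401, 403)
REDIRECT_STATUSES = (301, 302, 303, 307)


def classify(status, location):
    """'protected' if anonymous access was refused or bounced to a login
    page, 'public' if the page came back, 'other' for anything else."""
    if status in PROTECTED_STATUSES:
        return 'protected'
    if (status in REDIRECT_STATUSES and location
            and 'login' in urlparse(location).path):
        return 'protected'
    if status == 200:
        return 'public'
    return 'other'


def anonymous_leaks(paths, fetch, allow=()):
    """Paths an anonymous client can read that are not meant to be public.
    fetch(path) -> (status, Location header or None)."""
    return [path for path in paths
            if classify(*fetch(path)) == 'public' and path not in allow]


def live_fetch(path, host='extranet.example.com', use_tls=True):
    """A fresh anonymous GET: no cookies, no Authorization header, so it
    is the equivalent of the cleared-cache browser. The host is a
    placeholder; not called by the offline demonstration below."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    try:
        conn.request('GET', path, headers={'User-Agent': 'private-site-check'})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader('Location')
    finally:
        conn.close()


# Constructed responses standing in for a live site so the check runs
# offline; in use, pass live_fetch instead.
CONSTRUCTED_RESPONSES = {
    '/plone/': (302, 'https://extranet.example.com/plone/login_form'),
    '/plone/members/alice': (401, None),
    '/plone/front-page': (200, None),    # readable by anyone: the leak
    '/plone/sitemap': (200, None),       # deliberately public, lists nothing
    '/plone/contact-info': (200, None),  # deliberately public
}

PUBLIC_BY_DESIGN = ('/plone/sitemap', '/plone/contact-info')


def constructed_fetch(path):
    return CONSTRUCTED_RESPONSES[path]


def check_constructed_site():
    """Run the leak check against the canned responses."""
    return anonymous_leaks(sorted(CONSTRUCTED_RESPONSES), constructed_fetch,
                           allow=PUBLIC_BY_DESIGN)


if __name__ == '__main__':
    print('anonymous can read:', check_constructed_site())
```

Against a real site, feed it the paths that must be private (content folders, member areas, anything with a workflow state other than published) and run it after every security change; the "update security settings" step Phil mentions earlier in the thread is exactly the kind of omission that turns a 401 in this list into a 200.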


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Chris Withers

michael nt milne wrote:

Well I said it was over and out but I have to respond to this latest post.


You liar!


Basically though, Zope permissions and security could be made a lot more
usable. 


Cool, we look forward to your documented proposal to dev.zope.org 
including implemented code on a branch with unit tests that satisfies 
all of Zope's potential users while maintaining complete security in all 
scenarios and providing a ui so perfect that even muppets could use it 
and not shoot themselves in the foot.



It's far too technically focused and this is the opinion of a few
others as well. 


A few other halfwits maybe...


The whole ZMI interface could be put through a usability
re-design to be honest


Ah great, does that mean you're offering to finance this?


and that's not even to contemplate the security
areas.


I'm not sure you're qualified or capable of contemplating such areas ;-)

I have a few clients, 


I pity them, I really do...


who I have built sites for using Plone and on showing
them the ZMI they have re-coiled in absolute horror.


Sure it wasn't just your cack-handed coding? ;-)


Now obviously Plone is
trying to bring more and more features within its own interface, which is
good as it's more usable.


Obviously, it's why we all _love_ Plohn so _damn_ much *grinz*

However many things still remain. 


Sadly, including you...


Most of my
clients are able to use the Plone editing tools and interfaces but can't at
all get their heads round the ZMI. 


They shouldn't be going to the ZMI if you've done your job properly with 
the Plohn interface...



I would guess that changing interfaces
doesn't help but there you go.


Guessing? Yay, just what you need from someone you're paying to develop 
something...



Glad you feel entertained Norbert. I have been as well and at the same time
have made quite a bit of progress. Cheers.


Please god, leave us alone...

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Paul Winkler
Can we all stop with the public name-calling and personal insults?
It's embarrassing.

-- 

Paul Winkler
http://www.slinkp.com


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
 You liar!

I couldn't resist :-) You seem so entertained. Bit of sport and all that.

I've spoken to many people on various lists and can confirm the feeling about usability on the ZMI etc. You call them 'halfwits'. That puts you on rather high ground and this attitude is obviously part of the problem.

How come Plone's interface is so usable and a delight to work with? How was that financed?

  who I have built sites for using Plone and on showing them the ZMI they have recoiled in absolute horror.

 Sure it wasn't just your cack-handed coding? ;-)

I haven't coded anything in the ZMI!

 They shouldn't be going to the ZMI if you've done your job properly with
 the Plohn interface...

Wrong. There are many things you still have to do through the ZMI. Like changing the banner graphic on the site if you want to. Basic things like that.

 Guessing? Yay, just what you need from someone you're paying to develop
 something...

Just a figure of speech in trying to be diplomatic. I shouldn't have bothered to be honest. And as for the clients comment I'm not even going to go there. I have many highly satisfied clients. I hope you do as well but I doubt it with such an un-professional manner.

Please don't post again or I will have to reply :-) ha

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I agree. I didn't start it and I find it un-professional. I came here with a genuine issue, have received some help which I thank people for and have made some legitimate points. I find the Zope and Plone lists are generally very good and am not interested in slanging matches.

Thanks

Michael



Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Lennart Regebro
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote:
 I've spoken to many people on various lists and can confirm the feeling
 about usability on the ZMI etc. You call them 'halfwits'. That puts you on
 rather high ground and this attitude is obviously part of the problem.

1. By complaining about something that a lot of people do not find any
problem with, YOU put yourself on a rather high ground compared to the
people here who both created and use it.

Suggestion: Don't complain about the software that you want help with,
because it makes the people who wrote it pissed off. Quite simple,
really.

2. I have myself held courses in how to use a CMS (EasyPublisher)
where you did most everything through the ZMI for people with both
very little computer experience and a lot, and it was never a big
usability problem. That the ZMI has big usability problems is simply
not true. You also claim that there are lots of people complaining that
the ZMI has usability problems. Well, we are on all those
mailing-lists, unless you have found some secret mailing lists for
people who don't like Zope, so we know that there is in fact NOT a lot
of complaints about this.
When you claim that there are loads of people who say so, when there
obviously aren't, it undermines your credibility and inclines people to not
take you seriously.

Suggestion: Don't make up facts and statements that are not true, don't
invent people that don't exist. Don't say that X is generally
accepted as a fact when it isn't. If you do that, people will call you
a liar, and you don't want that.

(Oh, and if you want an explanation about why a few people don't find
the ZMI usable, it's because it's not pretty, doesn't have flash
graphics and such. People often confuse prettiness with
usability. ZMI is basic and well, ugly. It is however quite
consistent and usable.)

And the same goes for Zope's access control. It is in no way
complicated or hard to understand. By starting early in the discussion
with complaining about it, you just make people pissed off and get the
discussion running away in the wrong direction.  Don't do that.

 How come Plone's interface is so useable and a delight to work with? How was
 that financed?

Because it's pretty? :-)

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Floyd May
On 2/10/06, michael nt milne [EMAIL PROTECTED] wrote:
 I agree. I didn't start it and I find it un-professional. I came here with a
 genuine issue, have received some help which I thank people for and have
 made some legitimate points. I find the Zope and Plone lists are generally
 very good and an not interested in slanging matches.

 Thanks

 Michael



 On 2/10/06, Paul Winkler  [EMAIL PROTECTED] wrote:
  Can we all stop with the public name-calling and personal insults?
  It's embarassing.
 
  --
 
  Paul Winkler
  http://www.slinkp.com
 



 --
  Michael




I've resisted the urge to weigh in on this conversation for far too long.

Mr. Milne,
Your original email to this list was presented in such a way that you
guaranteed yourself a difficult time acquiring assistance for the
following reasons:
1. It contained a tone indicating something along the lines of this
is broken and you need to fix it because I'm complaining.
2. You made no indication that you had attempted to understand the
existing framework.  Most people cite or quote existing documentation,
e.g. The zope book says X, but I am experiencing Y when attempting
to sort out a problem.
3. You assume that because you are technically-capable in other
realms, your experience with Zope and Plone must be the fault of Zope
and Plone, and not the fault of your inexperience with the paradigm
differences between the common Apache+RDBMS architectures and the
object-oriented Zope/Plone architecture.

Zope and Plone are both built by volunteers.  Thousands of people
worldwide pour their free-time efforts into making these products the
best that they can be.  Regardless of what you may think, the security
framework in Zope and Plone was built in the way that it is FOR A
REASON, and that reason is to make the Zope Application Server as
powerful as possible in terms of security.  If you had read the
Zope book, the Definitive Guide to Plone, or the Zope Developer's
Guide, you would have found the following phrase:
Security is hard.

Despite the fact that your original email that started this confounded
thread was an ignorant insult to the years of time and effort spent
making Zope and Plone what they are, faithful patrons of the Zope
mailing list attempted to help you.  In response, you continued to
insult Zope with cretinous comments like:

I find the Zope security, permissions set-up hideously
complex and unusable to be honest and it doesn't even seem to work.

...and...

But ultimately my  comments on usabiltity should be taken
on board because Zope security is overly complex.

...and indicating your complete unwillingness to conform to simple
requests from the people who are attempting to help you for free, in
spite of your near-intolerable insults interspersed with vague
information detailing what everyone has told you is what Zope *should*
do with comments like the following:
Sorry but this is not my experience and I have experimented.
Am using gmail basic setting which I like.

It is obvious to the people who have taken the time to understand how
Zope's security works that the trouble you are experiencing has one
source and one source alone - you don't know what you're doing.  Read
the documentation, go through the tutorials, and prove that you are
able to understand what's happening, then attempt again to set up the
security model that you are attempting.  Furthermore (and I want you
to read this carefully), you would do well to understand that Zope is
built by volunteers.  Insulting the work of such volunteers, and
failing to respect the expertise of those people who caused Zope to be
what it is by considering unexpected behaviors bugs that should be
fixed just because you say so is a certain way to get hostile
reactions.

You are a dinner guest in the world of Zope, and you have come into
our living room and told us that we should repaint the walls and
remodel our kitchen because it doesn't work for you.  The Zope
community has made a robust product (regardless of your opinions to
the contrary), and your behavior would have been much better-received
if you would have kept your opinions about Zope's security (opinions
founded in inexperience, I might add) to yourself and considered your
own capability for making mistakes before pointing fingers at a
worldwide community of software developers.  The trouble that you are
having with Zope's security is YOUR fault.  The 

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
I take the point that I approached this issue from the wrong standpoint and apologise for that. This was perhaps born out of a little frustration. I was never rude though. Also I feel that Plone has usability which sits above its prettiness. It is a well designed interface graphically but also has very strong non graphical usability elements.

-- 
Michael


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread michael nt milne
Yes I've apologised for the initial tone which was the wrong way to begin and yes I agree I should have rooted out more documentation. I've read Andy McKay, Plone Live, printed out screeds of how-tos, chapters of the Zope book, installed Zope on my Unix server etc so I do have a reasonable, if still not mature, take on the environment.

I feel that 'leech' and 'cretinous' are perhaps slightly over the top to be honest though :-)

Anyway, yes I feel we should go over and out on this thread as it's not too entertaining now, even if it was before :-)

Apologies to Zope if he's been offended.

Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Philip Kilner
Hi Michael,

michael nt milne wrote:
 Also I feel that Plone has
 usabillity which sits above it's prettyness. It is a well designed
 interface graphically but also has very strong non graphical usability
 elements.
 

You are correct - but you are not comparing like with like, as Plone is
an /application/ and Zope is an /application server/.

An analogous comparison might be between a car's dashboard and its
engine compartment - you would expect the dashboard to be designed for a
human user above all, but the engine compartment - however logically
laid out - is primarily functional and is always going to appear alien
to the person who is more comfortable driving than using a spanner.

Ultimately, Zope's ZMI user interface is designed for techies who want a
minimal user interface which allows them to see the moving parts, not
the kind of end-user oriented GUI that Plone sports.

You've been given a bit of a hard time in this thread, and I think that
some good points have been made, but I've seen your energetic but
somewhat misdirected posting as more a symptom of youth and
over-confidence than any great sin - you seem to be coping with the
feedback, so you'll learn. However, I'd like to make the point that the
counter-productive and gratuitous insults for which Chris is rightly
famous are another thing entirely. He's a clever bloke and helpful, but
he seems to enjoy being rude - which is a shame.

FWIW, I think the best advice you've been given, albeit in the midst of
quite a strong mail were Floyd's - the security framework in Zope and
Plone was built in the way that it is FOR A REASON - both in terms of
etiquette and in terms of what should be reasonable to assume, it is
usually best to assume that the core of Zope and Plone /work/, and that
if some part of them appears not to then it is more likely the nut
behind the steering wheel that is responsible, as it were.

;-)

Have a good weekend...


-- 

Regards,

PhilK

Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518

You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start.
- Tony Harrison


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread J Cameron Cooper

michael nt milne wrote:
Well I said it was over and out but I have to respond to this latest 
post. I appreciate the help here and will be trying out some of the 
suggestions. Basically though, Zope permissions and security could be 
made a lot more usable. It's far too technically focused and this is the 
opinion of a few others as well. The whole ZMI interface could be put 
through a usability re-design to be honest and that's not even to 
contemplate the security areas.


The ZMI is well known to be geeky. For developers, by developers might 
be its motto. If you have some concrete suggestions, by all means put 
them forth. Patches are even better.


Anyway, ACLs are ACLs. And if you don't know what you're doing, you can 
get into trouble real fast. Ever tried managing file security on a 
Windows machine with ACLs?


CMF (this includes Plone) provides a way to manage this complexity: 
workflow states. Each workflow has a set of permissions it manages, and 
a setting of these for each state. This is much more easily comprehended 
than infinite fiddling with the ZMI Security tab.


Also, as I recall, there was a private plone site howto on plone.org; 
dunno what happened to it.


--jcc
--
Building Websites with Plone
http://plonebook.packtpub.com


Re: [Zope] Re: major problems placing authentication on an extranet site-security flaw?

2006-02-10 Thread Michael Vartanyan
In the very beginning of my Zope career, I once shot myself in the 
foot with a very stupid thing... I kept it to myself then but if we are 
talking about Zope security settings and usability of the ZMI at the 
same time, perhaps it is an ideal place to raise this issue.


If you use the famous manage_access page with all the checkboxes to set 
permissions on an object, it then calls manage_changePermissions using 
the POST method to apply your settings. The result is that 
http://your_object_url/manage_changePermissions (without any parameters) 
stays in your browser's visited URL history. Now imagine what happens if 
you click this URL by mistake while logged in as someone with the 'Change 
permissions' permission.


I guess changing the form method to GET is not going to be liked by 
browsers that put additional restrictions on URL length. So I would 
propose to introduce a basic request sanity check in the 
manage_changePermissions itself. I cannot think of any use for resetting 
all permissions and acquisition for everyone, so the easiest way to do 
that is to simply check that at least something exists in the form:


...
    def manage_changePermissions(self, REQUEST):
        """Change all permissions settings, called by management screen."""
        if len(REQUEST.form) < 2: raise ...
        self._isBeingUsedAsAMethod(REQUEST, 0)
        valid_roles=self.valid_roles()
        indexes=range(len(valid_roles))
        have=REQUEST.has_key
        permissions=self.ac_inherited_permissions(1)
        fails = []
...

or something like that.


J Cameron Cooper wrote:


michael nt milne wrote:

Well I said it was over and out but I have to respond to this latest 
post. I appreciate the help here and will be trying out some of the 
suggestions. Basically though, Zope permissions and security could be 
made a lot more usable. It's far too technically focused and this is 
the opinion of a few others as well. The whole ZMI interface could be 
put through a usability re-design to be honest and that's not even to 
contemplate the security areas.



The ZMI is well known to be geeky. For developers, by developers 
might be its motto. If you have some concrete suggestions, by all 
means put them forth. Patches are even better.


Anyway, ACLs are ACLs. And if you don't know what you're doing, you 
can get into trouble real fast. Ever tried managing file security on a 
Windows machine with ACLs?


CMF (this includes Plone) provides a way to manage this complexity: 
workflow states. Each workflow has a set of permissions it manages, 
and a setting of these for each state. This is much more easily 
comprehended than infinite fiddling with the ZMI Security tab.


Also, as I recall, there was a private plone site howto on 
plone.org; dunno what happened to it.


--jcc



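To make the failure mode in Michael Vartanyan's message concrete, an added example that is neither Zope's code nor the patch he sketches: a stand-in permission table and handler with the same checkbox semantics as the ZMI form, first unguarded and then behind an explicit sanity check, so a bare request can be seen wiping every setting and the guarded version refusing it. The class and function names, the roles, the permissions and the field names (modelled on the ZMI's p<perm>r<role> and a<perm> checkboxes) are assumptions for this example. The guard spells the check out as "POST only, and the form must carry its submit field", which is what the proposed length check approximates.

```python
from typing import Dict, List, Mapping, Set


class ForbiddenRequest(Exception):
    """Raised by the guarded handler when a request fails the sanity check."""


class PermissionStore:
    """One object's settings: permission -> roles granted it, plus an
    'acquire from parent' flag per permission. Stand-in, not Zope's classes."""

    def __init__(self, valid_roles: List[str], permissions: List[str]) -> None:
        self.valid_roles = list(valid_roles)
        self.permissions = list(permissions)
        self.roles_for: Dict[str, Set[str]] = {p: set() for p in permissions}
        self.acquire: Dict[str, bool] = {p: True for p in permissions}

    def snapshot(self) -> Dict[str, List[str]]:
        return {p: sorted(roles) for p, roles in self.roles_for.items()}


def change_permissions(store: PermissionStore, form: Mapping[str, str]) -> None:
    """Unguarded handler with checkbox-form semantics: a role keeps a
    permission only if its box 'p<perm>r<role>' was submitted, and
    acquisition only if 'a<perm>' was. A request that carries no form
    fields at all therefore means 'untick everything'."""
    for ip, perm in enumerate(store.permissions):
        store.roles_for[perm] = {
            role for ir, role in enumerate(store.valid_roles)
            if "p%dr%d" % (ip, ir) in form
        }
        store.acquire[perm] = ("a%d" % ip) in form


def guarded_change_permissions(store: PermissionStore, method: str,
                               form: Mapping[str, str]) -> None:
    """Same operation behind an explicit check: the request must be a POST
    and must carry the management form (its 'submit' field), so a bare URL
    revisited from the browser history never reaches the state change."""
    if method.upper() != "POST":
        raise ForbiddenRequest("permission changes must be submitted with POST")
    if "submit" not in form:
        raise ForbiddenRequest("request does not carry the management form")
    change_permissions(store, form)


def _fresh_store() -> PermissionStore:
    # Constructed starting point: Manager and Member may view, only Manager may edit.
    store = PermissionStore(["Manager", "Member", "Anonymous"],
                            ["View", "Modify portal content"])
    store.roles_for["View"] = {"Manager", "Member"}
    store.roles_for["Modify portal content"] = {"Manager"}
    return store


def demo() -> Dict[str, object]:
    """Run the scenarios and return what each leaves behind."""
    real_form = {"submit": "Save Changes", "p0r0": "on", "p0r1": "on", "p1r0": "on"}
    outcome: Dict[str, object] = {}

    store = _fresh_store()                     # 1. genuine submission, unguarded
    change_permissions(store, real_form)
    outcome["unguarded_real"] = store.snapshot()

    store = _fresh_store()                     # 2. bare URL from the history, unguarded
    change_permissions(store, {})
    outcome["unguarded_bare_url"] = store.snapshot()

    store = _fresh_store()                     # 3. same bare URL, guarded
    try:
        guarded_change_permissions(store, "GET", {})
        outcome["guarded_bare_url"] = "accepted"
    except ForbiddenRequest as err:
        outcome["guarded_bare_url"] = str(err)
    outcome["guarded_bare_url_state"] = store.snapshot()

    store = _fresh_store()                     # 4. POST with no form, guarded
    try:
        guarded_change_permissions(store, "POST", {})
        outcome["guarded_empty_post"] = "accepted"
    except ForbiddenRequest as err:
        outcome["guarded_empty_post"] = str(err)

    store = _fresh_store()                     # 5. genuine submission, guarded
    guarded_change_permissions(store, "POST", real_form)
    outcome["guarded_real"] = store.snapshot()
    return outcome
```

Scenario 2 is the accident described above: every role loses every permission and acquisition is switched off, with nothing in the request to say that was intended. The method check alone is what keeps a history click (always a GET) out; the form check is what the proposed `len(REQUEST.form)` test is reaching for. A POST can still be forged by a third-party page, so a per-session token on the form is the usual next step, but that is a separate problem from the one raised here.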