[Zope-dev] Methods with no __roles__ defined no always protected?

2000-08-21 Thread Chris Withers 

Hi,

Just doing Squishdot for 2.2 when I noticed the following:

The SquishSite class has a method called item_count() which is used on
one of the management pages. It currently isn't protected by any
permissions or __roles__ and yet it still works fine on the management
screen concerned.

I thought this sort of thing was supposed to throw up an unauthorized
error in 2.2?

cheers,

Chris

PS: It is now protected by a permission, but I can send anyone who cares
a version which isn't...

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] acquired methods and permissions

2000-08-21 Thread Chris Withers 

More questions from 2.2'ing Squishdot ;-)

If a method is acquired by an object, does it use any permissions
defined for that method in the object it's acquired from, or do you have
to specify the permissions in the acquiring object as well?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] attribute protection question

2000-08-21 Thread Chris Withers 

In the new security model is it just attributes that are methods that
are protected or is it all attributes?

For example, I have a lump of text in an Article class which is stored
in self.body.

Now, would I need body__roles__=None or somethign similar to be able to
do:

?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] zpatterns: how to invalidate the attributecache?

2000-08-21 Thread Jephte CLAIN 

"Phillip J. Eby" wrote:
> I don't see a need for a mass invalidation operation, just more
> documentation on these inner workings.  :)

or the lack of an attribute depencies mechanism :-)
if attribute x depends on attribute y from another generic attribute
provider, invalidation of y doesn't make y to be recomputed.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Methods with no __roles__ defined no always protected?

2000-08-21 Thread Toby Dickenson 

On Mon, 21 Aug 2000 12:15:24 +0100, Chris Withers <[EMAIL PROTECTED]>
wrote:
>The SquishSite class has a method called item_count() which is used on
>one of the management pages. It currently isn't protected by any
>permissions or __roles__ and yet it still works fine on the management
>screen concerned.
>
>I thought this sort of thing was supposed to throw up an unauthorized
>error in 2.2?

No, for two reasons:

Firstly, I assume your management page is a dtml file on disk, not a
dtml object stored in the ZODB. dtml files bypass *all* security
checks. 

Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
almost all high level objects) have the
__allow_access_to_unprotected_subobjects__ flag set. Your method would
be callable from through-the-web dtml too.


The basic rules of Zope security are fairly easy; its the exceptions
that cause the problems.

Toby Dickenson
[EMAIL PROTECTED]

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Methods with no __roles__ defined no always protected?

2000-08-21 Thread Chris Withers 

Toby Dickenson wrote:
> Firstly, I assume your management page is a dtml file on disk, not a
> dtml object stored in the ZODB. dtml files bypass *all* security
> checks.

That's nice :(

> Secondly, all objects that inherit from OFS.Item.SimpleItem (that is,
> almost all high level objects) have the
> __allow_access_to_unprotected_subobjects__ flag set. Your method would
> be callable from through-the-web dtml too.

Even though it now has a permission attached to it?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Unauthorized head hurting :(

2000-08-21 Thread Chris Withers 

Is there any way you can find out what, exactly (ie a traceback ;-) is
causing an unauthorized error?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] attribute protection question

2000-08-21 Thread Brian Lloyd 

> In the new security model is it just attributes that are methods that
> are protected or is it all attributes?

All attributes - methods just happen to be the most common 
case.


> Now, would I need body__roles__=None or somethign similar to 
> be able to
> do:
> 

Yes, or (better) associate the name of the attribute with 
a permission.


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Squish

2000-08-21 Thread Chris Withers 

...it was named appropriately ;-)

Right, this would probably be easier if you have a background knowledge
of Confera/Squishdot code, anyway...

there's two classes, SquishSite and Posting. They don't inherit from
each other, but postings are always contained in a SquishSite and
eveything is Acquisition.Implicit-inheriting.

Right, there's a whole host of methods:
def postingValues(self): 
def tpId(self): 
def tpURL(self): 
def this(self): return self 
def has_items(self): 
def desc_items(self): 

...that are implemented identically. So I thought 'why?' Why can't they
just be implemented in the SquishSite class and acquired by the
postings? 

So I commented them out... bad move :( Things that used desc_items, and
a dtml-tree that used postingValues suddenly started producing infinite
recusion errors and other weirdness. I think, instead of returning the
children like postingValues is supposed to, it just returned the
children of the Site object instead. very strange. Can you help explain?

(it seemed to me like the method was being acquired alright, but the
'self' being used was that of the object the method was acquired from
rather than object the method was being called on)

The code for the two methods of any substance (the rest are just things
like 'return self' and 'return self.id') is shown below.

cheers,

Chris

# protected by 'View' permission
def desc_items(self): 
# """ return latest list of replies """ 
mlist = [] 
mstack = Stack() 
if self.has_items(): 
plist = [] 
for id in self.ids: 
plist.append(id) 
plist.reverse() 
for id in plist: 
mstack.push(id) 
while not mstack.isEmpty(): 
item_id = mstack.pop() 
item = self.data[item_id] 
mlist.append(item) 
if item.has_items(): 
plist = [] 
for id in item.ids: 
plist.append(id) 
plist.reverse() 
for id in plist: 
mstack.push(id) 
return map((lambda x, p=self: x.__of__(p)), mlist) 

# protected by 'Manage Postings' permission
def postingValues(self): 
# """ return all replies """ 
return map(lambda x, p=self: x.__of__(p),
self.data.map(self.ids)) 

self.data is an IOBtree in the SquishSite object.
self.ids is an intSet in the SquishSite object.
(I think both are acquired by Posting objects)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] aq_inContextOf/can anyone explain this zmonitor log?

2000-08-21 Thread Bob Pepin 

Hi,
I just experienced some very weird behaviour from aq_inContextOf while I was
trying to get Cut and Paste to work (I had to trace to the whole security stuff
to do this, and read the C source for the acquisition stuff the figure out what
aq_inContextOf does of course... thanks for having such a great, consistent,
mature and well-documented design Zope-guys...)
oh, btw, Copy & Paste seems to work only for objects that have their User
Source at the / level because of the behaviour of inContextOf.

well, here's the log:

Python 1.5.2 (#5, Aug 10 2000, 15:45:20)  [GCC 2.95.2 19991024 (release)]
Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
Welcome to 
>>> import Zope
import Zope
>>> app=Zope.app()
app=Zope.app()
>>> iee=app.iee
iee=app.iee
>>> doc1=app.iee.doc1
doc1=app.iee.doc1
>>> doc1.aq_inContextOf(iee)
doc1.aq_inContextOf(iee)
0
>>> doc1.aq_inContextOf(app)
doc1.aq_inContextOf(app)
1
>>> doc1.aq_inContextOf(app.iee)
doc1.aq_inContextOf(app.iee)
0
>>> iee.doc1.aq_inContextOf(app.iee)
iee.doc1.aq_inContextOf(app.iee)
0
>>> iee.doc1.aq_inContextOf(iee)
iee.doc1.aq_inContextOf(iee)
1
>>> app.iee.doc1.aq_inContextOf(iee)
app.iee.doc1.aq_inContextOf(iee)
0
>>> app.iee.doc1.aq_inContextOf(app.iee)
app.iee.doc1.aq_inContextOf(app.iee)
0
>>> doc1.aq_inContextOf(iee)
doc1.aq_inContextOf(iee)
0
>>> doc1=iee.doc1
doc1=iee.doc1
>>> doc1.aq_inContextOf(iee)
doc1.aq_inContextOf(iee)
1
>>> doc1.aq_inContextOf(app.iee)
doc1.aq_inContextOf(app.iee)
0
>>> doc1=app.iee.doc1
doc1=app.iee.doc1
>>> doc1.aq_inContextOf(app.iee)
doc1.aq_inContextOf(app.iee)

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] attribute protection question

2000-08-21 Thread Chris Withers 

Brian Lloyd wrote:
> 
> > In the new security model is it just attributes that are methods that
> > are protected or is it all attributes?
> 
> All attributes - methods just happen to be the most common
> case.

Ah, okay, that makes life interesting :S
(although it does make more sense than just protecting methods ;-)

> > Now, would I need body__roles__=None or somethign similar to
> > be able to
> > do:
> > 
> 
> Yes, or (better) associate the name of the attribute with
> a permission.

Hmmm. Hence the problem with properties that meant OFS.Item.SimpleItem
had to have __allow_access_to_unprotected_subobjects__=1?

Can you not just assign roles to properties as they're created or am I
missing something else?

Well, related to this:

Is there any way I can find out what attribute is trying to be accessed
that is raising an exception?
I feel like I'm trying to find a needle in a haystack converting
Squishdot and I don't want to just wimp out and put 
__allow_access_to_unprotected_subobjects__=1 in all the classes :S

Any ideas?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] __ac_permissions__ question

2000-08-21 Thread Chris Withers 

If I define the following in an Article class (which subclasses
Posting):

__ac_permissions__ = Posting.__ac_permissions__ + (
('View', ['prev_item','next_item','showSummary','desc_items'],
('Anonymous', 'Manager')),
)

and Posting.__ac_permissions__ also defines a 'View' permission, which
methods are covered?

(the ones from Posting, the ones from Article or (hopefully) the union
of the two sets of methods)

cheers,

Chris

PS: If it's nto the union, how can I achieve this effect?

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: __ac_permissions__ question

2000-08-21 Thread Shane Hathaway 

Chris Withers wrote:
> 
> If I define the following in an Article class (which subclasses
> Posting):
> 
> __ac_permissions__ = Posting.__ac_permissions__ + (
> ('View', ['prev_item','next_item','showSummary','desc_items'],
> ('Anonymous', 'Manager')),
> )

You don't need to concatenate the permissions of the base classes. 
default__class_init__ will pick them up.

> 
> and Posting.__ac_permissions__ also defines a 'View' permission, which
> methods are covered?

Assertions made on a method in a subclass override the assertions made
in the base class.

I hope that's clear enough...

Shane

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Re: __ac_permissions__ question

2000-08-21 Thread Chris Withers 

Shane Hathaway wrote:
> > __ac_permissions__ = Posting.__ac_permissions__ + (
> > ('View', ['prev_item','next_item','showSummary','desc_items'],
> > ('Anonymous', 'Manager')),
> > )
> 
> You don't need to concatenate the permissions of the base classes.
> default__class_init__ will pick them up.

Now that I've got it in there ;-)

> > and Posting.__ac_permissions__ also defines a 'View' permission, which
> > methods are covered?
> 
> Assertions made on a method in a subclass override the assertions made
> in the base class.

Okay, Posting has the following list of methods for the 'view'
permission:
['date_posted','body_len','date_created','time_created','attachment','thread_path','index_html','showBody',
 
'desc_items','dupString','striptags','tpId','tpURL','this','has_items','thread','title','author','body',
  'email','subject']

Now, what I want to do is add the following methods to this list for the
Article class which subclasses Posting:
['prev_item','next_item','showSummary','desc_items']

How do I do that? 

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] aq_inContextOf/can anyone explain this zmonitor log?

2000-08-21 Thread Toby Dickenson 

On Mon, 21 Aug 2000 16:03:38 +0200, Bob Pepin <[EMAIL PROTECTED]> wrote:

Yeah, this is a good one. Theres some debate in the Collector about
whether this is actually a bug or not.

In short, aq_inContextOf checks for nested aquisition contexts. It
does *not* check for nested objects.  It will return zero if you pass
it parallel acquisition contexts, even if the objects are indeed
nested.

 iee=app.iee
>iee=app.iee

 iee.doc1.aq_inContextOf(iee)
>iee.doc1.aq_inContextOf(iee)
>1

This was what you expected

 iee.doc1.aq_inContextOf(app.iee)
>iee.doc1.aq_inContextOf(app.iee)
>0

Here the acquisition wrappers `iee` and `app.iee` are distinct
objects. 

Here is the full story, and a patch to get it to work the other way.

http://classic.zope.org:8080/Collector/1066/view

(This patch used to work, but ive not used it since it was submitted)



Toby Dickenson
[EMAIL PROTECTED]

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] intSet and the new security model

2000-08-21 Thread Chris Withers 

Hi,

Squishdot uses an intSet called 'thread' to store some information.
Items in this intSet are used in several DTML methods, for example:

/index_html#">Return to main thread

Now, in Zope 2.2 this throws an unauthorized error as show in the PS.

How can I make this go away in a non-hacky fashion?

cheers,

Chris

PS:



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] intSet and the new security model: solved with hack :(

2000-08-21 Thread Chris Withers 

Chris Withers wrote:
> Squishdot uses an intSet called 'thread' to store some information.
> Items in this intSet are used in several DTML methods, for example:
> 
>  >/index_html#">Return to main thread
> 
> Now, in Zope 2.2 this throws an unauthorized error as show in the PS.

I'ev solved this

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: intSet and the new security model: solved with hack :(

2000-08-21 Thread Chris Withers 

Chris Withers wrote:
> > Squishdot uses an intSet called 'thread' to store some information.
> > Items in this intSet are used in several DTML methods, for example:
> >
> >  > >/index_html#">Return to main thread
> >
> > Now, in Zope 2.2 this throws an unauthorized error as show in the PS.

I've solved this now by adding a method to SquishSite:

def getThread(self, index):
"""A nasty hack since intSet's became protected in Zope 2.2.0"""
return self.thread[index]

This is nasty 'cos it means everyone with old Squish Sites will haveto
change them :(

Anyone got anything better?

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Re: __ac_permissions__ question

2000-08-21 Thread Shane Hathaway 

Chris Withers wrote:
> Okay, Posting has the following list of methods for the 'view'
> permission:
> 
>['date_posted','body_len','date_created','time_created','attachment','thread_path','index_html','showBody',
> 
> 
>'desc_items','dupString','striptags','tpId','tpURL','this','has_items','thread','title','author','body',
>   'email','subject']
> 
> Now, what I want to do is add the following methods to this list for the
> Article class which subclasses Posting:
> ['prev_item','next_item','showSummary','desc_items']
> 
> How do I do that?

class Article:

  __ac_permissions__ = (
('View', ('prev_item', 'next_item', 'showSummary', 'desc_items')),
)

  ... etc ...

Globals.default__class_init__(Article)

This should work as expected.  Security assertions are inherited except
when overridden.

BTW did getSubject() solve your other problem?  I'm not sure irc is
going to work again.  "irc.openprojects.net" seems to be too busy.

Shane

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] attribute protection question

2000-08-21 Thread Brian Lloyd 

> Hmmm. Hence the problem with properties that meant OFS.Item.SimpleItem
> had to have __allow_access_to_unprotected_subobjects__=1?
> 
> Can you not just assign roles to properties as they're created or am I
> missing something else?

That's one way to do it - but it will require some thought 
to make sure we do it right. Having the "=1" assertion is 
a short-term solution intended to avoid breaking everyone's 
code for 2.2 while taking a step on the road to changing 
the default policy. I expect that it will soon make a 
distinction between properties and attributes that are not 
properties, which will be the next step on the road. I'd 
like to see this for 2.3, but I don't promise specific 
features for particular release numbers anymore :) 

I do want it to be Soon. My hope is that we'll release a 
2.x beta where:

  o far less things are available via the __allow_... hack

  o product authors and app builders will have auth problems 
because they're using attrs formerly covered by the hack

  o the new security assertion spelling from dev.zope.org will 
be available and make it much easier for people to go in 
and protect the problem attrs correctly :)

  o most if not all of the Zope core will be using the new 
assertion style, which will help the product authors along 
with the "guide" to making security assertions that will 
be a deliverable of that dev.zope.org project

  o we'll be one more step closer to where we want to be


Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Squishdot and Zope 2.2

2000-08-21 Thread Chris Withers 

Shane Hathaway wrote:
> > How do I do that?
> 
> class Article:
> 
>   __ac_permissions__ = (
> ('View', ('prev_item', 'next_item', 'showSummary', 'desc_items')),
> )
> 
>   ... etc ...
> 
> Globals.default__class_init__(Article)

Okay, I've changed it to that now :-)

> BTW did getSubject() solve your other problem?  

I don't think I got that bit ;-)

The subject issue was solved by mixing RoleManager into posting.
Does everything have to have RoleManager mixed in now? :S

Then there was the thread[0] intSet issue which was solved with a hacky
getThread() method.
*grumble* *grumble* why aren't intSet's done properly?!

cheers,

Chris

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: Squishdot and Zope 2.2

2000-08-21 Thread Shane Hathaway 

Chris Withers wrote:
> 
> Shane Hathaway wrote:
> > > How do I do that?
> >
> > class Article:
> >
> >   __ac_permissions__ = (
> > ('View', ('prev_item', 'next_item', 'showSummary', 'desc_items')),
> > )
> >
> >   ... etc ...
> >
> > Globals.default__class_init__(Article)
> 
> Okay, I've changed it to that now :-)
> 
> > BTW did getSubject() solve your other problem?
> 
> I don't think I got that bit ;-)

Add a getSubject() method which simply returns the subject, that way
you can protect getSubject() without any question of future
portability.

> The subject issue was solved by mixing RoleManager into posting.
> Does everything have to have RoleManager mixed in now? :S

Hmm, that worked huh?  :-/

> Then there was the thread[0] intSet issue which was solved with a hacky
> getThread() method.
> *grumble* *grumble* why aren't intSet's done properly?!

Hopefully you got the mail I sent to Brian and CC'd to you.  The
response is that we need to find a proper solution to the mutability
problem rather than open up intSet and BTree to an attack.  Actually,
in terms of OO purity, using a getThread() method is much better, so
what you did is *not* a hack.  :-)

Shane

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

RE: [Zope-dev] Re: __ac_permissions__ question

2000-08-21 Thread Brian Lloyd 

> > Assertions made on a method in a subclass override the 
> assertions made
> > in the base class.
> 
> Okay, Posting has the following list of methods for the 'view'
> permission:
> ['date_posted','body_len','date_created','time_created','attac
> hment','thread_path','index_html','showBody',
>  
> 'desc_items','dupString','striptags','tpId','tpURL','this','ha
> s_items','thread','title','author','body',
>   'email','subject']
> 
> Now, what I want to do is add the following methods to this 
> list for the
> Article class which subclasses Posting:
> ['prev_item','next_item','showSummary','desc_items']
> 
> How do I do that?

class Article(Posting):

  __ac_permissions__ = (
  ('View', 
('prev_item','next_item','showSummary','desc_items'),
('Anonymous', 'Manager')),
)


It may be helpful to think of it this way:

  - the class that defines an attribute/method is responsible 
for protecting it (declaring it in a permission or with 
other security assertions)

  - a class doesn't have to worry about assertions made by 
its base classes (the base classes will have worried 
about the attrs they defined)

  - any class that defines security info must be initialized 
with default__class_init__ for the right thing to happen.


Note that the only time you really have to care about what 
your base classes did is if you need to redefine the 
permission used cover an inherited attribute. For ex:

  
class Posting:
  # doAction_A is under view permission
  __ac_permissions__ = (
  ('View', ('doAction_A',), ('Anonymous', 'Manager')),
)

  def doAction_A(self):
...


class Article(Posting):

  # For Articles, I want doAction_A to be under the 'Spam'
  # permission. 
  __ac_permissions__ = (
  ('View', ('doAction_B',), ('Anonymous', 'Manager')),
  ('Spam', ('doAction_A',), ('Anonymous', 'Manager')),
)

Hope this helps!

Brian Lloyd[EMAIL PROTECTED]
Software Engineer  540.371.6909  
Digital Creations  http://www.digicool.com 



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Fighting with ZServer

2000-08-21 Thread Dieter Maurer 

Since this afternoon, I am fighting with ZServer.
Currently, it seems Zserver is winning 
I do not understand, what I see...

At work: Zope 2.1.6, Sparc Solaris 2.7, Linux Netscape 4.51

  Sometimes, images are not shown by Netscape (broken image).
  No "simple" reload is able to change this, however a "forced" reload
  lets Netscape show the image correctly.
  From then on, the image is always shown correctly: by "simple" reload,
  "forced" reload or directly (served from cache).

  The strange thing, inside "Image.index_html" the failing
  "simple" reload and the succeeding "forced" reload look
  completely identical.


At home: Zope 2.1.6, Intel Linux 2, Linux Netscape 4.5

  All images are always shown correctly.
  However, there is no log entry in "var/Z2.log" for
  about 50 % of the requests that are answered by
  a 304 response. It is non-deterministic whether
  a log entry is written or not.


Did you ever see something like this?


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] ZServer logging bug (was: Fighting with ZServer)

2000-08-21 Thread Dieter Maurer 

Dieter Maurer writes:
 > Since this afternoon, I am fighting with ZServer.
 > 
 > 
 > At home: Zope 2.1.6, Intel Linux 2, Linux Netscape 4.5
 > 
 >   All images are always shown correctly.
 >   However, there is no log entry in "var/Z2.log" for
 >   about 50 % of the requests that are answered by
 >   a 304 response. It is non-deterministic whether
 >   a log entry is written or not.

This is partially analysed:

 ZServer looses log entries, when its client closes the
 connection too fast.

 On my linux machine, ZServer looses all log entries, when 
 it answers requests with code 304 to a local httplib
 client that immediately deletes the reply after
 "getreply".

 ZServer uses a "producers.hooked_producer" for logging.
 Such a producer calls its hook function when the primary
 producer runs out of data. The hook function performs
 the logging.

 When the client closes its socket immediately, then,
 probably, not all data of the producer is consumed and
 the hook function is not called --> no log entry.


The problem occurs in Zope 2.1.6 and Zope 2.2.1b1 (CVS 2000-8-19).

Apparently, the problem is not restricted to code 304.
Requests answered with code 404 (not found) seem to be
affected, too.


Dieter

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] LoginManager.

2000-08-21 Thread Bill Anderson 

Terje Malmedal wrote:
> 
> Can anybody please provide a simple example of a working usersource
> written in python?


Look at the UserSource source for LoginManager and Membership.

--
Do not meddle in the affairs of sysadmins, for they are easy to annoy,
and have the root password.

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: [Zope] Looping through a folder's contents...

2000-08-21 Thread Andrew Kenneth Milton 

+---[ [EMAIL PROTECTED] ]--
| What would the "Recurse_Subfolder" method do?
| 
| > 
| >  
| > 
| > 

That *is* Recruse_Subfolder :-)

-- 
Totally Holistic Enterprises Internet|  P:+61 7 3870 0066   | Andrew Milton
The Internet (Aust) Pty Ltd  |  F:+61 7 3870 4477   | 
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068|[EMAIL PROTECTED]| 

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

[Zope-dev] Re: [Zope] Looping through a folder's contents...

2000-08-21 Thread jiva 

What would the "Recurse_Subfolder" method do?

On Mon, Aug 21, 2000 at 04:12:05PM +1000, Andrew Kenneth Milton wrote:
> +---[ [EMAIL PROTECTED] ]--
> | I would like to loop through the contents of a folder, and the
> | contents of the subfolders of that folder.  I know I can do this to a
> | singular level by doing something like:
> | 
> | 
> | 
> | 
> | 
> | Should give me a list of the titles of all the subfolders of the
> | folder called "subfolder".  So, once I get there, how do I loop
> | through the subobjects of each of those folders?
> | 
> | In other words, I have a subfolder inside of the folder called
> | "subfolder" and I want to see the contents of that folder.  How do I
> | do it?
> 
> I'll give you the general case for 'all' folders:-
> 
> Make a Method...  Recurse_SubFolder.
> 
> 
>  
> 
> 
> 
> 
> 
> 
> 
> You can obviously expand this to also take a 'type' for objectValues,
> and pass the namespace etc.
> 

-- 
A homeowner's reach should exceed his grasp, or what's a weekend for?

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )