[Zope-dev] MethodsArgumentsValidation Proposal

2001-11-12 Thread Ivan Raikov


Hello,

   I've created a proposal on dev.zope.org, regarding method
argument validation -- an extension to Zope's security framework,
which would allow for validating method arguments before they are
passed to the actual methods. This will simplify things such as HTML
form validation, etc.

   You can read the proposal at:
http://dev.zope.org/Wikis/DevSite/Proposals/MethodArgumentsValidation 


  -Ivan Raikov

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )



Re: [Zope-dev] Hookable Parameter Checking

2001-11-12 Thread Ivan Raikov


> Now that's a brilliant idea :-)
> Could you stick that in a Proposal and get it implemented? I'd love to use it...

  Write a proposal -- yes. Get it implemented -- I'll try :-)

> Ah, but surely the hookable method you propose could be used to doing any
> filtering required. This'd be my idea:
>
>  param1 = kw.get('param1','')
>  param1 = coerce(param1,'html',tags=self.allowed_tags)
>  return ((),{'param1':param1})

   Hm, I've never thought of using coerce for that purpose; I've
always thought it's used only for math operations... Anyway, when I
proposed the filter methods, I meant that we can still use the hook
mechanism, but provide a number of pre-defined, stock methods that
people can use (kinda like the __coerce__ methods from your example). 

> I just have a feeling that it might make your app crawl though :-(

  Hey, I never said it'll be fast 8-) But seriously, while I don't
know how fast Python filtering would be, if there are any performance
issues, I think a primitive HTML parser written in C can take care of
most of them.




Re: [Zope-dev] Stripogram or similar in core

2001-10-29 Thread Ivan Raikov


   So, in this validation framework, do you envision having a
parameter-validating routine being invoked whenever a publicly-exposed
method is called by DTML methods, or did you want to focus on mere
HTML form validation/stripping?

  I'm asking because I've had situations when I've needed the
ability to restrict access to methods based on the values of their
parameters -- that's a little more fine-grained than the current
security machinery allows. I've always thought that it might be nice
to provide a hook for each method in a Zope class (similar to
declarative security statements), and to use this hook to validate the
parameters, according to the needs of the user.

  For string parameters, perhaps we can also have the ability to
specify a "filter" -- something like a search and replace statement,
with Sed-like syntax.

"Andy" <[EMAIL PROTECTED]> wrote:
> That depends where you do the checking; yes, HTML validation in just a form
> is not as secure as checking at the application level. What I am suggesting
> is adding the HTML validation framework into the core of Zope so people can
> add checking to any level of their application as they wish. Making a
> standard interface to this gives the developer a chance to put the checking
> in at the level they choose.

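An added example, not code from the proposal, from Zope, or from either poster, of the hook mechanism discussed in this message and the two preceding ones: a per-method validation hook that sees the call's bound arguments before the method body does, can rewrite a string parameter through a tag-whitelist "filter", and can refuse the call outright based on a parameter's value (the finer-than-permission check described above). `validated_by`, `TagWhitelistFilter`, `Document`, `Unauthorized` and the tag list are assumptions for illustration, and the filter uses Python's `html.parser` rather than the C parser suggested above.

```python
# Added example for the Zope-dev thread above; not code from the proposal,
# from Zope, or from either poster. Names below (validated_by,
# TagWhitelistFilter, Document, Unauthorized) are assumptions for illustration.
import inspect
from functools import wraps
from html import escape
from html.parser import HTMLParser


class Unauthorized(Exception):
    """Raised by a hook that refuses a call because of an argument's value."""


class TagWhitelistFilter(HTMLParser):
    """Re-emit HTML keeping only whitelisted tags. Attributes are dropped
    entirely (so on*= handlers and javascript: URLs go too), and all text,
    including the body of a dropped <script> block, is escaped."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed}
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in self.allowed:
            self.out.append("<%s>" % tag.lower())

    def handle_endtag(self, tag):
        if tag.lower() in self.allowed:
            self.out.append("</%s>" % tag.lower())

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        return "".join(self.out)


def strip_tags(value, allowed=("b", "i", "p")):
    """Filter a string parameter down to the allowed tags."""
    f = TagWhitelistFilter(allowed)
    f.feed(value)
    return f.result()


def validated_by(hook):
    """Attach a validation hook to a method. Before the body runs, the call's
    arguments are bound to their parameter names and passed to
    hook(self, params); the hook returns the (possibly rewritten) params or
    raises. Binding first means the hook also sees positional arguments, and
    unknown or missing parameters are rejected with TypeError."""
    def deco(fn):
        sig = inspect.signature(fn)

        @wraps(fn)
        def wrapper(self, *args, **kw):
            bound = sig.bind(self, *args, **kw)
            bound.apply_defaults()
            params = dict(bound.arguments)
            params.pop("self")
            params = hook(self, params)
            return fn(self, **params)
        return wrapper
    return deco


class Document:
    """Toy content object standing in for a Zope SimpleItem."""
    allowed_tags = ("b", "i", "p")

    def __init__(self, owner):
        self.owner = owner
        self.body = ""

    def _check_body(self, params):
        # Filter hook: rewrite the string parameter before the method sees it.
        if len(params["body"]) > 10_000:
            raise ValueError("body too long")
        params["body"] = strip_tags(params["body"], self.allowed_tags)
        return params

    @validated_by(_check_body)
    def set_body(self, body=""):
        self.body = body
        return self.body

    def _check_delete(self, params):
        # Access hook: decide on the value of a parameter, which a per-method
        # permission cannot express.
        if params["user"] != self.owner:
            raise Unauthorized("only %s may delete" % self.owner)
        return params

    @validated_by(_check_delete)
    def delete(self, user=None):
        return "deleted by %s" % user
```

The hook runs on bound parameters rather than on the raw keyword dict so that a caller cannot bypass a filter by passing the same value positionally, and so that extra form fields the method does not declare are rejected instead of silently ignored.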



[Zope-dev] Problems with permissionsOfRole in Zope 2.3.x

2001-10-09 Thread Ivan Raikov


Hello,

I have a Folder-like object, which inherits ObjectManager and
PropertyManager, in addition to the acquisition and persistence
classes, and inside I have an instance of a class which is a direct
descendant of SimpleItem.

In the SimpleItem-like object, I have a method, let's call it
'test', which is protected by permission 'TestItem' (via a declarative
security statement). In addition, the entire object is covered by
permission 'Access TestItem', and the parent folder-like object is
covered by permission 'Access Test'. Both of the access permissions
are visible to the anonymous user.

  A sample implementation of those classes can be found at:

http://www.prism.gatech.edu/~gte085h/zope

  Suppose now I create an instance of the Test folder, and inside
I put a user folder and a TestItem instance. I also create a role,
'TestRole' which is comprised of the 'TestItem' permission. Then I
create a user which has only 'TestRole'.

 Next, I log in as this user, and I attempt to access the method
'test' in my TestItem instance. This attempt succeeds, so I'm
presuming the Zope authentication machinery has successfully
determined the roles and permissions of this user, and the permissions
on the method I'm trying to access.

Now let's try to access method 'permissions'. Defined in the
folder-like class Test, this method uses permissionsOfRole to display
all permissions given to a certain user. What it should show upon
invocation is the permission 'TestItem', since this is the only
permission our user has been given, but instead it doesn't show
anything, because permissionsOfRole returns an empty set of
permissions.


On the other hand, if one creates a DTML form that invokes
permissionsOfRole (or uses the one in manage_access), the correct
permissions are displayed. Can anyone venture to guess where the
problem is here?

Thanks,
Ivan Raikov
  




Re: [Zope-dev] Vulnerability: attacking can get file list and directory

2001-09-24 Thread Ivan Raikov

   
   Why not use logrotate, similarly to how you handle the Apache
logs? Or set a cron job to clear the logs, if you don't like logrotate...

[EMAIL PROTECTED] writes:

> On a high-traffic site, wouldn't the log get really big, really quickly with
> tracebacks?  It is also nice to have the tracebacks in the browser window
> for debugging... 




[Zope-dev] Custom Login

2001-09-24 Thread Ivan Raikov


Hello, 

   Recently, I had to replace ZPublisher's default
authentication scheme, as part of a product I'm working on. I am aware
of the existence of LoginManager, exUserFolder, etc., but in this case
I needed to have a custom login screen at root level, i.e. completely
get rid of the basic HTTP authentication and browser popup window.

So I replaced some of the HTTPRequest and HTTPResponse methods in
order to present the user an HTML form whenever an 'Unauthorized'
exception is raised.

While I'm sure such an issue has arisen hundreds of times, somehow
I was unable to find a product or a How-To that specifically addresses
it, which means either I don't know how to browse the Web, or nobody
has bothered to document their knowledge in the area.

So I went ahead and created a simple Zope product that, upon
installing, makes the necessary changes in HTTPRequest and
HTTPResponse (HotFix style), so that cookie-based, HTML form login
replaces the default one.

For the curious, the product can be found at
http://www.prism.gatech.edu/~gte085h/zope/CustomLogin/


In regards to this product, I've been pondering some questions
that I'd like to be answered by knowledgeable people, if 
possible:  

   1. Is there a product that makes the changes I described,
  and where can I find it?

   2. Does anyone think it's a good idea to provide some kind
  of a standardized API for replacing ZPublisher's
  authentication?

   3. If a user attempts to access a resource,  and is denied
  access, my modified HTTPResponse simply redirects to the
  login form, without bothering to record the URL the user
  originally tried to access (which can be a bad or a good
  thing, I suppose). Is there any way for an HTTPResponse
  instance to find out the URL of its HTTPRequest?

   4. Not entirely related to this topic, but I noticed that
  the ChannelPipe class, used for communication between
  ZServer and ZPublisher, serves only one object instance
  at a time. What would be some practical difficulties in
  changing this class to serve multiple HTTPResponse
  instances? 

Finally, after noticing the ongoing discussion about the error
HTML contents produced by ZPublisher upon an exception, I'd like to point
out that it's extremely trivial to replace HTTPResponse._error_html
and provide either custom behavior (e.g. sending email to the
administrator), or custom HTML code, whether loaded from a file or
hardcoded. Is anyone interested in me writing a How-To on this topic?
The product I described above already does that, so it would be
rather easy for me to put together some documentation, provided that
nobody has bothered to write any. Let me know...


   Sincerely,
   Ivan Raikov

   

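An added example, not the CustomLogin product's code or Zope's, of the login flow the message describes and of the redirect question in point 3: an Unauthorized turns into a redirect to an HTML form that carries the originally requested URL as `came_from`, and the form handler checks the password, sets a signed cookie and sends the user back. Requests and responses are modelled as plain dicts so it runs offline; the cookie name, the form field names, the `/login_form` path and the site host are assumptions. `safe_came_from` is the check a practitioner would add before recording the original URL, so that the login form cannot be used as an open redirector.

```python
# Added example for the Custom Login message above; not code from the
# CustomLogin product or from Zope. Cookie and form field names, the
# /login_form path and the site host are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlsplit

SESSION_TTL = 3600      # seconds a login cookie stays valid
COOKIE_NAME = "__ac"


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-SHA256; the user table stores (salt, hash), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_user_db(plain):
    """Build a constructed sample user table {name: (salt, pbkdf2_hex)}."""
    db = {}
    for name, pw in plain.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, hash_password(pw, salt))
    return db


def check_password(db, name, password):
    entry = db.get(name)
    if entry is None:
        hash_password(password, b"\0" * 16)   # same cost for unknown users
        return False
    salt, stored = entry
    return hmac.compare_digest(hash_password(password, salt), stored)


def sign_session(user, key, now=None):
    """Cookie value 'user|expiry|hmac': stateless, so no server-side session."""
    exp = int((time.time() if now is None else now) + SESSION_TTL)
    msg = "%s|%d" % (user, exp)
    mac = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return "%s|%s" % (msg, mac)


def verify_session(cookie, key, now=None):
    """Return the user name, or None if the cookie is missing, forged or expired."""
    try:
        user, exp, mac = cookie.rsplit("|", 2)
        expected = hmac.new(key, ("%s|%s" % (user, exp)).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        if int(exp) < (time.time() if now is None else now):
            return None
        return user
    except (ValueError, AttributeError):
        return None


def safe_came_from(came_from, site_host):
    """Allow only same-site targets for the post-login redirect, so the login
    form cannot be abused as an open redirector; anything else becomes '/'."""
    if not came_from or "\\" in came_from or any(ord(c) < 32 for c in came_from):
        return "/"
    parts = urlsplit(came_from)
    if (parts.scheme or parts.netloc) and parts.netloc.lower() != site_host.lower():
        return "/"
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return "/"
    return path + ("?" + parts.query if parts.query else "")


def unauthorized(request_url, site_host):
    """Replacement for 401 + WWW-Authenticate (the browser popup): redirect to
    the HTML form and carry the originally requested URL as came_from."""
    target = safe_came_from(request_url, site_host)
    return {"status": 302,
            "headers": {"Location": "/login_form?" + urlencode({"came_from": target})}}


def login_submit(form, db, key, site_host):
    """Handle the POSTed form: a wrong password goes back to the form, a good
    one sets the signed cookie and returns the user to where they started."""
    name = form.get("__ac_name", "")
    if not check_password(db, name, form.get("__ac_password", "")):
        return {"status": 302, "headers": {"Location": "/login_form?failed=1"}}
    cookie = "%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % (
        COOKIE_NAME, sign_session(name, key))
    return {"status": 302,
            "headers": {"Location": safe_came_from(form.get("came_from"), site_host),
                        "Set-Cookie": cookie}}
```

The cookie carries its own expiry under the HMAC, so a captured value stops working after SESSION_TTL and cannot be edited to extend it; `came_from` is validated both when it is recorded and again when it is consumed, because the value arrives back in a POST body the attacker controls.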



[Zope-dev] ZServerSSL trouble

2000-05-31 Thread Ivan Raikov


Greetings,

I just installed ZServerSSL, but when I try to access the https server,
I get the following:

Traceback (innermost last):
  File "/home/ivan/src/Zope-2.1.6-src/z2s.py", line 681, in ?
    asyncore.loop()
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 115, in loop
    poll_fun (timeout)
  File "/home/ivan/src/Zope-2.1.6-src/ZServer/medusa/asyncore.py", line 62, in poll
    (r,w,e) = select.select (r,w,e, timeout)
ValueError: filedescriptor out of range in select()

I don't know enough about Zope innards, so I was wondering if someone
can explain when such a situation can occur. I also noticed that the
lists (or tuples) r and w get their values from an object called
`socket_map', so I'd like to know what the purpose of this object is,
and where it is initialized.

Regards,
Ivan Raikov
