[web2py] Which is faster?
I have a table 'x' with Field('z'), which is set via a multiselect. The value will be a string like '|1|2|3|5|8|'. These correspond to the ids of another table 'z'. I'm trying to figure out which would be a faster search:
1) use the 'like' operator to match the db.z.id stored in the x.z field or
2) first, parse x.z and then create a many-to-many table foo, which stores x.id and z.id in order to link the x and z tables. Then, do a
    db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id)))
Obviously, the storage overhead of 1 is lower. But is there going to be any significant speedup from 2?
[web2py] Re: calling secured function from cron
why should I put there? I have a logging function defined in models/log.py. It works correctly, I think. You want request.client? So when I call by hand it gives 127.0.0.1, when it is from Cron it gives None but only if the function is NOT secured. When it is secured it is not called properly and gives an error:
    Traceback (most recent call last):
      File "web2py.py", line 20, in <module>
        gluon.widget.start(cron=True)
      File "/myapp/web2py/gluon/widget.py", line 759, in start
        import_models=options.import_models, startfile=options.run)
      File "/myapp/web2py/gluon/shell.py", line 174, in run
        exec ('print %s()' % f, _env)
      File "<string>", line 1, in <module>
      File "/myapp/web2py/gluon/tools.py", line 2116, in f
        '?_next='+urllib.quote(next))
      File "/myapp/web2py/gluon/http.py", line 104, in redirect
        Location=location)
    gluon.http.HTTP
[web2py] Re: Which is faster?
I have done some tests in the past. On sqlite the like operator is slow, slower than the join.
On 30 Jun, 01:38, weheh richard_gor...@verizon.net wrote:
I have a table 'x' with Field('z'), which is set via a multiselect. The value will be a string like '|1|2|3|5|8|'. These correspond to the ids of another table 'z'. I'm trying to figure out which would be a faster search:
1) use the 'like' operator to match the db.z.id stored in the x.z field or
2) first, parse x.z and then create a many-to-many table foo, which stores x.id and z.id in order to link the x and z tables. Then, do a
    db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id)))
Obviously, the storage overhead of 1 is lower. But is there going to be any significant speedup from 2?
[web2py] Re: WordPressClone/PyPress GAE fix
I'd prefer a web2py solution, of course, but meanwhile I'm planning to use Micolog http://micolog.appspot.com/en_us/main. Micolog is currently the most actively developed Python blog for GAE, with the most features that work out of the box (easy themes and plugins, for example). The developers are almost all Chinese, but Google Translate is somewhat helpful...
On Jun 26, 8:52 am, mdmcginn michael.d.mcgin...@gmail.com wrote:
I deployed Pypress (based on Wordpress Clone) for Google App Engine at http://writers-ear.appspot.com/earblog/ but it's still horribly slow:
    06-26 06:27AM 23.966 /earblog 200 5275ms 661cpu_ms 467api_cpu_ms 2kb
Any suggestions, or should I try another GAE blog solution? I'm now an owner of http://code.google.com/p/pypress4gae/ and http://github.com/mdmcginn/pp4gae, so if anybody else wants to work on this project, contact me. I've made it more compatible with the latest Wordpress theme (http://2010dev.wordpress.com/) but I won't continue if it can't be sped up.
On Jun 26, 6:47 am, mdmcginn michael.d.mcgin...@gmail.com wrote:
Correction: the owner of pp4gae has just contacted me, saying he has stopped working on this project since last update and has given up on further work. Too bad. I have cloned the project at http://github.com/mdmcginn/pp4gae/ and have asked him if he could make me the owner of his Google Code project. Not that I know what I'm doing, but I could add competent coders as owners and could continue the project that way. Unless someone plans to release the blog code from KPAX soon...
On Jun 26, 5:32 am, mdmcginn michael.d.mcgin...@gmail.com wrote:
molhokwai, note that we have both filed issues at Google Code, but we shouldn't have. The pp4gae project has moved to Github: http://github.com/zrenx/pp4gae
On Jun 22, 10:38 am, molhokwai molhok...@gmail.com wrote:
A reply to the message I saw while in a google search for pypress... Saw it on osdir.com (I'm sent in a redirection loop when I try to access the web2py-users group). Arghh... would have eventually saved me time if I had found out about the pypress for gae project... But we can merge and have an even better app (if there is anything interesting to merge, from my code)... Voilà.
-- *M*ayou *N*kensa *P*enda *N*gué - *H*ervé +32 489 33 71 51, molhok...@gmail.com, skype:molhokwai http://www.google.com/profiles/molhokwai
On Tue, Jun 15, 2010 at 11:12 AM, molhokwai molhok...@gmail.com wrote:
Hello there... Implemented fixes to run PyPress on GAE (See http://www.molhokwai.net/blog for how it's working...). Code fixes attached, and complete .w2p app also. Thanks all.
[web2py] form.custom: form.hidden_fields() no formkey
I created a form with
    form = form_factory(
        Field('role', requires = IS_NOT_EMPTY(), label="Name"),
        Field('description', 'text')
    )
and rendered it with
    {{=form.custom.begin}}
    <div id="create_group">
    <h3>Description</h3>
    <table id='main_frm'>
      <tr> <th>Name</th> <td><div>{{=form.custom.widget.role}}</div></td> </tr>
      <tr> <th>Description</th> <td><div>{{=form.custom.widget.description}}</div></td> </tr>
    </table>
    <h3>Select Members</h3>
    {{=select_members_table}}
    <input type="submit" value="Create Group" name='submit'/>
    {{=form.hidden_fields()}}
    {{=form.custom.end}}
    </div>
Now I would expect form.hidden_fields() to render the formkey, but it does not, it just renders
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
(yes twice, no clue why). Did I miss something?
[web2py] Re: form.custom: form.hidden_fields() no formkey
just found out that http://www.web2py.com/AlterEgo/default/show/205 is WRONG
    {{=form.hidden_fields()}}
    {{=form.custom.end}}
do not play well together, just using {{=form.custom.end}} will do the trick, would be nice to change http://www.web2py.com/AlterEgo/default/show/205
On Jun 30, 11:47 am, selecta gr...@delarue-berlin.de wrote:
I created a form with
    form = form_factory(
        Field('role', requires = IS_NOT_EMPTY(), label="Name"),
        Field('description', 'text')
    )
and rendered it with
    {{=form.custom.begin}}
    <div id="create_group">
    <h3>Description</h3>
    <table id='main_frm'>
      <tr> <th>Name</th> <td><div>{{=form.custom.widget.role}}</div></td> </tr>
      <tr> <th>Description</th> <td><div>{{=form.custom.widget.description}}</div></td> </tr>
    </table>
    <h3>Select Members</h3>
    {{=select_members_table}}
    <input type="submit" value="Create Group" name='submit'/>
    {{=form.hidden_fields()}}
    {{=form.custom.end}}
    </div>
Now I would expect form.hidden_fields() to render the formkey, but it does not, it just renders
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
(yes twice, no clue why). Did I miss something?
[web2py] Re: web2py with AppStats
I've added an appengine_config.py file in a comment to that blog post, since AppStats didn't work for me without it. Guido van Rossum (who wrote AppStats) says, it adds some overhead to your application.
On Jun 29, 8:27 pm, Richard richar...@gmail.com wrote:
neat! Does AppStats add much overhead? If not it would be good to commit that gaehandler.py change to trunk.
On Jun 30, 3:30 am, PanosJee panos...@gmail.com wrote:
if you are on GAE it's to have AppStats on it's quite easy http://blog.socialcaddy.com/appstats-for-web2py-0
[web2py] Re: form.custom: form.hidden_fields() no formkey
1) Do not use form.hidden_field() since that is called automatically
2) the formkey should be added when you call form.accepts(...,session). If you do not pass session, no formkey.
On 30 Jun, 04:59, selecta gr...@delarue-berlin.de wrote:
just found out that http://www.web2py.com/AlterEgo/default/show/205 is WRONG
    {{=form.hidden_fields()}}
    {{=form.custom.end}}
do not play well together, just using {{=form.custom.end}} will do the trick, would be nice to change http://www.web2py.com/AlterEgo/default/show/205
On Jun 30, 11:47 am, selecta gr...@delarue-berlin.de wrote:
I created a form with
    form = form_factory(
        Field('role', requires = IS_NOT_EMPTY(), label="Name"),
        Field('description', 'text')
    )
and rendered it with
    {{=form.custom.begin}}
    <div id="create_group">
    <h3>Description</h3>
    <table id='main_frm'>
      <tr> <th>Name</th> <td><div>{{=form.custom.widget.role}}</div></td> </tr>
      <tr> <th>Description</th> <td><div>{{=form.custom.widget.description}}</div></td> </tr>
    </table>
    <h3>Select Members</h3>
    {{=select_members_table}}
    <input type="submit" value="Create Group" name='submit'/>
    {{=form.hidden_fields()}}
    {{=form.custom.end}}
    </div>
Now I would expect form.hidden_fields() to render the formkey, but it does not, it just renders
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
    <div class="hidden"><input name="_formname" type="hidden" value="no_table_create" /></div>
(yes twice, no clue why). Did I miss something?
Re: [web2py] Re: OAuth and Web2Py Tutorial
Nice :) In the article you used python-oauth2. As an alternative, if you want to use it with twitter, you can use tweepy. It adds client functions. http://joshthecoder.github.com/tweepy/docs/index.html Regards!
On Tue, Jun 22, 2010 at 10:24 AM, Mathieu Clabaut mathieu.clab...@gmail.com wrote:
Nice.. Thank you for sharing!
On Mon, Jun 21, 2010 at 18:45, mdipierro mdipie...@cs.depaul.edu wrote:
+1
On Jun 21, 10:44 am, Doug Warren doug.war...@gmail.com wrote:
I wrote a small tutorial on how to use OAuth with web2py by linking a session with a Twitter account. A future update will include embedding the access token with auth and creating an oauth login_method class. It can be found at http://dougwarren.org/2010/06/oauth-and-web2py-part-1/
[web2py] problem with global variables
hi together, i need help to solve this problem: i have a global variable in the model like:
    test = None
    def changingtest():
        global test
        test = 5
        return None
how can i access to the variable test in every controller function? thanks for your fast help peter
[web2py] Re: Problem trying to insert an image with CKEditor and SQLFORM
I now have a workaround, but I don't like it very much. By checking the length of request.vars before calling form.accepts(), I can force the request formkey to match the session formkey, e.g.
    if len(request.vars):
        request.vars._formkey = session['_formkey[page_create]']
    if form.accepts(request.vars,session):
        ... etc ...
The unwanted submit from the CKEditor image dialog is still occurring, but forcing the keys to match when there's a real submit is avoiding the failure in form.accepts(). I don't like it as a solution because:
1. It relies on knowledge of web2py's internal form naming conventions.
2. It only works if the unwanted submit has an empty request.vars
3. I suspect I may be defeating the purpose of the formkey and possibly creating a security hole.
Is there a better way? thanks, Mike
On Jun 29, 6:10 pm, MikeEllis michael.f.el...@gmail.com wrote:
This one still has me stumped so I'm taking the liberty of adding some more info to make it current in the discussions. As I noted in the earlier post, the problem has to do with CKEditor's image insertion dialog somehow triggering a form submission. This is really puzzling, because the link insertion dialog is nearly identical but doesn't trigger a submit. Below is a modified version of the index function with some write statements to print the request vars and session formkeys. Any help much appreciated!
    def index():
        form = SQLFORM(db.page, showid=False,keepvalues=True)
        sys.stderr.write("\n\nsession formkey: %s"%session['_formkey[page_create]'])
        sys.stderr.write("\nrequest.vars:%s"%repr(request.vars))
        if form.accepts(request.vars,session):
            response.flash = "Form accepted"
            redirect(URL(r=request,f="show"))
        elif form.errors:
            response.flash = "Uh-oh!"
        else:
            response.flash = "Fill out the form"
        sys.stderr.write("\n%s\n"%response.flash)
        return dict(form=form)
So when I visit the index page and use the CKEditor to insert a link, I see the following output in the console.
    (initial display)
    session formkey:bf5ec584-0ec9-4e74-90ff-ba53971ea2f5
    request.vars:<Storage {}>
    Fill out the form
    (after inserting link, clicking ok to insert dialog, then clicking submit)
    session formkey:f95327b1-6152-4fb3-abd2-00444c9cc298
    request.vars:<Storage {'body': '<p>\r\n\t<a href="http://web2py.com/book/static/tree.jpg">link</a></p>\r\n', '_formkey': 'f95327b1-6152-4fb3-abd2-00444c9cc298', '_formname': 'page_create'}>
If I try the same thing except that this time I insert an image, I get an extra submit and the session formkey gets out of sync with the request.vars formkey.
    (initial display)
    session formkey:76e5e1fe-365c-401d-aaac-f2a751c8873e
    request.vars:<Storage {}>
    Fill out the form
    (after inserting image and clicking ok in dialog)
    session formkey:a143b2f1-bc5c-41b0-90e6-ef01fdc8e913
    request.vars:<Storage {}>
    Fill out the form
    (after clicking Submit)
    session formkey:9ee58f15-c1cd-4fa1-8766-b69b9a4478ac
    request.vars:<Storage {'body': '<p>\r\n\t<img alt="" src="http://web2py.com/book/static/tree.jpg" style="width: 401px; height: 500px;" /></p>\r\n', '_formkey': 'a143b2f1-bc5c-41b0-90e6-ef01fdc8e913', '_formname': 'page_create'}>
    Fill out the form
The formkeys don't match, so form.accepts fails and the data never gets into the table. Thanks, Mike
On Jun 21, 2:01 pm, Michael Ellis michael.f.el...@gmail.com wrote:
Not sure if this is a web2py or ckeditor problem or just some misunderstanding on my part. Here's what's happening: If I create a CKEditor instance in a SQLFORM, things work as expected until I try to insert an image. Clicking the Ok button in ckeditor's image dialog appears to be causing an immediate and unwanted form submission with a formkey that doesn't match the real formkey. This doesn't raise a form error. Instead it triggers the final else branch of the form.accepts logic (see below) and the image along with any other text that was entered is lost. I recently ran into this in a larger app, but am able to reproduce it in the following minimal model and controller. Has anyone else run into this and is there a workaround other than switching the CKEditor to Source mode and manually entering the img tag? I'm using web2py 1.79.2 and CKEditor 3.3.1 (revision 5586) but have also seen the problem in CKEditor 3.2.
MODEL
    db.define_table('page',
        Field('body', 'text'),
    )
    def advanced_editor(field, value):
        eid = str(field).replace('.','_')
        return TEXTAREA(_id = eid, _name=field.name, _class='text ckeditor', value=value, _cols=80, _rows=10)
    db.page.body.widget = advanced_editor
VIEW (default.py/index.html)
    {{extend 'layout.html'}}
    <script type="text/javascript" src="{{=URL(request.application,'static','js/ckeditor/ckeditor.js')}}"></script>
    {{=BEAUTIFY(response._vars)}}
CONTROLLER
    def index():
        form = SQLFORM(db.page,
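The key rotation behind the mismatch in the post above, and what the workaround does to the check, as an added example that is not part of the original thread and is not web2py's own code. It models a per-form one-time key in a plain dict session; `issue_key`, `accepts`, `keep` and the other names are assumptions for illustration, and keeping several outstanding keys (`keep > 1`) is one possible mitigation, not something the thread proposes.

```python
import hmac
import uuid

FORM = "page_create"  # form name taken from the session key shown in the post


def _slot(formname):
    # Same session key naming as in the post: '_formkey[page_create]'.
    return "_formkey[%s]" % formname


def issue_key(session, formname, keep=1):
    """Store a fresh random key, keep only the newest `keep` (>= 1), return it."""
    keys = session.setdefault(_slot(formname), [])
    keys.append(str(uuid.uuid4()))
    del keys[:-keep]
    return keys[-1]


def accepts(session, formname, request_vars, keep=1):
    """Toy stand-in for form.accepts(request.vars, session) (assumed model).

    Returns (accepted, key_to_render). A submission is accepted only if it
    carries a key this session issued and has not used yet. Every call,
    accepted or not, issues a new key for the next render.
    """
    submitted = request_vars.get("_formkey")
    keys = session.get(_slot(formname), [])
    accepted = False
    if request_vars.get("_formname") == formname and isinstance(submitted, str):
        for key in keys:
            if hmac.compare_digest(key.encode(), submitted.encode()):
                keys.remove(key)  # one-time use: a replay of this key fails
                accepted = True
                break
    return accepted, issue_key(session, formname, keep)


def accepts_with_workaround(session, formname, request_vars, keep=1):
    """The workaround from the post: overwrite the submitted key with the
    session's own key before checking, whenever request_vars is non-empty."""
    keys = session.get(_slot(formname), [])
    if len(request_vars) and keys:
        request_vars = dict(request_vars, _formkey=keys[-1])
    return accepts(session, formname, request_vars, keep)


def replay_post_trace(keep):
    """Request sequence from the image-insert console output in the post."""
    session = {}
    _, rendered = accepts(session, FORM, {}, keep)  # initial display
    accepts(session, FORM, {}, keep)                # stray empty request from the dialog
    post = {"_formname": FORM, "_formkey": rendered, "body": "<p>constructed</p>"}
    return accepts(session, FORM, post, keep)[0]    # real Submit, carrying the first key


def keyless_post_accepted(handler):
    """A POST that never saw the form: right form name, no key at all."""
    session = {}
    accepts(session, FORM, {})                      # the user has the form open
    post = {"_formname": FORM, "body": "constructed"}
    return handler(session, FORM, post)[0]


def double_submit(keep):
    """The same key submitted twice (double click or replay)."""
    session = {}
    _, rendered = accepts(session, FORM, {}, keep)
    post = {"_formname": FORM, "_formkey": rendered, "body": "constructed"}
    first = accepts(session, FORM, post, keep)[0]
    second = accepts(session, FORM, post, keep)[0]
    return first, second


if __name__ == "__main__":
    print("single key, stray request first:", replay_post_trace(keep=1))
    print("three keys, stray request first:", replay_post_trace(keep=3))
    print("key-less POST, plain check:     ", keyless_post_accepted(accepts))
    print("key-less POST, with workaround: ", keyless_post_accepted(accepts_with_workaround))
    print("double submit, three keys:      ", double_submit(keep=3))
```

With a single stored key the real submit is rejected after the stray request, which matches the console output in the post; with the workaround a POST that carries no key at all is accepted. Keeping a few outstanding keys accepts the real submit and still rejects key-less and replayed posts.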
[web2py] Re: problem with global variables
I think you want a session variable, not a global variable
    test=session.test
    def changingtest():
        session.test = 5
        return None
On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:
hi together, i need help to solve this problem: i have a global variable in the model like:
    test = None
    def changingtest():
        global test
        test = 5
        return None
how can i access to the variable test in every controller function? thanks for your fast help peter
[web2py] Needed Help
I want to know that is it possible to code a home automation system with web2py platform i need such type of automation system which can automate A/C and another home appliances and give me complete reporting graph please suggest me
[web2py] Re: elFinder-web2py , Filemanager for Web2py!
Hello, I'm author of elFinder.py. In about a month we plan to release new version of elFinder, mostly bugfixes but I also plan to rewrite python version to be more library like. I know there are problems integrating elfinder with different frameworks on python, current version was written for use under pure CGI. This is my first major experience with python and so I have many questions about the right way how to write connector so it can be easy to integrate and write plugins. The biggest question to me is how to implement handling POST and GET data, I've seen many different ways how it is done in different frameworks. Currently this is done using:
    import cgi
    self._form = cgi.FieldStorage()
Maybe I should put this outside elFinder.py and only pass parameters to connector? Feedback is welcome.
On Jun 24, 5:47 am, Phyo Arkar phyo.arkarl...@gmail.com wrote:
Finally after 2 days of hacking elfinder backend for Django from http://www.elrte.ru/redmine/issues/128 , i have managed to get elFinder working (about 90% of features). Attached is elFinder-web2py, still a lot of improvement needed.
- Downloading files is not working yet but should be easy to fix.
- Help me make it more integrated into web2py
- Their method of directory scanning is so slow, going to replace with os.walk.
Please note that this is not for Production use. I started a project, download and test there. Note URL (both in View and web2py_elcon) need to be changed to your host:port (i did with port 8080) http://code.google.com/p/elfinder-web2py/downloads/list
[web2py] Re: Needed Help
yes. Some people here use it to control robots. Do you have already python API to the automation system?
On 30 Jun, 07:13, nadeem jafar nadeemjafa...@gmail.com wrote:
I want to know that is it possible to code a home automation system with web2py platform i need such type of automation system which can automate A/C and another home appliances and give me complete reporting graph please suggest me
[web2py] Re: web2py security - keep it up!
Hi Craig, You may also want to ask some questions about form validation, default validators and directory traversal attacks in file uploads. Massimo
On 29 Jun, 11:08, Craig Younkins cyounk...@gmail.com wrote:
Hello there! My name is Craig Younkins. I'm a summer intern at OWASP, the Open Web Application Security Project. This summer I'm working heavily on web security in Python.
First, I would like to praise Dr. Di Pierro and all the web2py contributors for their focus on security. Examining the OWASP Top 10 (http://www.web2py.com/examples/default/security) is a great way to start. Keep it up!
Second, I'd like to invite the web2py community over to a site I've started about security in Python - http://www.pythonsecurity.org. The site aims to be the central hub for security in Python, and right now has a focus on web security. Inside there are articles specific to software like frameworks as well as articles related to security topics like cross-site scripting. We also have a Google Group (http://groups.google.com/group/python-security/topics) which I encourage the developers to join. There you can get answers to your Python security questions. I hope you check it out!
Lastly, I'd like to encourage you to take a look at web2py's page on PythonSecurity.org - http://www.pythonsecurity.org/wiki/web2py/. I haven't had the time yet to examine web2py in detail, but on that page there is a pretty well-defined template of questions to be answered. Going through the list there will help the developers see areas in web2py that could use improvement, as well as documenting the strengths for other frameworks to model off of.
Thanks! Craig Younkins
[web2py] Re: problem with global variables
ok thanks, and what can i do now with the variable test in the first line. can i use this now in every function in each controller?
On 30 Jun., 15:12, mdipierro mdipie...@cs.depaul.edu wrote:
I think you want a session variable, not a global variable
    test=session.test
    def changingtest():
        session.test = 5
        return None
On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:
hi together, i need help to solve this problem: i have a global variable in the model like:
    test = None
    def changingtest():
        global test
        test = 5
        return None
how can i access to the variable test in every controller function? thanks for your fast help peter
[web2py] Re: Which is faster?
How about postgresql, mysql? Can you quantify slower - by what %?
On Jun 30, 3:21 am, mdipierro mdipie...@cs.depaul.edu wrote:
I have done some tests in the past. On sqlite the like operator is slow, slower than the join.
On 30 Jun, 01:38, weheh richard_gor...@verizon.net wrote:
I have a table 'x' with Field('z'), which is set via a multiselect. The value will be a string like '|1|2|3|5|8|'. These correspond to the ids of another table 'z'. I'm trying to figure out which would be a faster search:
1) use the 'like' operator to match the db.z.id stored in the x.z field or
2) first, parse x.z and then create a many-to-many table foo, which stores x.id and z.id in order to link the x and z tables. Then, do a
    db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id)))
Obviously, the storage overhead of 1 is lower. But is there going to be any significant speedup from 2?
[web2py] Re: problem with global variables
If the statement test=session.test is within a controller and outside all defs, then it is global to that controller, but that's all. It's not accessible to other controllers. It probably is visible to the controller's views -- you'll have to check to be sure. However, session.test is accessible to all controllers and views. If the statement test=session.test is within a model, it will be global to all models that come after the statement and appear in files that are alphabetically after the model file that contains the statement. It will also be global to all controllers and views. I'm pretty sure of the accuracy of the above statements, but you can easily test to verify.
On Jun 30, 10:03 am, pk peter.kirch...@youngdesigners.de wrote:
ok thanks, and what can i do now with the variable test in the first line. can i use this now in every function in each controller?
On 30 Jun., 15:12, mdipierro mdipie...@cs.depaul.edu wrote:
I think you want a session variable, not a global variable
    test=session.test
    def changingtest():
        session.test = 5
        return None
On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:
hi together, i need help to solve this problem: i have a global variable in the model like:
    test = None
    def changingtest():
        global test
        test = 5
        return None
how can i access to the variable test in every controller function? thanks for your fast help peter
[web2py] Filtered search of db by dropdown selection
After two days of attempts I still can't figure it out. What I want is a set of dropdown selections, every one with some options, and a submit button. When options are selected and submit pressed it starts a search in a db table and returns the list of all occurrences meeting all selected criteria... Something like this:
Dropdowns
- Category (choose from: a, b, c)
- Year (choose from: 2000, 2001, 2002)
Submit button (label: search)
db model logically is like this:
things
    category
    year
If someone would be so nice to help me, I'm very frustrated. What I really want now is someone showing me an example or pointing me to a simple tutorial, I'm sick of this problem. Thanks in advance, even some psychological support would be good :D
[web2py] Re: Needed Help
I built a comprehensive voice-controlled home automation system in python a few years ago. I believe I could easily connect it to web2py if I were so inclined.
On Jun 30, 9:14 am, mdipierro mdipie...@cs.depaul.edu wrote:
yes. Some people here use it to control robots. Do you have already python API to the automation system?
On 30 Jun, 07:13, nadeem jafar nadeemjafa...@gmail.com wrote:
I want to know that is it possible to code a home automation system with web2py platform i need such type of automation system which can automate A/C and another home appliances and give me complete reporting graph please suggest me
[web2py] Re: ajax background function crashes web2py fcgi handler
There's a simple workaround for this problem. I've tested it and it works fine. The concept is that I have to make the ajax request synchronous. For this purpose I've used the jQuery.ajax function instead of the web2py supplied one and I had to put everything inside a queue. The code in my first post was rewritten like this:
    function dvd() {
        $.ajax({
            async: false,
            url: 'bg_quick_dvd',
            data: { keyword: $('#keyword').val(), option: $('#option').val() },
            type: 'POST',
            success: function(data){ $('div#target_dvd').html(data); }
        });
        queue_start();
    }
    function music_cd() {
        $.ajax({
            async: false,
            url: 'bg_quick_music_cd',
            data: { keyword: $('#keyword').val(), option: $('#option').val() },
            type: 'POST',
            success: function(data){ $('div#target_music_cd').html(data); }
        });
        queue_start();
    }
    function book() {
        $.ajax({
            async: false,
            url: 'bg_quick_book',
            data: { keyword: $('#keyword').val(), option: $('#option').val() },
            type: 'POST',
            success: function(data){ $('div#target_book').html(data); }
        });
    }
    var queue = [];
    function start() {
        if(jQuery('#title').attr('checked')) jQuery('#option').val('1');
        if(jQuery('#store').attr('checked')) jQuery('#option').val('0');
        queue.push(book);
        queue.push(music_cd);
        queue.push(dvd);
        queue_start();
    }
    function queue_start() {
        if(queue.length > 0) {
            var fn = queue.pop();
            fn();
        }
    }
On Jun 24, 7:14 pm, ScOut3R mailingl...@modernbiztonsag.org wrote:
Dear List, the ajax based background search crashes my web2py installation. It's version 1.77.3 and I'm using the fcgihandler to access the application. OS: OpenBSD 4.6, Python version is Python 2.5.4 (r254:67916, Oct 19 2009, 01:52:14). As You can see below the search makes three database queries. The first search attempt works and the second crashes web2py. Would You be so kind to look into it? The error is the following:
    Unhandled exception in thread started by <bound method Connection.run of <gluon.contrib.gateways.fcgi.Connection object at 0x8b5af36c>>
    Traceback (most recent call last):
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 664, in run
        self.process_input()
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 700, in process_input
        self._do_params(rec)
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 799, in _do_params
        self._start_request(req)
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 783, in _start_request
        req.run()
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 592, in run
        self._flush()
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 599, in _flush
        self.stdout.close()
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 358, in close
        self._conn.writeRecord(rec)
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 715, in writeRecord
        rec.write(self._sock)
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 552, in write
        self._sendall(sock, header)
      File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line 529, in _sendall
        sent = sock.send(data)
    socket.error: (32, 'Broken pipe')
The jquery snippet that calls the background functions:
    function dvd() { ajax('bg_quick_dvd', ['keyword', 'option'], 'target_dvd'); }
    function music_cd() { ajax('bg_quick_music_cd', ['keyword', 'option'], 'target_music_cd'); }
    function book() { ajax('bg_quick_book', ['keyword', 'option'], 'target_book'); }
    function start() {
        if(jQuery('#title').attr('checked')) jQuery('#option').val('1');
        if(jQuery('#store').attr('checked')) jQuery('#option').val('0');
        dvd();
        setTimeout('music_cd()', 150);
        setTimeout('book()', 300);
    }
And the background functions:
    def bg_quick_dvd():
        if (request.vars.option == '1'):
            pattern = '%' + request.vars.keyword + '%'
            dvds = db((db.dvds.user==user_id) & (db.dvds.title.like(pattern))).select(orderby=db.dvds.title)
        else:
            dvds = db((db.dvds.user==user_id) & (db.dvds.store==request.vars.keyword)).select(orderby=db.dvds.title)
        items = [A(row.title, _href=URL(c='dvd', r=request, f='show', args=row.id)) for row in dvds]
[web2py] How to insert _blank in A html helper
I can't find this little piece of information anywhere in the cyberspace... a simple plain link with html helpers: A(B('link name'), _href=URL(r=request, f='show', args=x.id)) How to put a _black attribute inside this?
[web2py] Re: problem with global variables
thanks massimo: i still get errors. here my model:
    import time
    from naoqi import ALBroker
    from naoqi import ALProxy
    broker = session.broker
    behaviorProxy = session.behaviorProxy
    ttsProxy = session.ttsProxy
    motionProxy = session.motionProxy
    testvariable = session.testvariable
    def connectRobo(roboip):
        RoboIP = roboip
        RoboPORT = 9559
        BrokerIP = "127.0.0.1"
        BrokerPORT =
        session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
        session.ttsProxy= ALProxy ("ALTextToSpeech")
        session.ttsProxy.setVolume(1.0)
        session.ttsProxy.setLanguage("English")
        session.ttsProxy.setVoice("Heather22Enhanced")
        session.behaviorProxy = ALProxy ("ALBehaviorManager")
        session.motionProxy= ALProxy("ALMotion")
        stiffnesses = 1.0
        session.motionProxy.setStiffnesses('Body', stiffnesses)
        leftArmEnable = True
        rightArmEnable = True
        session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
        return None
in the first controller:
    def startConnection():
        connect = connectRobo(request.vars.iptext)
        #testingfunction()
        print(request.vars.iptext)
        return None
in the second controller:
    def automatic_control():
        if auth.is_logged_in():
            aktsession=auth.user.id
            userfirstname=auth.user.first_name
            userlastname=auth.user.last_name
            behaviours = behaviorProxy.getInstalledBehaviors()
            return dict(session=aktsession, firstname=userfirstname, lastname=userlastname, behaviours=behaviours)
        redirect(URL(r=request,c='default/user',f='login'))
i get the error:
    POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection 500 INTERNAL SERVER ERROR 1.28s
On 30 Jun., 15:12, mdipierro mdipie...@cs.depaul.edu wrote:
I think you want a session variable, not a global variable
    test=session.test
    def changingtest():
        session.test = 5
        return None
On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:
hi together, i need help to solve this problem: i have a global variable in the model like:
    test = None
    def changingtest():
        global test
        test = 5
        return None
how can i access to the variable test in every controller function? thanks for your fast help peter
[web2py] Disabling registration
Hi, I am relatively new to web2py. It would be great if somebody can guide me through these issues.
1. A way to disable registration for anonymous users of the app.
2. When I am logged in as an authenticated user I'm redirected to my profile page instead of registration page.
Please let me know how to fix these issues. Thanks for the help!
[web2py] Re: Which is faster?
I cannot quantify. If I run more tests I will let you know.
On 30 Jun, 09:04, weheh richard_gor...@verizon.net wrote:
How about postgresql, mysql? Can you quantify slower - by what %?
On Jun 30, 3:21 am, mdipierro mdipie...@cs.depaul.edu wrote:
I have done some tests in the past. On sqlite the like operator is slow, slower than the join.
On 30 Jun, 01:38, weheh richard_gor...@verizon.net wrote:
I have a table 'x' with Field('z'), which is set via a multiselect. The value will be a string like '|1|2|3|5|8|'. These correspond to the ids of another table 'z'. I'm trying to figure out which would be a faster search:
1) use the 'like' operator to match the db.z.id stored in the x.z field or
2) first, parse x.z and then create a many-to-many table foo, which stores x.id and z.id in order to link the x and z tables. Then, do a
    db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id)))
Obviously, the storage overhead of 1 is lower. But is there going to be any significant speedup from 2?
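The two storage options from this thread side by side on SQLite, as an added example that is not from any of the posters and measures no timings. It checks that the delimited LIKE pattern and the link table return the same rows, shows what goes wrong without the '|' delimiters, and prints the query plan for each; the raw SQL, the index name `foo_z_x` and the sample rows are assumptions made for illustration (the thread uses the web2py DAL).

```python
import sqlite3

# Constructed sample rows for table x: (id, packed multiselect value).
SAMPLE = [(1, "|1|2|3|5|8|"), (2, "|18|28|"), (3, "|8|"), (4, "|3|80|")]

LIKE_SQL = "SELECT id FROM x WHERE z LIKE ?"
LINK_SQL = "SELECT x.id FROM foo JOIN x ON x.id = foo.x WHERE foo.z = ?"


def build(rows=SAMPLE):
    """Create x (packed string) and foo (x.id, z.id link rows) in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE x (id INTEGER PRIMARY KEY, z TEXT);
        CREATE TABLE foo (x INTEGER NOT NULL, z INTEGER NOT NULL);
        CREATE INDEX foo_z_x ON foo (z, x);
    """)
    for xid, packed in rows:
        con.execute("INSERT INTO x (id, z) VALUES (?, ?)", (xid, packed))
        # Option 2 from the thread: parse '|1|2|3|' into one link row per id.
        ids = [int(part) for part in packed.split("|") if part]
        con.executemany("INSERT INTO foo (x, z) VALUES (?, ?)",
                        [(xid, zid) for zid in ids])
    return con


def by_like(con, zid):
    """Option 1: match '|<id>|' inside the packed string."""
    pattern = "%|" + str(int(zid)) + "|%"
    return sorted(row[0] for row in con.execute(LIKE_SQL, (pattern,)))


def by_like_undelimited(con, zid):
    """Option 1 done wrong: without the delimiters, 8 also matches 18, 28, 80."""
    pattern = "%" + str(int(zid)) + "%"
    return sorted(row[0] for row in con.execute(LIKE_SQL, (pattern,)))


def by_link(con, zid):
    """Option 2: equality lookup on the indexed link table."""
    return sorted(row[0] for row in con.execute(LINK_SQL, (int(zid),)))


def plan(con, sql, param):
    """Return the detail column of EXPLAIN QUERY PLAN as one string."""
    rows = con.execute("EXPLAIN QUERY PLAN " + sql, (param,)).fetchall()
    return " | ".join(row[3] for row in rows)


if __name__ == "__main__":
    con = build()
    print("like '|8|'   ->", by_like(con, 8))
    print("like '8'     ->", by_like_undelimited(con, 8))
    print("link table   ->", by_link(con, 8))
    print("plan (like)  :", plan(con, LIKE_SQL, "%|8|%"))
    print("plan (link)  :", plan(con, LINK_SQL, 8))
```

A pattern with a leading wildcard cannot use an index, so the LIKE query reads every row of x, while the link-table query is an index lookup on foo.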
[web2py] Re: How to insert _blank in A html helper
what is a _black attribute? Can you provide an HTML example of the output you want?

On 30 Jun, 09:18, Giuseppe Luca Scrofani glsdes...@gmail.com wrote:

I can't find this little piece of information anywhere in the cyberspace... a simple plain link with html helpers:

A(B('link name'), _href=URL(r=request, f='show', args=x.id))

How to put a _black attribute inside this?
[web2py] Re: problem with global variables
does session work with:

session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)

than here i get an error

On 30 Jun., 16:19, pk peter.kirch...@youngdesigners.de wrote:

thanks massimo: i still get errors

here my model:

import time
from naoqi import ALBroker
from naoqi import ALProxy

broker = session.broker
behaviorProxy = session.behaviorProxy
ttsProxy = session.ttsProxy
motionProxy = session.motionProxy
testvariable = session.testvariable

def connectRobo(roboip):
    RoboIP = roboip
    RoboPORT = 9559
    BrokerIP = "127.0.0.1"
    BrokerPORT =
    session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
    session.ttsProxy = ALProxy("ALTextToSpeech")
    session.ttsProxy.setVolume(1.0)
    session.ttsProxy.setLanguage("English")
    session.ttsProxy.setVoice("Heather22Enhanced")
    session.behaviorProxy = ALProxy("ALBehaviorManager")
    session.motionProxy = ALProxy("ALMotion")
    stiffnesses = 1.0
    session.motionProxy.setStiffnesses('Body', stiffnesses)
    leftArmEnable = True
    rightArmEnable = True
    session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
    return None

in the first controller:

def startConnection():
    connect = connectRobo(request.vars.iptext)
    #testingfunction()
    print(request.vars.iptext)
    return None

in the second controller:

def automatic_control():
    if auth.is_logged_in():
        aktsession=auth.user.id
        userfirstname=auth.user.first_name
        userlastname=auth.user.last_name
        behaviours = behaviorProxy.getInstalledBehaviors()
        return dict(session=aktsession, firstname=userfirstname, lastname=userlastname, behaviours=behaviours)
    redirect(URL(r=request,c='default/user',f='login'))

i get the error:

POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection 500 INTERNAL SERVER ERROR 1.28s

On 30 Jun., 15:12, mdipierro mdipie...@cs.depaul.edu wrote:

I think you want a session variable, not a global variable

test=session.test
def changingtest():
    session.test = 5
    return None

On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:

hi together, i need help to solve this problem: i have a global variable in the model like:

test = None
def changingtest():
    global test
    test = 5
    return None

how can i access to the variable test in every controllerfunction?
thanks for your fast help
peter
[web2py] Re: problem with global variables
but without session, it works. but i need for example broker in every controllerfunction (in each controller)

On 30 Jun., 16:38, pk peter.kirch...@youngdesigners.de wrote:

does session work with:

session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)

than here i get an error

On 30 Jun., 16:19, pk peter.kirch...@youngdesigners.de wrote:

thanks massimo: i still get errors

here my model:

import time
from naoqi import ALBroker
from naoqi import ALProxy

broker = session.broker
behaviorProxy = session.behaviorProxy
ttsProxy = session.ttsProxy
motionProxy = session.motionProxy
testvariable = session.testvariable

def connectRobo(roboip):
    RoboIP = roboip
    RoboPORT = 9559
    BrokerIP = "127.0.0.1"
    BrokerPORT =
    session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
    session.ttsProxy = ALProxy("ALTextToSpeech")
    session.ttsProxy.setVolume(1.0)
    session.ttsProxy.setLanguage("English")
    session.ttsProxy.setVoice("Heather22Enhanced")
    session.behaviorProxy = ALProxy("ALBehaviorManager")
    session.motionProxy = ALProxy("ALMotion")
    stiffnesses = 1.0
    session.motionProxy.setStiffnesses('Body', stiffnesses)
    leftArmEnable = True
    rightArmEnable = True
    session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
    return None

in the first controller:

def startConnection():
    connect = connectRobo(request.vars.iptext)
    #testingfunction()
    print(request.vars.iptext)
    return None

in the second controller:

def automatic_control():
    if auth.is_logged_in():
        aktsession=auth.user.id
        userfirstname=auth.user.first_name
        userlastname=auth.user.last_name
        behaviours = behaviorProxy.getInstalledBehaviors()
        return dict(session=aktsession, firstname=userfirstname, lastname=userlastname, behaviours=behaviours)
    redirect(URL(r=request,c='default/user',f='login'))

i get the error:

POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection 500 INTERNAL SERVER ERROR 1.28s

On 30 Jun., 15:12, mdipierro mdipie...@cs.depaul.edu wrote:

I think you want a session variable, not a global variable

test=session.test
def changingtest():
    session.test = 5
    return None

On 30 Jun, 07:42, pk peter.kirch...@youngdesigners.de wrote:

hi together, i need help to solve this problem: i have a global variable in the model like:

test = None
def changingtest():
    global test
    test = 5
    return None

how can i access to the variable test in every controllerfunction?
thanks for your fast help
peter
Re: [web2py] Re: How to insert _blank in A html helper
Hi Massimo, On 30/06/10 15:33, mdipierro wrote: what is a _black attribute? Can you provide an HTML example of the output you want? As I read it, the OP wants to set the target attribute = _blank, e.g. to open the link in a new window. HTH -- Regards, PhilK 'work as if you lived in the early days of a better nation' - alasdair gray
Re: [web2py] Re: How to insert _blank in A html helper
Sorry for the typo, it is exactly a _blank target attribute

desired output

<a href="show" target="_blank">link name</a>
[web2py] What to Use... gluon.dal or gluon.sql ??
I am confused ... :?
[web2py] Re: Disabling registration
Check out the book located at www.web2py.com/book you'll find a lot of useful information in it.

For 1: Section 8.1 talks about restricting registration
http://www.web2py.com/book/default/section/8/1?search=Restrictions+on+registration

For 2: Section 8.2 talks about the settings built into Auth. I believe you're looking for login_next
http://www.web2py.com/book/default/section/8/2?search=login_next

The search function on the book is fairly good, once you get used to some of the words you're looking for.

On Jun 30, 9:24 am, Deepan nicky3...@gmail.com wrote:

Hi, I am relatively new to web2py. It would be great if somebody can guide me through these issues.
1. way to disable registration for anonymous users of the app.
2. When I am logged in as an authenticated user I'm redirected to my profile page instead of registration page.
Please let me know how to fix these issues. Thanks for the help!
[web2py] Re: What to Use... gluon.dal or gluon.sql ??
gluon/sql.py

dal.py is an experimental rewrite that is stuck because of lack of time.

On 30 Jun, 10:55, Phyo Arkar phyo.arkarl...@gmail.com wrote:

I am confused ... :?
[web2py] Change submit text in generic submit button
Hi, where do I have to look to change the default submit string of the generic submit button to something else? I'm not interested in localizing the application (it has to remain English), but if it is the only way, how can I do this? Creating an en locale?
[web2py] Re: patch to dal [Re: bug in SQLFORM?]
I was checking the file sql.py, seeing the way you get the IDs of the different engine databases. I think the problem might occur with the use of SELECT IDENT_CURRENT('tablename'); in SQLServer, so have the other databases. That is, if that was inserted between the registry and retrieves the ID, someone inserts another record, the ID obtained will be incorrect. I know that the probability is very small, but it can happen. For example: Postgres use: select currval ('tablename_id_Seq') similarly the other engines. Jose
[web2py] Re: Change submit text in generic submit button
Put something like this in your controller.

INPUT( _type = 'submit', _value = 'Save', _style ='width: 100px;' )

On Jun 30, 11:04 am, Giuseppe Luca Scrofani glsdes...@gmail.com wrote:

Hi, where do I have to look to change the default submit string of the generic submit button to something else? I'm not interested in localizing the application (it has to remain English), but if it is the only way, how can I do this? Creating an en locale?
[web2py] Re: patch to dal [Re: bug in SQLFORM?]
If that can happen, then it is wrong. My understanding is that because we are in a transaction, before the insert is committed we get the id of the last record.

On 30 Jun, 11:56, Jose jjac...@gmail.com wrote:

I was checking the file sql.py, seeing the way you get the IDs of the different engine databases. I think the problem might occur with the use of SELECT IDENT_CURRENT('tablename'); in SQLServer, so have the other databases. That is, if that was inserted between the registry and retrieves the ID, someone inserts another record, the ID obtained will be incorrect. I know that the probability is very small, but it can happen.

For example: Postgres use: select currval ('tablename_id_Seq') similarly the other engines.

Jose
[web2py] Re: Change submit text in generic submit button
I think what you need is this:

form = SQLFORM(,submit_button=T('click me! me! me!'))

or

crud.messages.submit_button = 'click me to proceed'
form=crud.create()

On 30 Jun, 11:04, Giuseppe Luca Scrofani glsdes...@gmail.com wrote:

Hi, where do I have to look to change the default submit string of the generic submit button to something else? I'm not interested in localizing the application (it has to remain English), but if it is the only way, how can I do this? Creating an en locale?
[web2py] Re: web2py security - keep it up!
You may also want to ask some questions about form validation, default validators and directory traversal attacks in file uploads.

Good idea. I'll add those.

I've reviewed what you wrote on the wiki and some parts of the application code, and I have a few preliminary recommendations to improve security:

* Drop support for basic auth. It's really insecure - http://www.pythonsecurity.org/wiki/basicauthentication/
* Drop MD5 as the default hashing algorithm, use SHA512. MD5 is now considered 'cryptographically broken'
* The HMAC secret is by default 'your secret key', and I don't see anywhere in the documentation how to generate a new one or the recommendation to do so
* Do not use cgi.escape for HTML escaping because it does not escape single quotes and may lead to XSS - See http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and http://www.pythonsecurity.org/wiki/cgi/
* Session IDs should time out when the authentication information does, and the user should get a new session ID when they reauthenticate. This defense will help ensure that even if a session ID is leaked, it will only be useful for a limited amount of time. It sounds like users always have the same session ID.

Questions:

If no key/salt is provided, web2py uses MD5, but if a key/salt is provided (and the scaffolding application generates one automatically) it uses HMAC+MD5 or HMAC+SHA512.

I ran 'python web2py.py -S testapp' but it did not generate a new value for auth.settings.hmac_key in db.py. Should it have? It appears to use MD5 by default unless an alternative is specified, such as SHA512.

Please feel free to discuss!

Craig Younkins

On Jun 30, 9:58 am, mdipierro mdipie...@cs.depaul.edu wrote:

Hi Craig,

You may also want to ask some questions about form validation, default validators and directory traversal attacks in file uploads.

Massimo

On 29 Jun, 11:08, Craig Younkins cyounk...@gmail.com wrote:

Hello there!

My name is Craig Younkins. I'm a summer intern at OWASP, the Open Web Application Security Project. This summer I'm working heavily on web security in Python.

First, I would like to praise Dr. Di Pierro and all the web2py contributors for their focus on security. Examining the OWASP Top 10 (http://www.web2py.com/examples/default/security) is a great way to start. Keep it up!

Second, I'd like to invite the web2py community over to a site I've started about security in Python - http://www.pythonsecurity.org. The site aims to be the central hub for security in Python, and right now has a focus on web security. Inside there are articles specific to software like frameworks as well as articles related to security topics like cross-site scripting. We also have a Google Group (http://groups.google.com/group/python-security/topics) which I encourage the developers to join. There you can get answers to your Python security questions. I hope you check it out!

Lastly, I'd like to encourage you to take a look at web2py's page on PythonSecurity.org - http://www.pythonsecurity.org/wiki/web2py/. I haven't had the time yet to examine web2py in detail, but on that page there is a pretty well-defined template of questions to be answered. Going through the list there will help the developers see areas in web2py that could use improvement, as well as documenting the strengths for other frameworks to model off of.

Thanks!

Craig Younkins
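The cgi.escape point in the list above, as an added example (not code from web2py or from the posters): legacy_cgi_escape re-implements the behaviour of the old cgi.escape, which is no longer in the standard library, and is compared with html.escape on a value placed inside a single-quoted attribute. The template, the sample value and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser


def legacy_cgi_escape(s, quote=False):
    """Mimics the old cgi.escape(): &, < and > are always replaced, the
    double quote only when quote is true, the single quote never."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_input(value, escape):
    """Constructed template whose attribute values are delimited by single quotes."""
    return "<input type='text' name='q' value='%s'>" % escape(value)


class _InputAttrs(HTMLParser):
    """Collects the attributes the parser actually sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# Constructed sample: user-supplied text that contains a single quote.
SAMPLE = "x' data-injected='1"


def compare(value=SAMPLE):
    """Return the attributes parsed from the weakly and the fully escaped markup."""
    weak = parsed_attributes(
        render_input(value, lambda v: legacy_cgi_escape(v, quote=True)))
    strong = parsed_attributes(
        render_input(value, lambda v: html.escape(v, quote=True)))
    return weak, strong


if __name__ == "__main__":
    weak, strong = compare()
    print("legacy escape :", weak)    # the value is cut short and an extra attribute appears
    print("html.escape   :", strong)  # the whole input stays inside value
```

With the legacy behaviour the parser sees an attribute the template never declared; with html.escape(quote=True) the entire input remains the value of the value attribute.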
[web2py] Re: patch to dal [Re: bug in SQLFORM?]
On 30 Jun, 14:04, mdipierro mdipie...@cs.depaul.edu wrote:

If that can happen, then it is wrong. My understanding is that because we are in a transaction, before the insert is committed we get the id of the last record.

Okay, but I believe that everything about AUTO_INCREMENT fields is out of the transactions. They are independent of whether you commit or rollback.
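The scope difference this thread turns on, as an added example in SQLite (not web2py's sql.py and not code from the posters): a table-wide "last id", the kind of value IDENT_CURRENT reports, against a connection-scoped one. The person table and the function names are constructed, and each INSERT autocommits, so this shows whose id each query returns rather than behaviour inside an open transaction.

```python
import os
import sqlite3
import tempfile


def table_wide_last_id(conn, table):
    """Highest id handed out for the table so far, whichever connection inserted it."""
    row = conn.execute(
        "SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    return row[0] if row else None


def demo():
    """Two clients insert into the same table; client A then asks for 'its' id both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        # isolation_level=None puts the connections in autocommit mode
        a = sqlite3.connect(path, isolation_level=None)
        b = sqlite3.connect(path, isolation_level=None)
        try:
            a.execute("CREATE TABLE person ("
                      "id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)")
            own_id = a.execute(
                "INSERT INTO person (name) VALUES ('from A')").lastrowid
            # Another client inserts before A looks up the id of its own row.
            b.execute("INSERT INTO person (name) VALUES ('from B')")

            table_wide = table_wide_last_id(a, "person")
            conn_scoped = a.execute("SELECT last_insert_rowid()").fetchone()[0]
            row_found = a.execute(
                "SELECT name FROM person WHERE id = ?", (table_wide,)).fetchone()[0]
        finally:
            a.close()
            b.close()
    return {
        "own_id": own_id,            # id of the row A inserted
        "table_wide": table_wide,    # counter for the whole table
        "conn_scoped": conn_scoped,  # last id generated on A's connection
        "row_found": row_found,      # row A would fetch using the table-wide value
    }


if __name__ == "__main__":
    print(demo())
```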
[web2py] Re: How to insert _blank in A html helper
In general, any attribute for an HTML helper can be set by referring to the HTML tag name: this in the helper as: _this

So, your original question can change to: How do I set the target tag in the A() helper?

On Jun 30, 10:36 am, Giuseppe Luca Scrofani glsdes...@gmail.com wrote:

Sorry for the typo, it is exactly a _blank target attribute

desired output

<a href="show" target="_blank">link name</a>

Like this:

A( B('link name'), _href = URL(r=request, f='show', args=x.id), _target = "_blank" )

Hope this helps,
- Yarko
Re: [web2py] Re: elFinder-web2py , Filemanager for Web2py!
Hello Torex

Welcome to Web2py Group! That's very good to have you here!

I am trying to make elfinder work for web2py, please feel free to reuse my work in your release.

Here is the Connector initiation:
http://code.google.com/p/elfinder-web2py/source/browse/filemanager/controllers/default.py
Check inside function elcon.

and here is elFinder Backend Class
http://code.google.com/p/elfinder-web2py/source/browse/filemanager/modules/elw2p.py

Currently it is working partially (at least for me)

Please review and test, we can work together on this.

On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin tr...@fury.scancode.ru wrote:

Hello, I'm author of elFinder.py

In about a month we plan to release new version of elFinder, mostly bugfixes but I also plan to rewrite python version to be more library like. I know there are problems integrating elfinder with different frameworks on python, current version was written for use under pure CGI. This is my first major experience with python and so I have many questions about the right way how to write connector so it can be easy to integrate and write plugins.

The biggest question to me is how to implement handling POST and GET data, I've seen many different ways how it is done in different frameworks. Currently this is done using:

import cgi
self._form = cgi.FieldStorage()

Maybe I should put this outside elFinder.py and only pass parameters to connector? Feedback is welcome.

On Jun 24, 5:47 am, Phyo Arkar phyo.arkarl...@gmail.com wrote:

Finally after 2 days of hacking elfinder backend for Django from http://www.elrte.ru/redmine/issues/128 http://www.google.com/url?sa=Dq=http://www.elrte.ru/redmine/issues/1... , i have managed to get elFinder working (about 90% of features)

Attached is elFinder-web2py, still a lot of improvement needed.

-Downloading files is not working yet but should be easy to fix.
-Help me make it more integrated into web2py
-Their method of Directory scanning is so slow, going to replace with os.walk.

Please note that this is not for Production use.

I started a project, download and test there. Note URL (Both in View and web2py_elcon) need to be changed to your host:port (i did with port 8080)

http://code.google.com/p/elfinder-web2py/downloads/list
[web2py] Doctests keep getting stuck
Hi all, I wonder if anyone encountered similar problems with doctests. I have a couple of controllers (default.py and etc.py), and a single function (__addTLI__) in etc.py that has a doctest. When I try to run the tests through the admin app, default.py passes fine (since it has no tests), but etc.py just hangs. I have confirmed that there is a line in my code that determines whether etc.py will hang or return successfully, however I do not see how it is possible that the specific piece of code determines anything (basically it produces an xml file through some db interaction). I tried the same testing code in a function, opened it up on a browser and it ran fine, error-free. I also checked http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also surprisingly revealed that __addTLI__ had actually passed. Is it possible for a test to hang even though all subtests pass? BTW, I use version 1.79.2 Cheers, Kerem.
[web2py] Re: Disabling registration
I am clear with first point. Not with second one. How can I make only registered users to create new users? Right now when I am logged in and click on register it redirects me to profile page. Thanks

On Jun 30, 12:03 pm, Chris S sanders.ch...@gmail.com wrote:

Check out the book located at www.web2py.com/book you'll find a lot of useful information in it.

For 1: Section 8.1 talks about restricting registration
http://www.web2py.com/book/default/section/8/1?search=Restrictions+on...

For 2: Section 8.2 talks about the settings built into Auth. I believe you're looking for login_next
http://www.web2py.com/book/default/section/8/2?search=login_next

The search function on the book is fairly good, once you get used to some of the words you're looking for.

On Jun 30, 9:24 am, Deepan nicky3...@gmail.com wrote:

Hi, I am relatively new to web2py. It would be great if somebody can guide me through these issues.
1. way to disable registration for anonymous users of the app.
2. When I am logged in as an authenticated user I'm redirected to my profile page instead of registration page.
Please let me know how to fix these issues. Thanks for the help!
[web2py] Re: sql.py error?
I will have a look at this tonight, using the WING IDE debugger, because _last_reference was a new property added at my suggestion, so I am somewhat familiar with it.

Looks like somehow the same SQL Row instance is being 'reused' for creating a new row which I would not expect to happen.

- Dave Lypka.

On Jun 30, 1:03 am, Yarko Tymciurak resultsinsoftw...@gmail.com wrote:

On Jun 29, 3:27 pm, Chris S sanders.ch...@gmail.com wrote:

I'm actually not sure how to set break points. I'm using Eclipse so I'm sure there's a way but while I'm educating myself.

A bit of an aside, but for completeness: Not sure about Eclipse... maybe this will help: http://pydev.org/manual_adv_debugger.html

It sort of looks familiar - like winpdb (which is a free windowed --- NOT windows --- debugger for python; you could get that separate). I would (of course) do this with local gae environment. An alternative is to get a 30-day eval of WingIDE, and debug with that; either should be fine.

- Yarko

Here's all you should need to know if the above isn't descriptive enough.

In db.py:

auth = Auth(globals(),db) # authentication/authorization
auth.define_tables() # creates all needed tables

Using Appadmin
-Add a user to auth_users
-Create group 'admin' in auth_groups
-Make the user a member of admin in auth_memberships

In the application:

def add():
    "Debug Function"
    group=db(db.auth_group.role=='admin').select()[0]
    auth.add_permission(group.id,'access','mystuff')
    auth.add_permission(group.id,'access','myotherstuff')
    redirect(URL(request.application,request.controller,'index'))

Call /application/controller/add

In appadmin view the auth_permissions table. You should see two entries:
one with the group.id for Admin, access, and table of 'mystuff'.
one with the group.id for Admin, access, and table of 'myotherstuff'.

Instead you'll get the above error and only mystuff is added to the auth_permissions. You can comment out either line and add them one at a time with no errors. In fact you can add the same permission several times and you'll see duplicate entries. You can not however, have both of the above added in a single function call. This used to work but no longer does. When I get some time maybe I can test which revision broke this but my guess is it's 650:7c531beb7820 with comment self._last_reference, thanks Dave.

Sorry I'm not more help. Wish I could just patch this but I'm still learning python/web2py and this one's a bit above me.

On Jun 29, 3:01 pm, Yarko Tymciurak resultsinsoftw...@gmail.com wrote:

can you give a complete example necessary to reproduce? Alternatively, you can debug yourself: set a breakpoint at gluon/tools.py::Auth:add_permission() and analyze what's going on...

- Yarko

On Jun 29, 2:13 pm, Chris S sanders.ch...@gmail.com wrote:

Crap that should read:

To reproduce:

def test():
    auth.add_permission(id,'name','table1')
    auth.add_permission(id,'name','table2')
    return

I'm trying to assign two different permissions to the same group in a single function to get the error.

On Jun 29, 2:11 pm, Chris S sanders.ch...@gmail.com wrote:

Actually, that's not exactly what's happening. The error is produced when trying to make two calls back to back to auth.add_permission(). Single calls still create duplicate entries but back to back calls error on the 2nd call never creating an entry.

To reproduce:

def test():
    auth.add_permission(id,'name','table1')
    auth.add_permission(id,'name','table1')
    return

Either one of the above can be run by itself, but both in the same controller will fail with the above error on the 2nd permission.

On Jun 29, 1:35 pm, Chris S sanders.ch...@gmail.com wrote:

I think the most recent update to trunk I've found a spot in sql.py where functionality is different though it might be intended. In the last stable release you could make a call:

auth.add_permission(group.id,'name','table_name')

You could do this without first checking for its existence already. A new entry was created and no errors thrown. Now if you try to do the above call and that same permission is already defined you get:

--New Error
raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
SyntaxError: Object exists and cannot be redefined: _last_reference
--/New Error

While it's good that this points out that I wasn't checking for these permissions before, it's bad that you find out by an error which didn't previously exist. I can wrap my add_permission calls in a try: block, or i could check for the permission before adding. But is that something that should
[web2py] Re: Accessing auth_user table
Unfortunately it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acquire any value out of them?

Desperate searcher.

On 30 Jun, 06:25, Chris S sanders.ch...@gmail.com wrote:

I don't guess I follow. Isn't that the same as:

def userexist(namecheck):
    if db(db.auth_user.username==namecheck).count() > 0:
        return 'yes'
    else:
        return 'no'

So I'm saying your query should be:

query = (db.auth_user.username==username)

Hope that helps

On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote:

Hello, On this page: http://web2pyslices.com/main/slices/take_slice/53 I have found a great piece of code which allows to check on the fly if there is an exact value already in database.

Original code:

def ajaxuserexist():
    username = request.vars.values()[0]
    query = db.users.name.like(username)
    numres = db(query).count()
    if numres > 0 :
        return 'yes'
    return 'no'

But when I try to implement the same solution on auth_user table for login column it stops working:

query = db.auth_users.login.like(username)

Do you know some solution/workaround to this problem?

Best regards.
[web2py] Re: Caching downloads
I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files. The above code did not get me there though I ended up using:

def c_download():
    controller=request.vars.c
    file=request.vars.f
    response.headers['Cache-Control']='private'
    del response.headers['Content-Type']
    del response.headers['Pragma']
    del response.headers['Expires']
    filename = os.path.join(request.folder,'static',controller,file)
    response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
    return response.stream(open(filename,'rb'))

The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick.

What I'm not clear on is why this is necessary. From the book:

When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for a subset of the file. web2py also supports the IF_MODIFIED_SINCE protocol, and does not send the file if it is already stored in the browser's cache and if the file has not changed since that version.

Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MODIFIED_SINCE+protocol%2C+and+does+not+send+the+file+if+it+is+already+stored+in+the+browser%27s+cache+and+if+the+file+has+not+changed+since+that+version.

So then, if I serve a style.css file from static, or build a link from URL() to a file in static. Why do these files get downloaded every time the page is loaded? Here's an example. Using http://127.0.0.1:8080/welcome/static/menu.gif running on the GAE development server I get:

Header:
HTTP/1.0 200
Server: Development/1.0
Date: Wed, 30 Jun 2010 18:37:05 GMT
Content-Type: image/gif
Cache-Control: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Length: 264

Cache:
Last Modified Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
Last Fetched Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
Data Size 264
Fetch Count 7
Device disk

Is this working as intended? I *can* wrap every single download in a function call to c_download, but should that be necessary? Am I just missing a configuration option somewhere? I feel like I'm re-inventing the wheel since 'static' files were in my understanding not meant to change often anyway.

On May 6, 8:15 am, mdipierro mdipie...@cs.depaul.edu wrote:

Can you provide an example of code that causes cache failure? Remember that you cannot @cache def download because of range requests.

On May 6, 2:49 am, Iceberg iceb...@21cn.com wrote:

It seems Mariano's story has a happy ending. Congratulations. But on a second thought, can anyone explain why if you quickly reload pages, they fail in the very first caching-download version? Caching download can improve speed, can with a side effect of bypassing privilege check, but no matter what, it shall not cause content fail to load. I remember I once tried @cache(...) but encounter similar problems, then I give up. :-( Nice to pick it up if someone can throw some light. Thanks!

Regards, iceberg

On May 5, 11:39 am, Mariano Reingart reing...@gmail.com wrote:

.. after using fast_download (changing headers and using stream) it runs really quickly! (I know, serving through apache would be even faster, but in this case I prefer portability and a easy configuration)

You can see how it's running here: http://www.pyday.com.ar/rafaela2010/ (look at images at the sidebar)

Thanks so much, Mariano

On May 4, 9:04 pm, Mariano Reingart reing...@gmail.com wrote:

I thought so, I had to modify my download so browsers do client-side caching, speeding up the web-page load:

def fast_download():
    # very basic security:
    if not request.args(0).startswith("sponsor.logo"):
        return download()
    # remove/add headers that prevent/favors caching
    del response.headers['Cache-Control']
    del response.headers['Pragma']
    del response.headers['Expires']
    filename = os.path.join(request.folder,'uploads',request.args(0))
    response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
    return response.stream(open(filename,'rb'))

TODO: handle If-Modified-Since (returning 304 if not modified), but as you said, let the browser do that if so much performance is needed (so far, fast_download is working fine for me now :-)

Thanks very much for your help, and please let me know if there is anything wrong with this approach,

Best regards, Mariano

On Tue, May 4, 2010 at 10:23 PM, mdipierro
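A containment check of the kind a download function such as c_download or fast_download needs when the file name comes from request.vars or request.args, shown as an added example (not code from the thread or from web2py). resolve_under, last_modified_header and the sample directory tree are constructed for illustration; last_modified_header also formats the Last-Modified value as an HTTP date in GMT.

```python
import os
import tempfile
from email.utils import formatdate


def resolve_under(base_dir, *parts):
    """Return the real path of base_dir/parts if it is a regular file that
    lies inside base_dir; return None for anything else."""
    if any((not isinstance(p, str)) or "\x00" in p for p in parts):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks before the comparison
    candidate = os.path.realpath(os.path.join(base, *parts))
    try:
        # commonpath compares whole components, so /static_old is not inside /static
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def last_modified_header(path):
    """File modification time as an HTTP date in GMT."""
    return formatdate(os.path.getmtime(path), usegmt=True)


def demo():
    """Run constructed request values against a constructed application tree."""
    with tempfile.TemporaryDirectory() as root:
        static = os.path.join(root, "app", "static")
        models = os.path.join(root, "app", "models")
        os.makedirs(os.path.join(static, "default"))
        os.makedirs(models)
        with open(os.path.join(static, "default", "logo.png"), "wb") as fh:
            fh.write(b"constructed image bytes")
        with open(os.path.join(models, "db.py"), "w") as fh:
            fh.write("# constructed file that must never be served\n")

        samples = {
            "normal": ("default", "logo.png"),
            "dotdot": ("default", "../../models/db.py"),
            "absolute": ("default", os.path.join(models, "db.py")),
            "missing": ("default", "nope.png"),
            "nul": ("default", "logo.png\x00.txt"),
        }
        results = {name: resolve_under(static, *parts) is not None
                   for name, parts in samples.items()}
        served = resolve_under(static, "default", "logo.png")
        results["http_date"] = last_modified_header(served)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A caller answers with a 404 when resolve_under returns None and only opens the path it returned, never the one joined from the request values.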
[web2py] Re: Accessing auth_user table
And you've defined auth in db.py with:

from gluon.tools import Auth
auth = Auth(globals(), db)
auth.define_tables()

I've done searches on auth_user before... I think.

On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote:

Unfortunately it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acquire any value out of them?

Desperate searcher.

On 30 Jun, 06:25, Chris S sanders.ch...@gmail.com wrote:

I don't guess I follow. Isn't that the same as:

def userexist(namecheck):
    if db(db.auth_user.username==namecheck).count() > 0:
        return 'yes'
    else:
        return 'no'

So I'm saying your query should be:

query = (db.auth_user.username==username)

Hope that helps

On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote:

Hello, On this page: http://web2pyslices.com/main/slices/take_slice/53 I have found a great piece of code which allows to check on the fly if there is an exact value already in database.

Original code:

def ajaxuserexist():
    username = request.vars.values()[0]
    query = db.users.name.like(username)
    numres = db(query).count()
    if numres > 0 :
        return 'yes'
    return 'no'

But when I try to implement the same solution on auth_user table for login column it stops working:

query = db.auth_users.login.like(username)

Do you know some solution/workaround to this problem?

Best regards.
[web2py] Re: Accessing auth_user table
Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that:

from gluon.tools import *
auth=Auth(globals(),db)

db.define_table('auth_user',
    SQLField('login', 'string', length=50, default=''),
    SQLField('password', 'password', length=512, readable=False, label='Password'),
    SQLField('registration_key', length=512, default= '', writable=False, readable=False),
    SQLField('reset_password_key', length=512, default='', writable=False, readable=False),
    SQLField('first_name', length=128,default=''),
    SQLField('last_name', length=128,default=''),
    SQLField('email', length=128,default='', unique=True),
    SQLField('phone', 'string', length=30, default=''),
    )

On 30 Jun, 20:59, Chris S sanders.ch...@gmail.com wrote:

And you've defined auth in db.py with:

from gluon.tools import Auth
auth = Auth(globals(), db)
auth.define_tables()

I've done searches on auth_user before... I think.

On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote:

Unfortunately it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acquire any value out of them?

Desperate searcher.

On 30 Jun, 06:25, Chris S sanders.ch...@gmail.com wrote:

I don't guess I follow. Isn't that the same as:

def userexist(namecheck):
    if db(db.auth_user.username==namecheck).count() > 0:
        return 'yes'
    else:
        return 'no'

So I'm saying your query should be:

query = (db.auth_user.username==username)

Hope that helps

On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote:

Hello, On this page: http://web2pyslices.com/main/slices/take_slice/53 I have found a great piece of code which allows to check on the fly if there is an exact value already in database.

Original code:

def ajaxuserexist():
    username = request.vars.values()[0]
    query = db.users.name.like(username)
    numres = db(query).count()
    if numres > 0 :
        return 'yes'
    return 'no'

But when I try to implement the same solution on auth_user table for login column it stops working:

query = db.auth_users.login.like(username)

Do you know some solution/workaround to this problem?

Best regards.
[web2py] Re: Disabling registration
Oh I didn't understand the initial question. Here's one way to go about it, though I'm sure there are other (possibly easier) ways to do it. You first need to create a form for inserting users, and then protect it. The form can be created with CRUD. In your controller:

    @auth.requires_login()  # restricts function
    def add_user():
        form = crud.create(db.auth_user)  # Create form for inserting users
        return dict(form=form)  # Return the form to a view

Then in add_user.html the form is inserted with:

    {{=form}}

Crud will automatically generate a SQLFORM for the table with self submission and validation.

You can read on CRUD in the manual here: http://web2py.com/book/default/section/7/6?search=CRUD
You can read on Authentication in the manual here: http://web2py.com/book/default/section/8/2?search=Decorators

I think once you understand how to generate a form based on a table, and how to require access with decorators or just enforcing authorization via CRUD you'll fully understand how to do what you're trying. What I've shown is just one way to do it, I'm sure there's many many ways to

On Jun 30, 1:30 pm, Deepan nicky3...@gmail.com wrote:

I am clear with first point. Not with second one. How can I make only registered users to create new users? Right now when I am logged in and click on register it redirects me to profile page. Thanks

On Jun 30, 12:03 pm, Chris S sanders.ch...@gmail.com wrote:

Check out the book located at www.web2py.com/book you'll find a lot of useful information in it.

For 1: Section 8.1 talks about restricting registration http://www.web2py.com/book/default/section/8/1?search=Restrictions+on...

For 2: Section 8.2 talks about the settings built into Auth. I believe you're looking for login_next http://www.web2py.com/book/default/section/8/2?search=login_next

The search function on the book is fairly good, once you get used to some of the words you're looking for.

On Jun 30, 9:24 am, Deepan nicky3...@gmail.com wrote:

Hi, I am relatively new to web2py. It would be great if somebody can guide me through these issues.

1. way to disable registration for anonymous users of the app.
2. When I am logged in as an authenticated user I'm redirected to my profile page instead of registration page.

Please let me know how to fix these issues. Thanks for the help!
[web2py] Re: Accessing auth_user table
auth.define_tables() is there as well but below auth_user table definition.

On 30 Cze, 20:59, Chris S sanders.ch...@gmail.com wrote:

And you've defined auth in db.py with:

    from gluon.tools import Auth
    auth = Auth(globals(), db)
    auth.define_tables()

I've done searches on auth_user before... I think.

On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote:

Unfortunately it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acquire any value out of them? Desperate searcher.

On 30 Cze, 06:25, Chris S sanders.ch...@gmail.com wrote:

I don't guess I follow. Isn't that the same as:

    def userexist(namecheck):
        if db(db.auth_user.username==namecheck).count() > 0:
            return 'yes'
        else:
            return 'no'

So I'm saying your query should be:

    query = (db.auth_user.username==username)

Hope that helps

On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote:

Hello, On this page: http://web2pyslices.com/main/slices/take_slice/53 I have found a great piece of code which allows to check on the fly if there is an exact value already in database. Original code:

    def ajaxuserexist():
        username = request.vars.values()[0]
        query = db.users.name.like(username)
        numres = db(query).count()
        if numres > 0:
            return 'yes'
        return 'no'

But when I try to implement the same solution on auth_user table for login column it stops working:

    query = db.auth_users.login.like(username)

Do you know some solution/workaround to this problem? Best regards.
[web2py] Re: Accessing auth_user table
Probably a dumb question, but what are you checking the user against? Both my and your example above are checking for username and you didn't define a username in your auth_user. Your query then is not working as: def userexist(emailcheck): if db(db.auth_user.email==emailcheck).count() 0: return 'yes' else: return 'no' I know I've returned searches on auth_user it's no different than other tables. Just gotta find whey your getting no results. Might help if you post the exact search code that goes with the above auth_user and the error message that's generated. On Jun 30, 2:12 pm, elfuego1 elfue...@gmail.com wrote: Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that: from gluon.tools import * auth=Auth(globals(),db) db.define_table('auth_user', SQLField('login', 'string', length=50, default=''), SQLField('password', 'password', length=512, readable=False, label='Password'), SQLField('registration_key', length=512, default= '', writable=False, readable=False), SQLField('reset_password_key', length=512, default='', writable=False, readable=False), SQLField('first_name', length=128,default=''), SQLField('last_name', length=128,default=''), SQLField('email', length=128,default='', unique=True), SQLField('phone', 'string', length=30, default=''), ) On 30 Cze, 20:59, Chris S sanders.ch...@gmail.com wrote: And you've defined auth in db.py with: from gluon.tools import Auth auth = Auth(globals(), db) auth.define_tables() I've done searches on auth_user before... I think. On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote: Unfortunatelly it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acqiure any value out of them? Desperate searcher. 
On 30 Cze, 06:25, Chris S sanders.ch...@gmail.com wrote: I don't guess I follow. Isn't that the same as: def userexist(namecheck): if db(db.auth_user.username==namecheck).count() 0: return 'yes' else: return 'no' So Im saying your querry should be: query = (db.auth_user.username==username) Hope that helps On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote: Hello, On this page:http://web2pyslices.com/main/slices/take_slice/53Ihave found a great pice of code which allows to check on the fly if there is an exact value already in database. Oryginal code: def ajaxuserexist(): username = request.vars.values()[0] query = db.users.name.like(username) numres = db(query).count() if numres 0 : return 'yes' return 'no' But when I try to implement the same solution on auth_user table for login column it stops working: query = db.auth_users.login.like(username) Do you know some solution/workaround to this problem? Best regards.
[web2py] Re: Accessing auth_user table
During registration I want to check on the fly, if login chosen by the user is already in use or is it not in db and available to be used. def ajaxuserexist(): username = request.vars.values()[0] query = (db.auth_user.login==username) numres = db(query).count() if numres 0 : return 'yes' else: return 'no' When I test it on any other table that doesn't have prefix auth_ then the above code works, but unfortunatelly I need to test auth_user table :-( On 30 Cze, 21:19, Chris S sanders.ch...@gmail.com wrote: Probably a dumb question, but what are you checking the user against? Both my and your example above are checking for username and you didn't define a username in your auth_user. Your query then is not working as: def userexist(emailcheck): if db(db.auth_user.email==emailcheck).count() 0: return 'yes' else: return 'no' I know I've returned searches on auth_user it's no different than other tables. Just gotta find whey your getting no results. Might help if you post the exact search code that goes with the above auth_user and the error message that's generated. 
On Jun 30, 2:12 pm, elfuego1 elfue...@gmail.com wrote: Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that: from gluon.tools import * auth=Auth(globals(),db) db.define_table('auth_user', SQLField('login', 'string', length=50, default=''), SQLField('password', 'password', length=512, readable=False, label='Password'), SQLField('registration_key', length=512, default= '', writable=False, readable=False), SQLField('reset_password_key', length=512, default='', writable=False, readable=False), SQLField('first_name', length=128,default=''), SQLField('last_name', length=128,default=''), SQLField('email', length=128,default='', unique=True), SQLField('phone', 'string', length=30, default=''), ) On 30 Cze, 20:59, Chris S sanders.ch...@gmail.com wrote: And you've defined auth in db.py with: from gluon.tools import Auth auth = Auth(globals(), db) auth.define_tables() I've done searches on auth_user before... I think. On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote: Unfortunatelly it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acqiure any value out of them? Desperate searcher. On 30 Cze, 06:25, Chris S sanders.ch...@gmail.com wrote: I don't guess I follow. Isn't that the same as: def userexist(namecheck): if db(db.auth_user.username==namecheck).count() 0: return 'yes' else: return 'no' So Im saying your querry should be: query = (db.auth_user.username==username) Hope that helps On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote: Hello, On this page:http://web2pyslices.com/main/slices/take_slice/53Ihave found a great pice of code which allows to check on the fly if there is an exact value already in database. 
Oryginal code: def ajaxuserexist(): username = request.vars.values()[0] query = db.users.name.like(username) numres = db(query).count() if numres 0 : return 'yes' return 'no' But when I try to implement the same solution on auth_user table for login column it stops working: query = db.auth_users.login.like(username) Do you know some solution/workaround to this problem? Best regards.
[web2py] Re: web2py security - keep it up!
If you'd like this moved to the developers list, just approve my application and reply there.

When I say that MD5 is the default that applies only to the case that a hmac_key is not specified. This is 1) for backward compatibility; 2) because without a key/salt sha512 and md5 are vulnerable to the same dictionary attacks.

Hmm Well, I'm looking at the CRYPT class and it appears that in order to use HMAC the *caller* needs to pass in the key parameter. Grepping the source tree I've found a few places where the caller does not supply the key:

    applications/admin/models/access.py:55
    applications/admin/controllers/default.py:78
    gluon/main.py:480
    gluon/main.py:495
    gluon/validators.py:2344

I am of course unfamiliar with the internals of the project, but it would appear to me that admin passwords are never HMAC'd. Can you confirm?

I suggest that the key be pulled in from the configuration inside CRYPT so that the caller isn't required to pass it in. I would also suggest that the hash method be placed in configuration. Consolidating the configuration of security mechanisms greatly aids in a security review. If it were consolidated, a reviewer would only have to look at the default configuration. In its current state, a reviewer needs to look at all the callers of CRYPT to determine the security of CRYPT.

I realize some of my suggestions may prove difficult to support backwards compatibility. In many cases this can be worked around to implement and start using newer, safer security controls while maintaining support for older methods. In some cases it's more difficult than others.

If you use admin to create a new app, the 'your secret key' is automatically replaced with something like

Thanks for clarifying! This works.

* Do not use cgi.escape for HTML escaping because it does not escape single quotes and may lead to XSS - See http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and http://www.pythonsecurity.org/wiki/cgi/

I assume you refer to attribute escaping. When using helpers like {{=A(link,_href=url)}} then link is escaped using cgi.escape but url is escaped differently (quotes are escaped). The problem is that the escape function does not know whether a variable is to be inserted in html, css, js, attribute, a string in js, etc. etc. and therefore if the function does know the context it is in it can never always escape correctly. I do not believe there is a general solution to this problem. web2py assumes {{=}} is escaping HTML/XML. If you need to escape attributes we suggest using helpers. If you need to escape js code or strings in js code, you may have to do it manually.

That's not quite what I was getting at. You're right about needing the context in order to escape correctly though. I think the default escaping should include single and double quotes. cgi.escape escapes double quotes but not single quotes. I thought that the default escaping was going through cgi.escape by way of the xmlescape method, but given the below, that appears to not be the case. I'm a little confused. Here's an example of something I don't think I should be able to do:

    Controller: return dict(data=' onload=alert(1); bad=')
    View: body class={{=data}}/body
    Output: body class= onload=alert(1); bad=/body

The same attack works with single quoted attributes. While you're right, we can't do full proper escaping without knowing the context, I don't think quotes should be permitted in any web context.

I disagree but probably I did not explain this very well. web2py has two things it calls session. One is the general session managed via cookie session_id. One is the authentication session stored into the general session file. When a user logs out the authentication session information into the general session is deleted. If an attacker were to intercept the cookie session_id and try to use it to gain access to the system, it would not work. The session_id is used for the general session and it does not expire because when the user logs in again, if the user had a state stored in the session file, you want that state to be retrieved.

Hmmm. I'll have to ponder this.

As mentioned above the admin does this and web2py -S app should too (but there is the bug you pointed out). admin automatically sets the hmac_key=sha512:., i.e. defaults to SHA512.

Thanks, I understand this better now. What's confusing is that the algorithm could be set by the key or digest_alg params, neither of which the caller need provide. It gets a little complicated to determine what code path will execute because of how it depends on these two params. Like I said before, I'd love to see these be statically set in the application configuration so there is only one algorithm and one key that is used throughout the application, with no requirement for the caller.

Best, Craig Younkins

On Jun 30, 2:16 pm, mdipierro mdipie...@cs.depaul.edu wrote: On 30 Giu,
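The quoting point argued in the message above can be checked mechanically. This is an added example, not part of the thread and not web2py code: `legacy_escape` reproduces what `cgi.escape(value, quote=True)` did (that function was removed in Python 3.8), `full_escape` is the standard library's `html.escape`, and the templates and test values are constructed here around the thread's `onload=alert(1)` case.

```python
from html import escape as html_escape
from html.parser import HTMLParser


def legacy_escape(value):
    """Same replacements as cgi.escape(value, quote=True): & < > and double quotes only."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def full_escape(value):
    """html.escape with quote=True also rewrites single quotes (as &#x27;)."""
    return html_escape(value, quote=True)


class _BodyAttrs(HTMLParser):
    """Collects the attributes an HTML parser actually sees on the <body> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.attrs = dict(attrs)


def rendered_attributes(template, value, escaper):
    """Render the escaped value into the template and parse the result back."""
    parser = _BodyAttrs()
    parser.feed(template.format(escaper(value)))
    parser.close()
    return parser.attrs


def injected(template, value, escaper):
    """True when the value managed to create an attribute of its own."""
    return "onload" in rendered_attributes(template, value, escaper)


# Constructed view templates: the same slot in three attribute contexts.
DOUBLE_QUOTED = '<body class="{}"></body>'
SINGLE_QUOTED = "<body class='{}'></body>"
UNQUOTED = "<body class={}></body>"

# Constructed test values modelled on the thread's onload=alert(1) example.
BREAKS_DOUBLE = 'x" onload="alert(1)'
BREAKS_SINGLE = "x' onload='alert(1)"
BREAKS_UNQUOTED = "x onload=alert(1)"


if __name__ == "__main__":
    cases = [
        ("double-quoted", DOUBLE_QUOTED, BREAKS_DOUBLE),
        ("single-quoted", SINGLE_QUOTED, BREAKS_SINGLE),
        ("unquoted", UNQUOTED, BREAKS_UNQUOTED),
    ]
    for label, template, value in cases:
        for escaper in (legacy_escape, full_escape):
            print("%-14s %-14s injected=%s"
                  % (label, escaper.__name__, injected(template, value, escaper)))
```

Escaping both quote characters closes the single-quoted case, but the unquoted slot stays open whichever escaper is used, so the attribute value has to be quoted in the view as well.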
[web2py] Re: Accessing auth_user table
You can simplify it a bit def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' although it will not solve your problem. There is nothing special in table auth_user so the problem is somewhere else. I suggest you insert a print repr(username). Do you get any thicket? What does it say? massimo On 30 Giu, 14:29, elfuego1 elfue...@gmail.com wrote: During registration I want to check on the fly, if login chosen by the user is already in use or is it not in db and available to be used. def ajaxuserexist(): username = request.vars.values()[0] query = (db.auth_user.login==username) numres = db(query).count() if numres 0 : return 'yes' else: return 'no' When I test it on any other table that doesn't have prefix auth_ then the above code works, but unfortunatelly I need to test auth_user table :-( On 30 Cze, 21:19, Chris S sanders.ch...@gmail.com wrote: Probably a dumb question, but what are you checking the user against? Both my and your example above are checking for username and you didn't define a username in your auth_user. Your query then is not working as: def userexist(emailcheck): if db(db.auth_user.email==emailcheck).count() 0: return 'yes' else: return 'no' I know I've returned searches on auth_user it's no different than other tables. Just gotta find whey your getting no results. Might help if you post the exact search code that goes with the above auth_user and the error message that's generated. 
On Jun 30, 2:12 pm, elfuego1 elfue...@gmail.com wrote: Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that: from gluon.tools import * auth=Auth(globals(),db) db.define_table('auth_user', SQLField('login', 'string', length=50, default=''), SQLField('password', 'password', length=512, readable=False, label='Password'), SQLField('registration_key', length=512, default= '', writable=False, readable=False), SQLField('reset_password_key', length=512, default='', writable=False, readable=False), SQLField('first_name', length=128,default=''), SQLField('last_name', length=128,default=''), SQLField('email', length=128,default='', unique=True), SQLField('phone', 'string', length=30, default=''), ) On 30 Cze, 20:59, Chris S sanders.ch...@gmail.com wrote: And you've defined auth in db.py with: from gluon.tools import Auth auth = Auth(globals(), db) auth.define_tables() I've done searches on auth_user before... I think. On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com wrote: Unfortunatelly it doesn't. I can access any other table that's available through my application but I can't get any value out of auth_user table. Is it somehow protected? Do I need to add some extra piece of code to expose them in my application in order to be able to acqiure any value out of them? Desperate searcher. On 30 Cze, 06:25, Chris S sanders.ch...@gmail.com wrote: I don't guess I follow. Isn't that the same as: def userexist(namecheck): if db(db.auth_user.username==namecheck).count() 0: return 'yes' else: return 'no' So Im saying your querry should be: query = (db.auth_user.username==username) Hope that helps On Jun 29, 5:34 pm, elfuego1 elfue...@gmail.com wrote: Hello, On this page:http://web2pyslices.com/main/slices/take_slice/53Ihave found a great pice of code which allows to check on the fly if there is an exact value already in database. 
Oryginal code: def ajaxuserexist(): username = request.vars.values()[0] query = db.users.name.like(username) numres = db(query).count() if numres 0 : return 'yes' return 'no' But when I try to implement the same solution on auth_user table for login column it stops working: query = db.auth_users.login.like(username) Do you know some solution/workaround to this problem? Best regards.
[web2py] Re: Caching downloads
Unfortunately setting cache-control breaks IE with SSL http://support.microsoft.com/kb/316431

On 30 Giu, 13:57, Chris S sanders.ch...@gmail.com wrote:

I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files. The above code did not get me there though I ended up using:

    def c_download():
        controller=request.vars.c
        file=request.vars.f
        response.headers['Cache-Control']='private'
        del response.headers['Content-Type']
        del response.headers['Pragma']
        del response.headers['Expires']
        filename = os.path.join(request.folder,'static',controller,file)
        response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
        return response.stream(open(filename,'rb'))

The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick. What I'm not clear on is why this is necessary. From the book:

When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for a subset of the file. web2py also supports the IF_MODIFIED_SINCE protocol, and does not send the file if it is already stored in the browser's cache and if the file has not changed since that version.

Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD

So then, if I serve a style.css file from static, or build a link from URL() to a file in static. Why do these files get downloaded every time the page is loaded? Here's an example. Using http://127.0.0.1:8080/welcome/static/menu.gif running on the GAE development server I get:

    Header:
        HTTP/1.0 200
        Server: Development/1.0
        Date: Wed, 30 Jun 2010 18:37:05 GMT
        Content-Type: image/gif
        Cache-Control: no-cache
        Expires: Fri, 01 Jan 1990 00:00:00 GMT
        Content-Length: 264
    Cache:
        Last Modified Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
        Last Fetched Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
        Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
        Data Size 264
        Fetch Count 7
        Device disk

Is this working as intended? I *can* wrap every single download in a function call to c_download, but should that be necessary? Am I just missing a configuration option somewhere? I feel like I'm re-inventing the wheel since 'static' files were in my understanding not meant to change often anyway.

On May 6, 8:15 am, mdipierro mdipie...@cs.depaul.edu wrote:

Can you provide an example of code that causes cache failure? Remember that you cannot @cache def download because of range requests.

On May 6, 2:49 am, Iceberg iceb...@21cn.com wrote:

It seems Mariano's story has a happy ending. Congratulations. But on a second thought, can anyone explain why if you quickly reload pages, they fail in the very first caching-download version? Caching download can improve speed, can with a side effect of bypassing privilege check, but no matter what, it shall not cause content fail to load. I remember I once tried @cache(...) but encounter similar problems, then I give up. :-( Nice to pick it up if someone can throw some light. Thanks! Regards, iceberg

On May 5, 11:39am, Mariano Reingart reing...@gmail.com wrote:

.. after using fast_download (changing headers and using stream) it runs really quickly! (I know, serving through apache would be even faster, but in this case I prefer portability and a easy configuration) You can see how it's running here: http://www.pyday.com.ar/rafaela2010/ (look at images at the sidebar) Thanks so much, Mariano

On May 4, 9:04 pm, Mariano Reingart reing...@gmail.com wrote:

I thought so, I had to modify my download so browsers do client-side caching, speeding up the web-page load:

    def fast_download():
        # very basic security:
        if not request.args(0).startswith("sponsor.logo"):
            return download()
        # remove/add headers that prevent/favors caching
        del response.headers['Cache-Control']
        del response.headers['Pragma']
        del response.headers['Expires']
        filename = os.path.join(request.folder,'uploads',request.args(0))
        response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
        return response.stream(open(filename,'rb'))

TODO: handle If-Modified-Since (returning 304 if not modified), but as you said, let the browser do that if so much performance is needed (so far, fast_download is working fine for me now :-) Thanks very much for your help, and please let me know if there is
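The If-Modified-Since step left as a TODO in the quoted fast_download can be written without any framework. This is an added example, not code from the thread or from web2py: `resolve_under` and `conditional_get` are hypothetical names, the sample files are constructed, and it goes a little beyond the thread by emitting Last-Modified in GMT (HTTP dates are always GMT) and by confining request-supplied path parts to the base folder.

```python
import os
import tempfile
from email.utils import formatdate, parsedate_to_datetime


def resolve_under(base_dir, parts):
    """Join request-supplied parts under base_dir; None if the result leaves it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        return None
    return target


def conditional_get(base_dir, parts, if_modified_since=None, cache_control="private"):
    """Return (status, headers, path) for a cacheable download.

    status is 404 when the name does not resolve to a file inside base_dir,
    304 when the client's copy is still current, otherwise 200 with the path
    the caller should stream.
    """
    path = resolve_under(base_dir, parts)
    if path is None:
        return 404, {}, None
    mtime = int(os.path.getmtime(path))          # HTTP dates have 1 s resolution
    headers = {"Last-Modified": formatdate(mtime, usegmt=True)}
    if cache_control:
        headers["Cache-Control"] = cache_control
    if if_modified_since:
        try:
            since = parsedate_to_datetime(if_modified_since).timestamp()
        except (TypeError, ValueError):          # unparsable header: ignore it
            since = None
        if since is not None and mtime <= since:
            return 304, headers, None
    return 200, headers, path


def build_sample_tree():
    """Constructed sample: <tmp>/static/img/logo.gif plus a file outside static."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "static", "img"))
    with open(os.path.join(root, "static", "img", "logo.gif"), "wb") as handle:
        handle.write(b"GIF89a")
    with open(os.path.join(root, "private.txt"), "w") as handle:
        handle.write("not for download")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    static = os.path.join(root, "static")
    status, headers, path = conditional_get(static, ["img", "logo.gif"])
    print(status, headers["Last-Modified"])
    print(conditional_get(static, ["img", "logo.gif"], headers["Last-Modified"])[0])
    print(conditional_get(static, ["..", "private.txt"])[0])
```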
[web2py] Re: web2py security - keep it up!
On Jun 30, 2:44 pm, Craig Younkins cyounk...@gmail.com wrote: If you'd like this moved to the developers list, just approve my application and reply there. When I say that MD5 is the default that applies only to the case that a hmac_key is not specified. This is 1) for backward compatibility; 2) because without a key/salt sha512 and md5 are vulnerable to the same dictionary attacks. Hmm Well, I'm looking at the CRYPT class and it appears that in order to use HMAC the *caller* needs to pass in the key parameter. Grepping the source tree I've found a few places where the caller does not supply the key: applications/admin/models/access.py:55 applications/admin/controllers/default.py:78 gluon/main.py:480 gluon/main.py:495 gluon/validators.py:2344 I am of course unfamiliar with the internals of the project, but it would appear to me that admin passwords are never HMAC'd. Can you confirm? ... interesting discussion Let me FIRST point out some things Craig mentions which should not fall by the wayside: 1. -- There is no documented way to generate {an appropriate} hmac_key: == This is true; One major way to alleviate this would be to have an admin function that could be called manually (take your pick: to do the replacement, as gluon/admin.py:app_create() does, which would need a search/replace --- or better, just give a popup with a newly formed key an admin could readily copy/paste. == This is also inconsistently applied --- for example, if you pack welcome app, and then (as you might with apps from other sites, such as web2py.com, or other users) install it as a newly (re)named application,your key here persists.At the surface, the same thing app_create() is doing could be done in app_install(), but this too would be prone to inconsistencies (i.e. the user you get an app from to test for them will have already installed their own hmac_key, so the kind of replacement that app_create() does - which depends on a magic string in the template app, will fail. 
A better solution would be to make this completely transparent --- a little thinking about this should come to a solution (hmac_key is currently persisted in a source file...) ... Good discussion, guys - lovely to see this! - Yarko I suggest that the key be pulled in from the configuration inside CRYPT so that the caller isn't required to pass it in. I would also suggest that the hash method be placed in configuration. Consolidating the configuration of security mechanisms greatly aids in a security review. If it were consolidated, a reviewer would only have to look at the default configuration. In it's current state, a reviewer needs to look at all the callers of CRYPT to determine the security of CRYPT. I realize some of my suggestions may prove difficult to support backwards compatibility. In many cases this can be worked around to implement and start using newer, safer security controls while maintaining support for older methods. In some cases it's more difficult than others. If you use admin to create a new app, the 'your secret key' is automatically replaced with something like Thanks for clarifying! This works. * Do not use cgi.escape for HTML escaping because it does not escape single quotes and may lead to XSS - Seehttp:// www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and http://www.pythonsecurity.org/wiki/cgi/ I assume you refer to attribute escaping. When using helpers like {{=A(link,_href=url)}} then link is escaped using cgi.escape but url is escaped differently (quotes are escaped). The problem is that the escape function does not know whether a variable is to be inserted in html, css, js, attribute, a string in js, etc. etc. and therefore if the function does know the context it is in it can never always escape correcly. I do not believe there is a general solution to this problem. web2py assumes {{=}} is escaping HTML/XML. If you need to scape attributes we suggest using helpers. 
If you need to scape js code or strings in js code, you may have to do it manually. That's not quite what I was getting at. You're right about needing the context in order to escape correctly though. I think the default escaping should include single and double quotes. cgi.escape escapes double quotes but not single quotes. I thought that the default escaping was going through cgi.escape by way of the xmlescape method, but given the below, that appears to not be the case. I'm a little confused. Here's an example of something I don't think I should be able to do: Controller: return dict(data=' onload=alert(1); bad=') View: body class={{=data}}/body Output: body class= onload=alert(1); bad=/body The same attack works with single quoted attributes. While you're right, we can't do full proper escaping without knowing the context, I don't think quotes should be permitted in any web
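The two proposals in this thread, generating the hmac_key and reading the key and digest from one configuration place instead of from each caller, can be sketched as follows. This is an added example, not web2py's CRYPT and not code from the thread: `PasswordHasher`, `new_hmac_key` and `guessable` are hypothetical names, the key is drawn with `secrets.token_hex` rather than the `uuid.uuid4()` shown elsewhere in the thread, and the word list is constructed.

```python
import hashlib
import hmac
import secrets

ALLOWED_DIGESTS = ("sha256", "sha512")
PLACEHOLDER = "your secret key"                # template text the thread says gets replaced
WORDLIST = ["123456", "letmein", "password"]   # constructed sample dictionary


def new_hmac_key(alg="sha512"):
    """Fresh key in the 'alg:key' form used in the thread (256 random bits, hex)."""
    return "%s:%s" % (alg, secrets.token_hex(32))


class PasswordHasher:
    """Digest and key come from one settings dict, never from the caller."""

    def __init__(self, settings):
        alg, sep, key = (settings.get("hmac_key") or "").partition(":")
        if not sep or not key or key == PLACEHOLDER:
            # Refuse to fall back to an unkeyed hash when the key was never set.
            raise ValueError("hmac_key must be configured as 'alg:key'")
        if alg not in ALLOWED_DIGESTS:
            raise ValueError("unsupported digest %r" % alg)
        self._alg = alg
        self._key = key.encode("utf-8")

    def hash(self, password):
        return hmac.new(self._key, password.encode("utf-8"), self._alg).hexdigest()

    def verify(self, password, stored):
        # compare_digest avoids leaking the match position through timing.
        return hmac.compare_digest(self.hash(password), stored)


def unkeyed_digest(password, alg="sha512"):
    """Plain digest with no key or salt, the case the thread warns about."""
    return hashlib.new(alg, password.encode("utf-8")).hexdigest()


def guessable(stored_digests, digest_fn, wordlist=WORDLIST):
    """Audit helper: which stored digests match a word hashed with digest_fn?"""
    table = {digest_fn(word): word for word in wordlist}
    return [table[d] for d in stored_digests if d in table]


if __name__ == "__main__":
    hasher = PasswordHasher({"hmac_key": new_hmac_key()})
    stored_md5 = unkeyed_digest("letmein", "md5")
    stored_sha512 = unkeyed_digest("letmein", "sha512")
    stored_keyed = hasher.hash("letmein")
    # Unkeyed md5 and sha512 are both found by the same dictionary lookup.
    print(guessable([stored_md5], lambda w: unkeyed_digest(w, "md5")))
    print(guessable([stored_sha512], unkeyed_digest))
    # The keyed digest is not found without the key.
    print(guessable([stored_keyed], unkeyed_digest))
```

A site-wide HMAC key is the scheme the thread discusses; a per-user salt with a slow KDF such as `hashlib.pbkdf2_hmac` is the stronger choice for password storage.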
[web2py] Re: Accessing auth_user table
There was NO error messages. The code just didn't work. After inserting: print repr(username) to default.py I got: # -*- coding: utf-8 -*- # ## This is a samples controller ## - index is the default action of any application ## - user is required for authentication and authorization ## - download is for downloading files uploaded in the db (does streaming) ## - call exposes all registered services (none by default) # def index(): example action using the internationalization operator T and flash rendered by views/default/index.html or views/generic.html response.flash = T('Welcome to web2py') return dict(message=T('Hello World')) def user(): exposes: http:///[app]/default/user/login http:///[app]/default/user/logout http:///[app]/default/user/register http:///[app]/default/user/profile http:///[app]/default/user/retrieve_password http:///[app]/default/user/change_password use @auth.requires_login() @auth.requires_membership('group name') @auth.requires_permission('read','table name',record_id) to decorate functions that need access control return dict(form=auth()) def download(): allows downloading of uploaded files http:///[app]/default/download/[filename] return response.download(request,db) def call(): exposes services. for example: http:///[app]/default/call/jsonrpc decorate with @services.jsonrpc the functions to expose supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv session.forget() return service() def page2(): name = request.vars.login #db.auth_user.insert(name=name) return dict(name=name) def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' print repr(username) response._vars=response._caller(index) On 30 Cze, 21:51, mdipierro mdipie...@cs.depaul.edu wrote: You can simplify it a bit def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' although it will not solve your problem. 
There is nothing special in table auth_user so the problem is somewhere else. I suggest you insert a print repr(username). Do you get any thicket? What does it say? massimo On 30 Giu, 14:29, elfuego1 elfue...@gmail.com wrote: During registration I want to check on the fly, if login chosen by the user is already in use or is it not in db and available to be used. def ajaxuserexist(): username = request.vars.values()[0] query = (db.auth_user.login==username) numres = db(query).count() if numres 0 : return 'yes' else: return 'no' When I test it on any other table that doesn't have prefix auth_ then the above code works, but unfortunatelly I need to test auth_user table :-( On 30 Cze, 21:19, Chris S sanders.ch...@gmail.com wrote: Probably a dumb question, but what are you checking the user against? Both my and your example above are checking for username and you didn't define a username in your auth_user. Your query then is not working as: def userexist(emailcheck): if db(db.auth_user.email==emailcheck).count() 0: return 'yes' else: return 'no' I know I've returned searches on auth_user it's no different than other tables. Just gotta find whey your getting no results. Might help if you post the exact search code that goes with the above auth_user and the error message that's generated. 
On Jun 30, 2:12 pm, elfuego1 elfue...@gmail.com wrote: Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that: from gluon.tools import * auth=Auth(globals(),db) db.define_table('auth_user', SQLField('login', 'string', length=50, default=''), SQLField('password', 'password', length=512, readable=False, label='Password'), SQLField('registration_key', length=512, default= '', writable=False, readable=False), SQLField('reset_password_key', length=512, default='', writable=False, readable=False), SQLField('first_name', length=128,default=''), SQLField('last_name', length=128,default=''), SQLField('email', length=128,default='', unique=True), SQLField('phone', 'string', length=30, default=''), ) On 30 Cze, 20:59, Chris S sanders.ch...@gmail.com wrote: And you've defined auth in db.py with: from gluon.tools import Auth auth = Auth(globals(), db) auth.define_tables() I've done searches on auth_user before... I think. On Jun 30, 1:44 pm, elfuego1 elfue...@gmail.com
[web2py] db and variables
Hi, I'm trying to write loops in db.py:

letters = ['a', 'b', 'c', 'd']
for i in range(len(letters)):
    for j in range(len(letters)):
        db.define_table('connection'+letters[i]+letters[j],
                        SQLField('smthng', db.???letters[i]))

What should I use instead of ??? to make the computer understand that as db.a when i=0 and j=0? Thanks in advance for help!
Re: [web2py] Re: What to Use... gluon.dal or gluon.sql ??
Ok, thanks massimo.

On Wed, Jun 30, 2010 at 4:24 PM, mdipierro mdipie...@cs.depaul.edu wrote:
gluon/sql.py
dal.py is an experimental rewrite that is stuck because of lack of time.

On 30 Jun, 10:55, Phyo Arkar phyo.arkarl...@gmail.com wrote:
I am confused ... :?
[web2py] Re: web2py security - keep it up!
this is how I make my hmac_key

import uuid
print('sha512:' + str(uuid.uuid4()))

web2py has a function in gluon/admin.py, app_create('name',request) that clones welcome and replaces hmac_key='' with a random key generated as above. From a web2py shell you can also do

from gluon.admin import app_create
app_create('mynewapp',request)

I would not know how to make this transparent. If you have any idea please let me know. I agree that this is undocumented.

On 30 Jun, 15:01, Yarko Tymciurak resultsinsoftw...@gmail.com wrote:
On Jun 30, 2:44 pm, Craig Younkins cyounk...@gmail.com wrote:
If you'd like this moved to the developers list, just approve my application and reply there.

When I say that MD5 is the default that applies only to the case that a hmac_key is not specified. This is 1) for backward compatibility; 2) because without a key/salt sha512 and md5 are vulnerable to the same dictionary attacks.

Hmm Well, I'm looking at the CRYPT class and it appears that in order to use HMAC the *caller* needs to pass in the key parameter. Grepping the source tree I've found a few places where the caller does not supply the key:

applications/admin/models/access.py:55
applications/admin/controllers/default.py:78
gluon/main.py:480
gluon/main.py:495
gluon/validators.py:2344

I am of course unfamiliar with the internals of the project, but it would appear to me that admin passwords are never HMAC'd. Can you confirm?

... interesting discussion Let me FIRST point out some things Craig mentions which should not fall by the wayside:

1. -- There is no documented way to generate {an appropriate} hmac_key:

== This is true; One major way to alleviate this would be to have an admin function that could be called manually (take your pick: to do the replacement, as gluon/admin.py:app_create() does, which would need a search/replace --- or better, just give a popup with a newly formed key an admin could readily copy/paste.
== This is also inconsistently applied --- for example, if you pack welcome app, and then (as you might with apps from other sites, such as web2py.com, or other users) install it as a newly (re)named application, your key here persists. At the surface, the same thing app_create() is doing could be done in app_install(), but this too would be prone to inconsistencies (i.e. the user you get an app from to test for them will have already installed their own hmac_key, so the kind of replacement that app_create() does - which depends on a magic string in the template app, will fail.

A better solution would be to make this completely transparent --- a little thinking about this should come to a solution (hmac_key is currently persisted in a source file...) ...

Good discussion, guys - lovely to see this!
- Yarko

I suggest that the key be pulled in from the configuration inside CRYPT so that the caller isn't required to pass it in. I would also suggest that the hash method be placed in configuration. Consolidating the configuration of security mechanisms greatly aids in a security review. If it were consolidated, a reviewer would only have to look at the default configuration. In its current state, a reviewer needs to look at all the callers of CRYPT to determine the security of CRYPT.

I realize some of my suggestions may prove difficult to support backwards compatibility. In many cases this can be worked around to implement and start using newer, safer security controls while maintaining support for older methods. In some cases it's more difficult than others.

If you use admin to create a new app, the 'your secret key' is automatically replaced with something like

Thanks for clarifying! This works.

* Do not use cgi.escape for HTML escaping because it does not escape single quotes and may lead to XSS - See http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and http://www.pythonsecurity.org/wiki/cgi/

I assume you refer to attribute escaping.
When using helpers like {{=A(link,_href=url)}} then link is escaped using cgi.escape but url is escaped differently (quotes are escaped). The problem is that the escape function does not know whether a variable is to be inserted in html, css, js, attribute, a string in js, etc. etc. and therefore if the function does know the context it is in it can never always escape correctly. I do not believe there is a general solution to this problem. web2py assumes {{=}} is escaping HTML/XML. If you need to escape attributes we suggest using helpers. If you need to escape js code or strings in js code, you may have to do it manually.

That's not quite what I was getting at. You're right about needing the context in order to escape correctly though. I think the default escaping should include single and double quotes. cgi.escape escapes double quotes but not single quotes.
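The suggestion in the message above, that the digest and key come from one configuration value so that no caller can omit them, as an added Python 3 sketch. It is not web2py's CRYPT code: `KeyedHasher`, `parse_hmac_key` and `apps_sharing_a_key` are hypothetical names, and only the 'sha512:<uuid>' key form is taken from the thread.

```python
import hashlib
import hmac
import uuid

ALLOWED_DIGESTS = ('sha256', 'sha512')


def new_hmac_key():
    """Generate a key in the 'sha512:<uuid4>' form shown in the thread."""
    return 'sha512:' + str(uuid.uuid4())


def parse_hmac_key(value):
    """Split 'algorithm:key'; refuse blanks instead of falling back to an unkeyed digest."""
    alg, sep, key = (value or '').partition(':')
    if not sep or not key.strip():
        raise ValueError('hmac_key must look like "<algorithm>:<key>"')
    if alg not in ALLOWED_DIGESTS:
        raise ValueError('unsupported digest %r' % alg)
    return alg, key.encode('utf-8')


class KeyedHasher(object):
    """Hypothetical validator core: the key is bound once, from configuration."""

    def __init__(self, config_value):
        self.alg, self.key = parse_hmac_key(config_value)

    def hash(self, password):
        return hmac.new(self.key, password.encode('utf-8'), self.alg).hexdigest()

    def verify(self, password, stored):
        # Constant-time comparison of the recomputed and stored digests.
        return hmac.compare_digest(self.hash(password), stored)


def unkeyed_md5(password):
    """The no-key fallback discussed in the thread, shown for comparison only."""
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def apps_sharing_a_key(configs):
    """Return {key: [app, ...]} for every key configured in more than one app."""
    seen = {}
    for app, value in configs.items():
        seen.setdefault(value, []).append(app)
    return dict((k, sorted(v)) for k, v in seen.items() if len(v) > 1)


if __name__ == '__main__':
    # Constructed configuration: an app packed and reinstalled under a new name
    # keeps the key of the app it was copied from.
    configs = {
        'welcome': 'sha512:constructed-key-1',
        'renamed_copy': 'sha512:constructed-key-1',
        'fresh': new_hmac_key(),
    }
    print(apps_sharing_a_key(configs))
    a = KeyedHasher(configs['welcome'])
    b = KeyedHasher(configs['fresh'])
    # The unkeyed digest is the same on every installation; keyed ones are not.
    print(unkeyed_md5('password'))
    print(a.hash('password') == b.hash('password'))
```

The keyed digest only differs between installations while the key stays secret and unshared, which is why the shared-key check is part of the sketch.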
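The quoting point at the end of this message, as an added Python 3 check that is not code from web2py or from the thread. `cgi_style_escape` re-implements the documented behaviour of the old `cgi.escape` (removed in Python 3.8), and the probes are constructed strings carrying a harmless `data-injected` marker.

```python
import html
from html.parser import HTMLParser


def cgi_style_escape(s, quote=None):
    """Model of cgi.escape: &, <, > always; '"' only with quote=True; never "'"."""
    s = s.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
    if quote:
        s = s.replace('"', '&quot;')
    return s


def quote_aware_escape(s):
    """html.escape with quote=True also encodes the single quote (as &#x27;)."""
    return html.escape(s, quote=True)


class TagCollector(HTMLParser):
    """Records every start tag with its parsed attribute list."""

    def __init__(self):
        HTMLParser.__init__(self, convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# One template per output context named in the discussion.
TEMPLATES = {
    'text': '<p>%s</p>',
    'attr_double': '<a title="%s">x</a>',
    'attr_single': "<a title='%s'>x</a>",
}

# Constructed probes: each tries to add an attribute the template never had.
PROBES = {
    'text': '<b data-injected="1">',
    'attr_double': 'x" data-injected="1',
    'attr_single': "x' data-injected='1",
}


def breached(context, escape):
    """True if the escaped probe still changes the parsed structure."""
    markup = TEMPLATES[context] % escape(PROBES[context])
    for _tag, attrs in parse_tags(markup):
        if any(name == 'data-injected' for name, _value in attrs):
            return True
    return False


def audit(escape):
    """Run every context against one escape function."""
    return dict((context, breached(context, escape)) for context in sorted(TEMPLATES))


if __name__ == '__main__':
    print('cgi-style, quote=True:', audit(lambda s: cgi_style_escape(s, quote=True)))
    print('cgi-style, default:   ', audit(cgi_style_escape))
    print('html.escape:          ', audit(quote_aware_escape))
```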
[web2py] Re: db and variables
What is connectionaa.smthng supposed to reference? You cannot reference a table that is not yet defined. Anyway db.xxx is the same as db['xxx']

On 30 Jun, 13:48, Rick sababa.sab...@gmail.com wrote:
Hi, I'm trying to write loops in db.py:

letters = ['a', 'b', 'c', 'd']
for i in range(len(letters)):
    for j in range(len(letters)):
        db.define_table('connection'+letters[i]+letters[j],
                        SQLField('smthng', db.???letters[i]))

What should I use instead of ??? to make the computer understand that as db.a when i=0 and j=0? Thanks in advance for help!
[web2py] Re: Accessing auth_user table
This should give you an error because the print(username) is outside the funciton the function that defines username, after the function returns. How are you passing the username to the ajax call? Did you check with firebug that is calls the correct url? On 30 Giu, 15:01, elfuego1 elfue...@gmail.com wrote: There was NO error messages. The code just didn't work. After inserting: print repr(username) to default.py I got: # -*- coding: utf-8 -*- # ## This is a samples controller ## - index is the default action of any application ## - user is required for authentication and authorization ## - download is for downloading files uploaded in the db (does streaming) ## - call exposes all registered services (none by default) # def index(): example action using the internationalization operator T and flash rendered by views/default/index.html or views/generic.html response.flash = T('Welcome to web2py') return dict(message=T('Hello World')) def user(): exposes: http:///[app]/default/user/login http:///[app]/default/user/logout http:///[app]/default/user/register http:///[app]/default/user/profile http:///[app]/default/user/retrieve_password http:///[app]/default/user/change_password use @auth.requires_login() @auth.requires_membership('group name') @auth.requires_permission('read','table name',record_id) to decorate functions that need access control return dict(form=auth()) def download(): allows downloading of uploaded files http:///[app]/default/download/[filename] return response.download(request,db) def call(): exposes services. 
for example: http:///[app]/default/call/jsonrpc decorate with @services.jsonrpc the functions to expose supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv session.forget() return service() def page2(): name = request.vars.login #db.auth_user.insert(name=name) return dict(name=name) def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' print repr(username) response._vars=response._caller(index) On 30 Cze, 21:51, mdipierro mdipie...@cs.depaul.edu wrote: You can simplify it a bit def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' although it will not solve your problem. There is nothing special in table auth_user so the problem is somewhere else. I suggest you insert a print repr(username). Do you get any thicket? What does it say? massimo On 30 Giu, 14:29, elfuego1 elfue...@gmail.com wrote: During registration I want to check on the fly, if login chosen by the user is already in use or is it not in db and available to be used. def ajaxuserexist(): username = request.vars.values()[0] query = (db.auth_user.login==username) numres = db(query).count() if numres 0 : return 'yes' else: return 'no' When I test it on any other table that doesn't have prefix auth_ then the above code works, but unfortunatelly I need to test auth_user table :-( On 30 Cze, 21:19, Chris S sanders.ch...@gmail.com wrote: Probably a dumb question, but what are you checking the user against? Both my and your example above are checking for username and you didn't define a username in your auth_user. Your query then is not working as: def userexist(emailcheck): if db(db.auth_user.email==emailcheck).count() 0: return 'yes' else: return 'no' I know I've returned searches on auth_user it's no different than other tables. Just gotta find whey your getting no results. 
Might help if you post the exact search code that goes with the above auth_user and the error message that's generated. On Jun 30, 2:12 pm, elfuego1 elfue...@gmail.com wrote: Since I had added some fields (and intend to customize it further) to my auth_user table the code for auth_user in db.py looks like that: from gluon.tools import * auth=Auth(globals(),db) db.define_table('auth_user', SQLField('login', 'string', length=50, default=''), SQLField('password', 'password', length=512, readable=False, label='Password'), SQLField('registration_key', length=512, default= '', writable=False, readable=False), SQLField('reset_password_key', length=512, default='', writable=False, readable=False), SQLField('first_name', length=128,default=''), SQLField('last_name', length=128,default=''), SQLField('email',
[web2py] Re: Accessing auth_user table
I hope I don't make your eyes bleed by puting all the code here but there is no other way to show it to you. I made change only in one place of the code to gather login value: {login:value} Oryginaly it was: {name:value}. $.post({{=URL(r=request,c='default',f='ajaxuserexist')}}, {login:value},function(result){ Below is the whole content of index.html {{extend 'layout.html'}} !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Strict//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd; html head meta http-equiv=Content-type content=text/html; charset=utf-8 titleAjax User Validation with web2py by Martin Sagastume/ title style type=text/css !-- body { font-family:Arial,Verdana,Sans-serif; } input[type=text]{ font-size:12px; color:#66; background-color:#ff; padding-top:5px; width:200px; height:20px; border:1px solid #99; } #resultbox { font-size:11px; } .msg { color:blue; } .success { color:green; } .error { color:red; } //-- /style script type=text/javascript src={{=URL(r=request,c='static',f='jquery.js')}}/script script type=text/javascript var submit = false; $(document).ready(function(){ $(form).submit(function() { return submit; }); }); function getData(value){ if(value != ){ $ (#resultbox).removeClass().addClass('msg').text('Validating...').fadeIn(10); $.post({{=URL(r=request,c='default',f='ajaxuserexist')}}, {login:value},function(result){ if(result=='yes'){ $ (#resultbox).removeClass().addClass('error').text('Login already taken').fadeTo(900,1); submit = false; }else{ $ (#resultbox).removeClass().addClass('success').text('Login is available for registration!').fadeTo(900,1); submit = true; } }); }else{ $(#resultbox).removeClass().addClass('msg').text('This field is required'); } } /script /head body form id=form1 method=post action=page2 label for=countryLogin:/labelbr / input type=text id=login name=login onblur=getData(this.value) /br / div id=resultbox class=msg/divbr / input type=submit id=bsubmit name=bsubmit value=Submit / /form /body /html On 30 Cze, 22:12, 
mdipierro mdipie...@cs.depaul.edu wrote: This should give you an error because the print(username) is outside the funciton the function that defines username, after the function returns. How are you passing the username to the ajax call? Did you check with firebug that is calls the correct url? On 30 Giu, 15:01, elfuego1 elfue...@gmail.com wrote: There was NO error messages. The code just didn't work. After inserting: print repr(username) to default.py I got: # -*- coding: utf-8 -*- # ## This is a samples controller ## - index is the default action of any application ## - user is required for authentication and authorization ## - download is for downloading files uploaded in the db (does streaming) ## - call exposes all registered services (none by default) # def index(): example action using the internationalization operator T and flash rendered by views/default/index.html or views/generic.html response.flash = T('Welcome to web2py') return dict(message=T('Hello World')) def user(): exposes: http:///[app]/default/user/login http:///[app]/default/user/logout http:///[app]/default/user/register http:///[app]/default/user/profile http:///[app]/default/user/retrieve_password http:///[app]/default/user/change_password use @auth.requires_login() @auth.requires_membership('group name') @auth.requires_permission('read','table name',record_id) to decorate functions that need access control return dict(form=auth()) def download(): allows downloading of uploaded files http:///[app]/default/download/[filename] return response.download(request,db) def call(): exposes services. 
for example: http:///[app]/default/call/jsonrpc decorate with @services.jsonrpc the functions to expose supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv session.forget() return service() def page2(): name = request.vars.login #db.auth_user.insert(name=name) return dict(name=name) def ajaxuserexist(): username = request.vars.values()[0] return db(db.auth_user.login==username).count() and 'yes' or 'no' print repr(username) response._vars=response._caller(index) On 30 Cze, 21:51,
[web2py] Re: Accessing auth_user table
I do not see anything wrong in this. Do you use firebug? On 30 Giu, 15:18, elfuego1 elfue...@gmail.com wrote: I hope I don't make your eyes bleed by puting all the code here but there is no other way to show it to you. I made change only in one place of the code to gather login value: {login:value} Oryginaly it was: {name:value}. $.post({{=URL(r=request,c='default',f='ajaxuserexist')}}, {login:value},function(result){ Below is the whole content of index.html {{extend 'layout.html'}} !DOCTYPE html PUBLIC -//W3C//DTD XHTML 1.0 Strict//EN http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd; html head meta http-equiv=Content-type content=text/html; charset=utf-8 titleAjax User Validation with web2py by Martin Sagastume/ title style type=text/css !-- body { font-family:Arial,Verdana,Sans-serif; } input[type=text]{ font-size:12px; color:#66; background-color:#ff; padding-top:5px; width:200px; height:20px; border:1px solid #99; } #resultbox { font-size:11px; } .msg { color:blue; } .success { color:green; } .error { color:red; } //-- /style script type=text/javascript src={{=URL(r=request,c='static',f='jquery.js')}}/script script type=text/javascript var submit = false; $(document).ready(function(){ $(form).submit(function() { return submit; }); }); function getData(value){ if(value != ){ $ (#resultbox).removeClass().addClass('msg').text('Validating...').fadeIn(10); $.post({{=URL(r=request,c='default',f='ajaxuserexist')}}, {login:value},function(result){ if(result=='yes'){ $ (#resultbox).removeClass().addClass('error').text('Login already taken').fadeTo(900,1); submit = false; }else{ $ (#resultbox).removeClass().addClass('success').text('Login is available for registration!').fadeTo(900,1); submit = true; } }); }else{ $(#resultbox).removeClass().addClass('msg').text('This field is required'); } } /script /head body form id=form1 method=post action=page2 label for=countryLogin:/labelbr / input type=text id=login name=login onblur=getData(this.value) /br / div id=resultbox 
class=msg/divbr / input type=submit id=bsubmit name=bsubmit value=Submit / /form /body /html On 30 Cze, 22:12, mdipierro mdipie...@cs.depaul.edu wrote: This should give you an error because the print(username) is outside the funciton the function that defines username, after the function returns. How are you passing the username to the ajax call? Did you check with firebug that is calls the correct url? On 30 Giu, 15:01, elfuego1 elfue...@gmail.com wrote: There was NO error messages. The code just didn't work. After inserting: print repr(username) to default.py I got: # -*- coding: utf-8 -*- # ## This is a samples controller ## - index is the default action of any application ## - user is required for authentication and authorization ## - download is for downloading files uploaded in the db (does streaming) ## - call exposes all registered services (none by default) # def index(): example action using the internationalization operator T and flash rendered by views/default/index.html or views/generic.html response.flash = T('Welcome to web2py') return dict(message=T('Hello World')) def user(): exposes: http:///[app]/default/user/login http:///[app]/default/user/logout http:///[app]/default/user/register http:///[app]/default/user/profile http:///[app]/default/user/retrieve_password http:///[app]/default/user/change_password use @auth.requires_login() @auth.requires_membership('group name') @auth.requires_permission('read','table name',record_id) to decorate functions that need access control return dict(form=auth()) def download(): allows downloading of uploaded files http:///[app]/default/download/[filename] return response.download(request,db) def call(): exposes services. for example: http:///[app]/default/call/jsonrpc decorate with @services.jsonrpc the functions to expose supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv session.forget() return service() def page2(): name = request.vars.login #db.auth_user.insert(name=name) return
[web2py] Re: Caching downloads
I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabeled? On Jun 30, 3:01 pm, mdipierro mdipie...@cs.depaul.edu wrote: Unfortunately settings cache-control breaks IE with SSL http://support.microsoft.com/kb/316431 On 30 Giu, 13:57, Chris S sanders.ch...@gmail.com wrote: I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files. The above code did not get me there though I ended up using: def c_download(): controller=request.vars.c file=request.vars.f response.headers['Cache-Control']='private' del response.headers['Content-Type'] del response.headers['Pragma'] del response.headers['Expires'] filename = os.path.join(request.folder,'static',controller,file) response.headers['Last-Modified'] = time.strftime(%a, %d %b %Y %H: %M:%S +, time.localtime(os.path.getmtime(filename))) return response.stream(open(filename,'rb')) The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick. What I'm not clear on is why this is necessary. From the book: When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for a subset of the file. web2py also supports the IF_MODIFIED_SINCE protocol, and does not send the file if it is already stored in the browser's cache and if the file has not changed since that version. 
Link:http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD So then, if I serve a style.css file from static, or build a link from URL() to a file in static. Why do these files get downloaded every time the page is loaded? Here's an example. Usinghttp://127.0.0.1:8080/welcome/static/menu.gif running on the GAE development server I get: Header: HTTP/1.0 200 Server: Development/1.0 Date: Wed, 30 Jun 2010 18:37:05 GMT Content-Type: image/gif Cache-Control: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Content-Length: 264 Cache: Last Modified Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time) Last Fetched Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time) Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time) Data Size 264 Fetch Count 7 Device disk Is this working as intended? I *can* wrap every single download in a function call to c_download, but should that be necessary? Am I just missing a configuration option somewhere? I feel like I'm re- inventing the wheel since 'static' files were in my understanding not meant to change often anyway. On May 6, 8:15 am, mdipierro mdipie...@cs.depaul.edu wrote: Can you provide an example of code that causes cache failure? Remember that you cannot @cache def download because of range requests. On May 6, 2:49 am, Iceberg iceb...@21cn.com wrote: It seems Mariano's story has a happy ending. Congratulations. But on a second thought, can anyone explain why if you quickly reload pages, they fail in the very first caching-download version? Caching download can improve speed, can with a side effect of bypassing priviledge check, but no matter what, it shall not cause content fail to load. I remember I once tried @cache(...) but encounter similar problems, then I give up. :-( Nice to pick it up if someone can throw some light. Thanks! Regards, iceberg On May5, 11:39am, Mariano Reingart reing...@gmail.com wrote: .. after usingfast_download(changing headers and using stream) it runs really quickly! 
(I know, serving through apache would be even faster, but in this case I prefer portability and a easy configuration) You can see how it's running here: http://www.pyday.com.ar/rafaela2010/ (look at images at the sidebar) Thanks so much, Mariano On May 4, 9:04 pm, Mariano Reingart reing...@gmail.com wrote: I thought so, I had to modify mydownload so browsers do client-side caching, speeding up the web-page load: deffast_download(): # very basic security: if not request.args(0).startswith(sponsor.logo): return download() # remove/add headers that prevent/favors caching del
[web2py] Re: Doctests keep getting stuck
I ran the admin application's test page for my controller (i.e. http://127.0.0.1:8000/admin/default/test/std/etc.py) through firebug, and it looks like it is an issue with the xml produced by web2py. The parser fails and the page is never updated (i.e. keeps flashing please wait) but the response is received. Error reads:

XML Parsing Error: junk after document element
Location: moz-nullprincipal:{2bf026d5-ea46-4b0a-9bdd-21128033bf26}
Line Number 1, Column 47:
<h2>Testing controller etc.py ... done.</h2><br/>
--^

Here is the problem, ./gluon/compileapp.py, lines 55-56:

html = '<h2>Testing controller %s.py ... done.</h2><br/>\n' \
    % request.controller

I think starting with h2 as the root element is the cause. So really, no one else?

On Jun 30, 9:26 pm, Kerem Eryılmaz keryil...@gmail.com wrote:
Hi all, I wonder if anyone encountered similar problems with doctests. I have a couple of controllers (default.py and etc.py), and a single function (__addTLI__) in etc.py that has a doctest. When I try to run the tests through the admin app, default.py passes fine (since it has no tests), but etc.py just hangs. I have confirmed that there is a line in my code that determines whether etc.py will hang or return successfully, however I do not see how it is possible that the specific piece of code determines anything (basically it produces an xml file through some db interaction). I tried the same testing code in a function, opened it up on a browser and it ran fine, error-free. I also checked http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also surprisingly revealed that __addTLI__ had actually passed. Is it possible for a test to hang even though all subtests pass? BTW, I use version 1.79.2

Cheers, Kerem.
Re: [web2py] Re: Anvanced applications in gae
Hi, i was trying this technique but i'm getting this traceback when using gae_google_account: Traceback (most recent call last): File /Users/lauer/web2py/gluon/restricted.py, line 178, in restricted exec ccode in environment File /Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user, line 56, in module File /Users/lauer/web2py/gluon/globals.py, line 96, in lambda self._caller = lambda f: f() File /Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user, line 35, in user File /Users/lauer/web2py/gluon/tools.py, line 966, in __call__ return self.login() File /Users/lauer/web2py/gluon/tools.py, line 1419, in login self.log_event(log % self.user) File /Users/lauer/web2py/gluon/tools.py, line 1180, in log_event origin=origin, user_id=user_id) File /Users/lauer/web2py/gluon/contrib/gql.py, line 281, in insert self._last_reference = tmp File /Users/lauer/web2py/gluon/sql.py, line 1611, in __setattr__ raise SyntaxError, 'Object exists and cannot be redefined: %s' % key SyntaxError: Object exists and cannot be redefined: _last_reference On Mon, Jun 28, 2010 at 7:04 AM, dlypka dly...@gmail.com wrote: OK I downloaded the trunk and tested this mod. myParent = db.ParentTable.insert(name='Bill') myParentNativeRef = myParent._table._last_reference works Thanks again. On Jun 27, 3:28 pm, mdipierro mdipie...@cs.depaul.edu wrote: Maybe just add a new property dynamically to the row We could call it 'nativeRef' Would it be something like: self.nativeRef = tmp # Python can add new properties 'on-the-fly', right? as the new 2nd last statement of insert()? If that is useful we can do it. I just did it in trunk so you can test it but I called self._last_reference to avoid possible naming conflicts. Massimo Any thoughts?
[web2py] Re: Caching downloads
I may have sent the wrong link. There are two issues:

1) we tried to set a cache for static files in the past and we ran into problems with ssl and ie. This was discussed at length in an old thread but I cannot find it now.
2) It is unclear whether serving static content should cache. In a production environment with apache yes. I am in favor of caching as long as the expire time is small since we do not have a mechanism for setting it.

If you send me a patch and we try on different browsers with and without ssl, then we can include it.

On 30 Jun, 15:25, Chris S sanders.ch...@gmail.com wrote:
I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabled?

On Jun 30, 3:01 pm, mdipierro mdipie...@cs.depaul.edu wrote:
Unfortunately setting cache-control breaks IE with SSL http://support.microsoft.com/kb/316431

On 30 Jun, 13:57, Chris S sanders.ch...@gmail.com wrote:
I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files.
The above code did not get me there though I ended up using: def c_download(): controller=request.vars.c file=request.vars.f response.headers['Cache-Control']='private' del response.headers['Content-Type'] del response.headers['Pragma'] del response.headers['Expires'] filename = os.path.join(request.folder,'static',controller,file) response.headers['Last-Modified'] = time.strftime(%a, %d %b %Y %H: %M:%S +, time.localtime(os.path.getmtime(filename))) return response.stream(open(filename,'rb')) The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick. What I'm not clear on is why this is necessary. From the book: When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for a subset of the file. web2py also supports the IF_MODIFIED_SINCE protocol, and does not send the file if it is already stored in the browser's cache and if the file has not changed since that version. Link:http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD So then, if I serve a style.css file from static, or build a link from URL() to a file in static. Why do these files get downloaded every time the page is loaded? Here's an example. Usinghttp://127.0.0.1:8080/welcome/static/menu.gif running on the GAE development server I get: Header: HTTP/1.0 200 Server: Development/1.0 Date: Wed, 30 Jun 2010 18:37:05 GMT Content-Type: image/gif Cache-Control: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Content-Length: 264 Cache: Last Modified Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time) Last Fetched Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time) Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time) Data Size 264 Fetch Count 7 Device disk Is this working as intended? 
I *can* wrap every single download in a function call to c_download, but should that be necessary? Am I just missing a configuration option somewhere? I feel like I'm re- inventing the wheel since 'static' files were in my understanding not meant to change often anyway. On May 6, 8:15 am, mdipierro mdipie...@cs.depaul.edu wrote: Can you provide an example of code that causes cache failure? Remember that you cannot @cache def download because of range requests. On May 6, 2:49 am, Iceberg iceb...@21cn.com wrote: It seems Mariano's story has a happy ending. Congratulations. But on a second thought, can anyone explain why if you quickly reload pages, they fail in the very first caching-download version? Caching download can improve speed, can with a side effect of bypassing priviledge check, but no matter what, it shall not cause content fail to load. I remember I once tried @cache(...) but encounter similar problems, then I give up. :-( Nice to pick it up if someone can throw some light. Thanks! Regards, iceberg On May5, 11:39am, Mariano Reingart reing...@gmail.com wrote: .. after usingfast_download(changing headers and using stream) it runs really quickly! (I know, serving through apache
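The c_download handler quoted in this thread builds a filesystem path from two request variables, so alongside the cache headers it needs a check that the resolved path stays under static/. An added Python 3 sketch, not web2py's code: the function names and the 300-second max-age are assumptions, and the files are constructed in a temporary directory.

```python
import os
import tempfile
from email.utils import formatdate, mktime_tz, parsedate_tz

MAX_AGE = 300  # assumption: a "small" expiry, in seconds


def resolve_static(app_folder, *parts):
    """Return the real path of a file under <app_folder>/static, else None."""
    if not all(isinstance(p, str) and p and '\0' not in p for p in parts):
        return None
    base = os.path.realpath(os.path.join(app_folder, 'static'))
    # realpath collapses '..' and symlinks; an absolute part replaces base.
    target = os.path.realpath(os.path.join(base, *parts))
    if not target.startswith(base + os.sep):
        return None
    return target if os.path.isfile(target) else None


def static_response(app_folder, controller, filename, if_modified_since=None):
    """Return (status, headers, path) for a cacheable static download."""
    path = resolve_static(app_folder, controller, filename)
    if path is None:
        return 404, {}, None
    mtime = int(os.path.getmtime(path))
    headers = {
        'Cache-Control': 'private, max-age=%d' % MAX_AGE,
        # HTTP dates are always expressed in GMT.
        'Last-Modified': formatdate(mtime, usegmt=True),
    }
    if if_modified_since:
        parsed = parsedate_tz(if_modified_since)
        try:
            since = mktime_tz(parsed) if parsed else None
        except (OverflowError, ValueError):
            since = None
        if since is not None and mtime <= since:
            return 304, headers, None
    return 200, headers, path


def demo():
    """Exercise the handler against a constructed application folder."""
    with tempfile.TemporaryDirectory() as app:
        os.makedirs(os.path.join(app, 'static', 'images'))
        os.makedirs(os.path.join(app, 'models'))
        image = os.path.join(app, 'static', 'images', 'menu.gif')
        with open(image, 'wb') as handle:
            handle.write(b'GIF89a')
        os.utime(image, (1277923025, 1277923025))  # Wed, 30 Jun 2010 18:37:05 GMT
        model = os.path.join(app, 'models', 'db.py')
        with open(model, 'w') as handle:
            handle.write('# constructed file outside static\n')
        first = static_response(app, 'images', 'menu.gif')
        validator = first[1]['Last-Modified']
        return {
            'ok': first[:2],
            'revalidated': static_response(app, 'images', 'menu.gif', validator)[0],
            'older_copy': static_response(app, 'images', 'menu.gif',
                                          'Tue, 29 Jun 2010 18:37:05 GMT')[0],
            'garbage_date': static_response(app, 'images', 'menu.gif', 'not a date')[0],
            'dotdot': static_response(app, '..', 'models/db.py')[0],
            'absolute': static_response(app, 'images', model)[0],
            'missing_var': static_response(app, 'images', None)[0],
        }


if __name__ == '__main__':
    for name, result in sorted(demo().items()):
        print(name, result)
```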
[web2py] Re: Doctests keep getting stuck
The test controller generates <h2></h2> and that is a piece of html received via ajax, not xml. It should be valid.

On 30 Jun, 15:25, Kerem Eryılmaz keryil...@gmail.com wrote:

I ran the admin application's test page for my controller (i.e. http://127.0.0.1:8000/admin/default/test/std/etc.py) through firebug, and it looks like it is an issue with the xml produced by web2py. The parser fails and the page is never updated (i.e. keeps flashing please wait) but the response is received. Error reads:

    XML Parsing Error: junk after document element
    Location: moz-nullprincipal:{2bf026d5-ea46-4b0a-9bdd-21128033bf26}
    Line Number 1, Column 47:
    <h2>Testing controller etc.py ... done.</h2><br/>
    --^

Here is the problem, ./gluon/compileapp.py, lines 55-56:

    html = '<h2>Testing controller %s.py ... done.</h2><br/>\n' \
        % request.controller

I think starting with h2 as the root element is the cause.

So really, no one else?

On Jun 30, 9:26 pm, Kerem Eryılmaz keryil...@gmail.com wrote:

Hi all, I wonder if anyone encountered similar problems with doctests. I have a couple of controllers (default.py and etc.py), and a single function (__addTLI__) in etc.py that has a doctest. When I try to run the tests through the admin app, default.py passes fine (since it has no tests), but etc.py just hangs. I have confirmed that there is a line in my code that determines whether etc.py will hang or return successfully, however I do not see how it is possible that the specific piece of code determines anything (basically it produces an xml file through some db interaction). I tried the same testing code in a function, opened it up on a browser and it ran fine, error-free. I also checked http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also surprisingly revealed that __addTLI__ had actually passed. Is it possible for a test to hang even though all subtests pass?

BTW, I use version 1.79.2

Cheers, Kerem.
[web2py] Re: Caching downloads
I'll take a look and see what I can do. Can you point me to where this is happening? I see a streamer.py but nowhere does it set Cache-Control = no-cache. Where is that decision being made? I'm assuming in the same gluon module I'll find the logic behind the auto-stream of /static/filename?

On Jun 30, 3:35 pm, mdipierro mdipie...@cs.depaul.edu wrote:

I may have sent the wrong link. There are two issues:

1) we tried to set a cache for static files in the past and we ran into problems with ssl and ie. This was discussed at length in an old thread but I cannot find it now.

2) It is unclear whether serving static content should cache. In a production environment with apache yes.

I am in favor of caching as long as the expire time is small since we do not have a mechanism for setting it. If you send me a patch and we try on different browsers with and without ssl, then we can include it.

On 30 Jun, 15:25, Chris S sanders.ch...@gmail.com wrote:

I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabled?

On Jun 30, 3:01 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Unfortunately setting cache-control breaks IE with SSL http://support.microsoft.com/kb/316431

On 30 Jun, 13:57, Chris S sanders.ch...@gmail.com wrote:

I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files.
[web2py] How may I do that
Hello,

How may I pass the id of my entered record to an other function??

    def atable_create():
        if auth.has_membership(auth.id_group('group1')):
            form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
        elif form.errors:
            response.flash = T('form has errors')
        else:
            response.flash = T('please fill out the form')
        return dict(form=form)

    def atable_read(...):
        form=crud.read(db.atable,4)
        return dict(form=form)

Thanks

Jonhy
[web2py] Re: Caching downloads
If I understand you talk about normal static files. That is done in gluon/main.py

    static_file = parse_url(request, environ)
    if static_file:
        if request.env.get('query_string', '')[:10] == 'attachment':
            response.headers['Content-Disposition'] = 'attachment'
        response.stream(static_file, request=request)

On 30 Jun, 15:42, Chris S sanders.ch...@gmail.com wrote:

I'll take a look and see what I can do. Can you point me to where this is happening? I see a streamer.py but nowhere does it set Cache-Control = no-cache. Where is that decision being made? I'm assuming in the same gluon module I'll find the logic behind the auto-stream of /static/filename?

On Jun 30, 3:35 pm, mdipierro mdipie...@cs.depaul.edu wrote:

I may have sent the wrong link. There are two issues:

1) we tried to set a cache for static files in the past and we ran into problems with ssl and ie. This was discussed at length in an old thread but I cannot find it now.

2) It is unclear whether serving static content should cache. In a production environment with apache yes.

I am in favor of caching as long as the expire time is small since we do not have a mechanism for setting it. If you send me a patch and we try on different browsers with and without ssl, then we can include it.

On 30 Jun, 15:25, Chris S sanders.ch...@gmail.com wrote:

I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabled?
Re: [web2py] Re: Advanced applications in gae
Now is working. Thanks, let's continue testing...

On Wed, Jun 30, 2010 at 10:39 PM, mdipierro mdipie...@cs.depaul.edu wrote:

You are right... fixing it in trunk..1..2..3..done. Please check it.

Massimo

On 30 Jun, 15:25, Carles Gonzalez carle...@gmail.com wrote:

Hi, i was trying this technique but i'm getting this traceback when using gae_google_account:

    Traceback (most recent call last):
      File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
        exec ccode in environment
      File "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user", line 56, in <module>
      File "/Users/lauer/web2py/gluon/globals.py", line 96, in <lambda>
        self._caller = lambda f: f()
      File "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user", line 35, in user
      File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
        return self.login()
      File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
        self.log_event(log % self.user)
      File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
        origin=origin, user_id=user_id)
      File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
        self._last_reference = tmp
      File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
        raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
    SyntaxError: Object exists and cannot be redefined: _last_reference

On Mon, Jun 28, 2010 at 7:04 AM, dlypka dly...@gmail.com wrote:

OK I downloaded the trunk and tested this mod.

    myParent = db.ParentTable.insert(name='Bill')
    myParentNativeRef = myParent._table._last_reference

works. Thanks again.

On Jun 27, 3:28 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Maybe just add a new property dynamically to the row. We could call it 'nativeRef'. Would it be something like:

    self.nativeRef = tmp  # Python can add new properties 'on-the-fly', right?

as the new 2nd last statement of insert()?

If that is useful we can do it. I just did it in trunk so you can test it but I called self._last_reference to avoid possible naming conflicts.

Massimo

Any thoughts?
[web2py] Re: How may I do that
it is in form.vars.id. You can also use a shortcut:

    form=crud.create(db.atable,next='atable_read/[id]')

On 30 Jun, 15:52, Jean-Guy jean...@gmail.com wrote:

Hello,

How may I pass the id of my entered record to an other function??

    def atable_create():
        if auth.has_membership(auth.id_group('group1')):
            form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
        elif form.errors:
            response.flash = T('form has errors')
        else:
            response.flash = T('please fill out the form')
        return dict(form=form)

    def atable_read(...):
        form=crud.read(db.atable,4)
        return dict(form=form)

Thanks

Jonhy
[web2py] Re: Accessing auth_user table
I have firebug installed. What do you want me to look for? You want to see some firebug output?

On 30 Jun, 22:25, mdipierro mdipie...@cs.depaul.edu wrote:

I do not see anything wrong in this. Do you use firebug?

On 30 Jun, 15:18, elfuego1 elfue...@gmail.com wrote:

I hope I don't make your eyes bleed by putting all the code here but there is no other way to show it to you. I made change only in one place of the code to gather login value: {login:value}. Originally it was: {name:value}.

    $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}", {login:value}, function(result){

Below is the whole content of index.html

    {{extend 'layout.html'}}
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <head>
    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
    <title>Ajax User Validation with web2py by Martin Sagastume</title>
    <style type="text/css">
    <!--
    body { font-family:Arial,Verdana,Sans-serif; }
    input[type=text]{ font-size:12px; color:#66; background-color:#ff; padding-top:5px; width:200px; height:20px; border:1px solid #99; }
    #resultbox { font-size:11px; }
    .msg { color:blue; }
    .success { color:green; }
    .error { color:red; }
    //-->
    </style>
    <script type="text/javascript" src="{{=URL(r=request,c='static',f='jquery.js')}}"></script>
    <script type="text/javascript">
    var submit = false;
    $(document).ready(function(){
        // block the form submit until the login has been validated
        $("form").submit(function() { return submit; });
    });
    function getData(value){
        if(value != ""){
            $("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
            $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}", {login:value}, function(result){
                if(result=='yes'){
                    $("#resultbox").removeClass().addClass('error').text('Login already taken').fadeTo(900,1);
                    submit = false;
                }else{
                    $("#resultbox").removeClass().addClass('success').text('Login is available for registration!').fadeTo(900,1);
                    submit = true;
                }
            });
        }else{
            $("#resultbox").removeClass().addClass('msg').text('This field is required');
        }
    }
    </script>
    </head>
    <body>
    <form id="form1" method="post" action="page2">
    <label for="country">Login:</label><br />
    <input type="text" id="login" name="login" onblur="getData(this.value)" /><br />
    <div id="resultbox" class="msg"></div><br />
    <input type="submit" id="bsubmit" name="bsubmit" value="Submit" />
    </form>
    </body>
    </html>

On 30 Jun, 22:12, mdipierro mdipie...@cs.depaul.edu wrote:

This should give you an error because the print(username) is outside the function that defines username, after the function returns. How are you passing the username to the ajax call? Did you check with firebug that it calls the correct url?

On 30 Jun, 15:01, elfuego1 elfue...@gmail.com wrote:

There was NO error messages. The code just didn't work. After inserting: print repr(username) to default.py I got:

    # -*- coding: utf-8 -*-
    #
    ## This is a samples controller
    ## - index is the default action of any application
    ## - user is required for authentication and authorization
    ## - download is for downloading files uploaded in the db (does streaming)
    ## - call exposes all registered services (none by default)
    #

    def index():
        """
        example action using the internationalization operator T and flash
        rendered by views/default/index.html or views/generic.html
        """
        response.flash = T('Welcome to web2py')
        return dict(message=T('Hello World'))

    def user():
        """
        exposes:
        http:///[app]/default/user/login
        http:///[app]/default/user/logout
        http:///[app]/default/user/register
        http:///[app]/default/user/profile
        http:///[app]/default/user/retrieve_password
        http:///[app]/default/user/change_password
        use @auth.requires_login()
            @auth.requires_membership('group name')
            @auth.requires_permission('read','table name',record_id)
        to decorate functions that need access control
        """
        return dict(form=auth())

    def download():
        """
        allows downloading of uploaded files
        http:///[app]/default/download/[filename]
        """
        return response.download(request,db)

    def call():
        """
        exposes services. for example:
[web2py] Re: Accessing auth_user table
I'd like to know if the console reports any error when the ajax request is executed.

On 30 Jun, 15:31, elfuego1 elfue...@gmail.com wrote:

I have firebug installed. What do you want me to look for? You want to see some firebug output?

On 30 Jun, 22:25, mdipierro mdipie...@cs.depaul.edu wrote:

I do not see anything wrong in this. Do you use firebug?
[web2py] Re: How may I do that
From the book:

    next is the URL to redirect to after success. If the URL contains the substring [id] this will be replaced by the id of the record currently created/updated.

While I haven't used that specifically I would say:

    form=crud.create(db.atable,next=URL(r=request,f='atable_read',args=['[id]']),message=T('form accepted'))

It's my understanding that it will generate the URL:

Since [id] is replaced with the ID you should be able to access it with:

    request.args[0]

Depending on what you're doing you might also look at the onaccept parameter of CRUD. I use that to run a function and fill out some custom auth_user fields after a new user is created.

On Jun 30, 3:52 pm, Jean-Guy jean...@gmail.com wrote:

Hello,

How may I pass the id of my entered record to an other function??

    def atable_create():
        if auth.has_membership(auth.id_group('group1')):
            form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
        elif form.errors:
            response.flash = T('form has errors')
        else:
            response.flash = T('please fill out the form')
        return dict(form=form)

    def atable_read(...):
        form=crud.read(db.atable,4)
        return dict(form=form)

Thanks

Jonhy
[web2py] web2py freezing
I am using web2py in my organization for internal applications. One of the applications uses dedicated instance of web2py (v1.78.1) running on dedicated ubuntu server. It connects to our SQL Server 2005 database via freetds. It runs with the following parameters:

    python web2py.py -i ... -p ... -a ... -n 100 -q 100

The application uses connection pool with 50 connections.

Recently it has started freezing occasionally. The weird thing is that the whole web2py server freezes and basically stops responding, so not only you cannot access the app, you cannot even open the admin console. Sometimes it starts working again after a few minutes, sometimes I have to restart web2py.

I suspect it has something to do with either web server threads not getting released or databases connections not getting returned to the pool (the latter would not explain why I cannot access admin console though).

Has anyone had similar issues? Any suggestions on how to troubleshoot the problem? Any input would be highly appreciated.
[web2py] Re: web2py with AppStats
I just edited the blog post cos i had forgot the appengine_config.py (thanx mdmcginn)

On 30 Jun, 13:06, mdmcginn michael.d.mcgin...@gmail.com wrote:

I've added a appengine_config.py file in a comment to that blog post, since AppStats didn't work for me without it. Guido van Rossum (who wrote AppStats) says, it adds some overhead to your application.

On Jun 29, 8:27 pm, Richard richar...@gmail.com wrote:

neat! Does AppStats add much overhead? If not it would be good to commit that gaehandler.py change to trunk.

On Jun 30, 3:30 am, PanosJee panos...@gmail.com wrote:

if you are on GAE it's to have AppStats on it's quite easy http://blog.socialcaddy.com/appstats-for-web2py-0
Re: [web2py] Re: Advanced applications in gae
Sorry, but I've encountered another error. The relevant part of my code is following:

    if request.env.web2py_runtime_gae:  # if running on Google App Engine
        from gluon.contrib.login_methods.gae_google_account import GaeGoogleAccount
        auth.settings.login_form = GaeGoogleAccount()

    from gluon.contrib.gql import gae
    auth.define_tables()  # creates all needed tables
    db.define_table('todos',
        Field('name','string'),
        Field(gae.ReferenceProperty(auth_user, required=True,
              collection_name='todos'))
    )

And the traceback is this:

    Traceback (most recent call last):
      File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
        exec ccode in environment
      File "/Users/lauer/web2py/applications/web2pytodo/models/db.py", line 76, in <module>
        Field(gae.ReferenceProperty(auth_user, required=True,
    NameError: name 'auth_user' is not defined

Maybe the entity class is not defined at the time of the reference? I created a user, but still isn't working.

When this mini-project is finished I plan to release the source. I think that a working example of this technique would be interesting for reference.

On Wed, Jun 30, 2010 at 10:56 PM, Carles Gonzalez carle...@gmail.com wrote:

Now is working. Thanks, let's continue testing...

On Wed, Jun 30, 2010 at 10:39 PM, mdipierro mdipie...@cs.depaul.edu wrote:

You are right... fixing it in trunk..1..2..3..done. Please check it.
Re: [web2py] Re: How may I do that
I had to figure (remember my read) out how to call the id in my other function, but I got it to work. Here are my working functions:

    def atable_create():
        if auth.has_membership(auth.id_group('group1')):
            form=crud.create(db.atable,next='atable_read/[id]',message=T('form accepted'))
        elif form.errors:
            response.flash = T('form has errors')
        else:
            response.flash = T('please fill out the form')
        return dict(form=form)

    def atable_read():
        form=crud.read(db.atable,request.args[0])
        return dict(form=form)

Thank you...

Jonhy

On 2010-06-30 16:58, mdipierro wrote:

it is in form.vars.id. You can also use a shortcut:

    form=crud.create(db.atable,next='atable_read/[id]')

On 30 Jun, 15:52, Jean-Guy jean...@gmail.com wrote:

Hello,

How may I pass the id of my entered record to an other function??

    def atable_create():
        if auth.has_membership(auth.id_group('group1')):
            form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
        elif form.errors:
            response.flash = T('form has errors')
        else:
            response.flash = T('please fill out the form')
        return dict(form=form)

    def atable_read(...):
        form=crud.read(db.atable,4)
        return dict(form=form)

Thanks

Jonhy
[web2py] Re: simplejson -- wasn't this resolved?
Hello.

Problem with simplejson is that it's originally trying to load c module (_speedups.so), but web2py version of simplejson is python only. So when decoder.py, encoder.py and scanner.py trying to load c modules find it in global namespace...:

    try:
        from simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
    except ImportError:
        c_encode_basestring_ascii = None

Workaround is switching to relative imports (tested on python 2.5):

    try:
        from ..simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
    except ImportError:
        c_encode_basestring_ascii = None

--
Zahariash
[web2py] Re: elFinder-web2py , Filemanager for Web2py!
I've looked through your code and I like idea to put POST/GET and json outside the connector itself. I'll start contributing your code right now because my main goal for next release is to make python connector usable in frameworks without (if this is possible) modifications.

About speed of directory search - we know this issue. md5 hash will be replaced by some encryption, so hash can be decrypted and there will be no need to search for directory.

If you want to keep track of elfinder source update use feed http://elrte.ru/redmine/projects/elfinder/repository/revisions.atom

On Jun 30, 10:18 pm, Phyo Arkar phyo.arkarl...@gmail.com wrote:

Hello Torex

Welcome to Web2py Group! That's very good to have you here! I am trying to make elfinder work for web2py, please feel free to reuse my work in your release.

Here is the Connector initiation: http://code.google.com/p/elfinder-web2py/source/browse/filemanager/co... Check inside function elcon.

And here is elFinder Backend Class http://code.google.com/p/elfinder-web2py/source/browse/filemanager/mo...

Currently it is working partially (at least for me). Please review and test, we can work together on this.

On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin tr...@fury.scancode.ru wrote:

Hello, I'm author of elFinder.py

In about a month we plan to release new version of elFinder, mostly bugfixes but I also plan to rewrite python version to be more library like. I know there are problems integrating elfinder with different frameworks on python, current version was written for use under pure CGI. This is my first major experience with python and so I have many questions about the right way how to write connector so it can be easy to integrate and write plugins.

The biggest question to me is how to implement handling POST and GET data, I've seen many different ways how it is done in different frameworks. Currently this is done using:

    import cgi
    self._form = cgi.FieldStorage()

Maybe I should put this outside elFinder.py and only pass parameters to connector? Feedback is welcome.

On Jun 24, 5:47 am, Phyo Arkar phyo.arkarl...@gmail.com wrote:

Finally after 2 days of hacking elfinder backend for Django from http://www.elrte.ru/redmine/issues/128 http://www.google.com/url?sa=Dq=http://www.elrte.ru/redmine/issues/1... , i have managed to get elFinder working (about 90% of features)

Attached is elFinder-web2py, still a lot of improvement needed.

- Downloading files is not working yet but should be easy to fix.
- Help me make it more integrated into web2py
- Their method of Directory scanning is so slow, going to replace with os.walk.

Please note that this is not for Production use. I started a project, download and test there. Note URL (Both in View and web2py_elcon) need to be change to your host:port (i did with port 8080)

http://code.google.com/p/elfinder-web2py/downloads/list
[web2py] Re: web2py security - keep it up!
I disagree but probably I did not explain this very well. web2py has two things it calls session. One is the general session managed via cookie session_id. One is the authentication session stored into the general session file. When a user logs out the authentication session information into the general session is deleted. If an attacker were to intercept the cookie session_id and try to use it to gain access to the system, it would not work. The session_id is used for the general session and it does not expire because when the user logs in again, if the user had a state stored in the session file, you want that state to be retrieved.

Well, this is my point of view: I don't know if I'm wrong. If I understood it well, this concept could be classified as a design concept, do you agree? Design flaws are the most complex aspect of security. Personally I am doubtful about the explanation above, maybe I don't understand very well. Anyway, it's the game of "I can't find any flaw at this moment, but you can't demonstrate it hasn't". Vulns like SQL injection could be enumerated and tested by a computer in a lot of possibilities, but design flaws couldn't, since they lie in human logic. History is full of stories about design flaws. The following is a representative case. http://www.seattlepi.com/local/373426_insecure04.html

Sorry, I am very paranoid ^^

On 30 jun, 22:06, mdipierro mdipie...@cs.depaul.edu wrote:

this is how I make my hmac_key

    import uuid
    print 'sha512:'+str(uuid.uuid4())

web2py has a function in gluon/admin.py, app_create('name',request) that clones welcome and replaces hmac_key='' with a random key generated as above. From a web2py shell you can also do

    from gluon.admin import app_create
    app_create('mynewapp',request)

I would not know how to make this transparent. If you have any idea please let me know. I agree that this is undocumented.
On 30 Giu, 15:01, Yarko Tymciurak resultsinsoftw...@gmail.com wrote:

On Jun 30, 2:44 pm, Craig Younkins cyounk...@gmail.com wrote:

If you'd like this moved to the developers list, just approve my application and reply there.

When I say that MD5 is the default that applies only to the case that a hmac_key is not specified. This is 1) for backward compatibility; 2) because without a key/salt sha512 and md5 are vulnerable to the same dictionary attacks.

Hmm. Well, I'm looking at the CRYPT class and it appears that in order to use HMAC the *caller* needs to pass in the key parameter. Grepping the source tree I've found a few places where the caller does not supply the key:

applications/admin/models/access.py:55
applications/admin/controllers/default.py:78
gluon/main.py:480
gluon/main.py:495
gluon/validators.py:2344

I am of course unfamiliar with the internals of the project, but it would appear to me that admin passwords are never HMAC'd. Can you confirm?

... interesting discussion

Let me FIRST point out some things Craig mentions which should not fall by the wayside:

1. -- There is no documented way to generate {an appropriate} hmac_key:

== This is true; One major way to alleviate this would be to have an admin function that could be called manually (take your pick: to do the replacement, as gluon/admin.py:app_create() does, which would need a search/replace --- or better, just give a popup with a newly formed key an admin could readily copy/paste.

== This is also inconsistently applied --- for example, if you pack welcome app, and then (as you might with apps from other sites, such as web2py.com, or other users) install it as a newly (re)named application, your key here persists. At the surface, the same thing app_create() is doing could be done in app_install(), but this too would be prone to inconsistencies (i.e. the user you get an app from to test for them will have already installed their own hmac_key, so the kind of replacement that app_create() does - which depends on a magic string in the template app, will fail.

A better solution would be to make this completely transparent --- a little thinking about this should come to a solution (hmac_key is currently persisted in a source file...) ...

Good discussion, guys - lovely to see this!

- Yarko

I suggest that the key be pulled in from the configuration inside CRYPT so that the caller isn't required to pass it in. I would also suggest that the hash method be placed in configuration. Consolidating the configuration of security mechanisms greatly aids in a security review. If it were consolidated, a reviewer would only have to look at the default configuration. In its current state, a reviewer needs to look at all the callers of CRYPT to determine the security of CRYPT.

I realize some of my suggestions may prove difficult to support backwards compatibility. In many cases this can be worked around to
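An added illustration of the points raised in this thread, written for this page and not taken from web2py's CRYPT class or from any poster: it models the described behaviour (unkeyed MD5 when no key is passed, HMAC with the digest named in a 'sha512:<secret>' key otherwise) and the suggestion to hold the key in one place. The names hash_password, KeyedHasher and ALLOWED_DIGESTS are hypothetical, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import uuid

# Assumption of this sketch: only these digests are accepted in the key prefix.
ALLOWED_DIGESTS = ("sha256", "sha512")

# MD5 of the constructed sample string "password"; the value is widely published.
WELL_KNOWN_MD5 = "5f4dcc3b5aa765d61d8327deb882cf99"


def make_hmac_key(digest="sha512"):
    """Build a key in the 'digest:secret' form shown in the thread."""
    return "%s:%s" % (digest, uuid.uuid4())


def hash_password(password, key=None):
    """Hypothetical stand-in for the behaviour described in the thread.

    No key  -> plain, unkeyed MD5 (the backward-compatible default).
    Key set -> HMAC using the digest named before the first ':'.
    """
    data = password.encode("utf-8")
    if not key:
        return hashlib.md5(data).hexdigest()
    digest, sep, secret = key.partition(":")
    if not sep or digest not in ALLOWED_DIGESTS or not secret:
        raise ValueError("key must look like 'sha512:<secret>'")
    return hmac.new(secret.encode("utf-8"), data, digest).hexdigest()


class KeyedHasher(object):
    """Holds the key in one place so that no call site can omit it."""

    def __init__(self, key):
        if not key:
            raise ValueError("refusing to fall back to unkeyed hashing")
        hash_password("", key)  # validate the key format once, at start-up
        self._key = key

    def hash(self, password):
        return hash_password(password, self._key)

    def verify(self, password, stored):
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(self.hash(password), stored)


def compare_installs(password="password"):
    """Hash one constructed password under the three situations discussed."""
    key_a, key_b = make_hmac_key(), make_hmac_key()
    return {
        # A call site that passes no key produces the same digest on every
        # install, and for a common password that digest is already public.
        "unkeyed_is_public_value": hash_password(password) == WELL_KNOWN_MD5,
        # Independently generated keys give different digests per install.
        "keyed_differ": hash_password(password, key_a)
        != hash_password(password, key_b),
        # An app packed and re-installed with its key intact shares the key,
        # so the clone's digests match the original's again.
        "cloned_key_identical": KeyedHasher(key_a).hash(password)
        == hash_password(password, key_a),
    }


if __name__ == "__main__":
    for name, value in sorted(compare_installs().items()):
        print(name, value)
```
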
[web2py] facebook oauth test on GAE
Hi, You can test the facebook OAuth code on GAE: http://grafbook.appspot.com/helloFacebook Code of application will be available soon after some cleanup! tnx michele
[web2py] GAE precompilation
http://googleappengine.blogspot.com/2010/06/app-engine-sdk-135-released-with-new.html

in this release we’ve also added support for precompilation of Python source files to match the same feature we launched for Java last year. For Python, you can now use precompilation to speed up application loading time and to reduce CPU usage for new app instances. You can enable precompilation by including the following lines in your app.yaml file:

    derived_file_type:
    - python_precompiled

This will start offline precompilation of Python modules used by your app when you deploy your application. Currently precompilation is off by default for Python applications, but it will be enabled by default in some future release. (Java precompilation has been enabled by default since the release of 1.3.1.)

To give you a taste of what this feature is like, we tested this on a modified version of Rietveld (which included a copy of Django 1.0.4 in the app directory, and which did not use the datastore in its base url). The latency and CPU usage results for the initial load of the application, after uploading a new version of the app and requesting the homepage, were:

Before precompilation enabled:
Test 1: 1450ms 1757cpu_ms
Test 2: 1298ms 1523cpu_ms
Test 3: 1539ms 1841cpu_ms

After precompilation enabled:
Test 1: 805ms 669cpu_ms
Test 2: 861ms 702cpu_ms
Test 3: 921ms 803cpu_ms

anyone tested this with web2py?
[web2py] Re: How to enable request_reset_password function?
http://code.google.com/p/web2py/source/browse/gluon/tools.py

At line 1866 of gluon/tools.py you will find:

    if not self.settings.mailer:
        response.flash = self.messages.function_disabled
        return ''

which means you will need to enable mail to get this working.

Richard

On Jun 26, 6:59 am, elfuego1 elfue...@gmail.com wrote:

Hello, I try to enable request_reset_password function but every time I enter this page: http://127.0.0.1:8000/project/default/user/request_reset_password I receive message that the function is disabled. Can you please tell me what should I do and where to get it working? Thank you in advance, Andrew.
[web2py] Re: sql.py error?
For the moment, I suggest you simply remove the stmt: self._last_reference = tmp I can assure you that it is not needed for any existing applications. It is intended as a future feature to support native Google App Engine code within web2py. _last_reference is a dynamically added attribute to the instance, but somehow the error suggests the code is passing through that statement twice on the same self instance. Perhaps a del self._last_reference in front would help, but I need to really find the the root cause of the bug. - Dave Lypka. On Jun 30, 2:33 pm, dlypka dly...@gmail.com wrote: I will have a look at this tonight, using the WING IDE debugger, because _last_reference was a new property added at my suggestion, so I am somewhat familiar with it Looks like somehow the same SQL Row instance is being 'reused' for creating a new row which I would not expect to happen. - Dave Lypka. On Jun 30, 1:03 am, Yarko Tymciurak resultsinsoftw...@gmail.com wrote: On Jun 29, 3:27 pm, Chris S sanders.ch...@gmail.com wrote: I'm actually not sure how to set break points. I'm using Eclipse so I'm sure there's a way but while I'm educating myself. A bit of an aside, but for completeness: Not sure about Eclipse... maybe this will help:http://pydev.org/manual_adv_debugger.html It sort of looks familiar - like winpdb (which is a free windowed --- NOT windows --- debugger for python; you could get that separate). I would (of course) do this with local gae environment. An alternative is to get a 30-day eval of WingIDE, and debug with that either should be fine. - Yarko Here's all you should need to know if the above isn't descriptive enough. 
In db.py:

    auth = Auth(globals(),db) # authentication/authorization
    auth.define_tables() # creates all needed tables

Using Appadmin
-Add a user to auth_users
-Create group 'admin' in auth_groups
-Make the user a member of admin in auth_memberships

In the application:

    def add():
        """Debug Function"""
        group=db(db.auth_group.role=='admin').select()[0]
        auth.add_permission(group.id,'access','mystuff')
        auth.add_permission(group.id,'access','myotherstuff')
        redirect(URL(request.application,request.controller,'index'))

Call /application/controller/add

In appadmin view the auth_permissions table. You should see two entries:
one with the group.id for Admin, access, and table of 'mystuff'.
one with the group.id for Admin, access, and table of 'myotherstuff'.

Instead you'll get the above error and only mystuff is added to the auth_permissions. You can comment out either line and add them one at a time with no errors. In fact you can add the same permission several times and you'll see duplicate entries. You can not however, have both of the above added in a single function call. This used to work but no longer does. When I get some time maybe I can test which revision broke this but my guess is it's 650:7c531beb7820 with comment self._last_reference, thanks Dave.

Sorry I'm not more help. Wish I could just patch this but I'm still learning python/web2py and this one's a bit above me.

On Jun 29, 3:01 pm, Yarko Tymciurak resultsinsoftw...@gmail.com wrote:

can you give a complete example necessary to reproduce? Alternatively, you can debug yourself: set a breakpoint at gluon/tools.py::Auth:add_permission() and analyze what's going on...

- Yarko

On Jun 29, 2:13 pm, Chris S sanders.ch...@gmail.com wrote:

Crap that should read: To reproduce:

    def test():
        auth.add_permission(id,'name','table1')
        auth.add_permission(id,'name','table2')
        return

I'm trying to assign two different permissions to the same group in a single function to get the error.
On Jun 29, 2:11 pm, Chris S sanders.ch...@gmail.com wrote: Actually, that's not exactly what's happening. The error is produced when trying to make two calls back to back to auth.add_permission(). Single calls still create duplicate enteries but back to back calls error on the 2nd call never creating an entry. To reproduce: def test(): auth.add_permission(id,'name','table1') auth.add_permission(id,'name','table1') return Either one of the above can be run by itself, but both in the same controller will fail with the above error on the 2nd permission. On Jun 29, 1:35 pm, Chris S sanders.ch...@gmail.com wrote: I think the most recent update to trunk I've found a spot in sql.py where functionality is different though it might be intended. In the last stable release you could make a call: auth.add_permission(group.id,'name','table_name') You could do this with out first checking for it's existence already. A new
[web2py] Re: elFinder-web2py , Filemanager for Web2py!
Hello Troex Welcome to web2py group! Your arrival could not be more timely I am working on elfinder and web2py integration. You are in the right place to be helped with python and websites. This google group is very helpful. I'd like to contribute too. My spoken English is limited to express complex ideas. I wonder if you speak Spanish, as I see it sounds ElDorado elfinder and Spanish, and the finder website is in Spanish. I'm from Spain. The best way to start a project in python is google groups. Why not create a group so that we can discuss elfinder? About elfinder compatible with other Python frameworks, what are the frameworks that interest you most? Web2py is especially easy to manage files, since all transfers are streaming automatically. In matters of compatibility and data management will be happy to help. To be compatible with various frameworks is not necessarily limited by CGI. The only justification for using CGI are the restrictions of the web server. It is possible to make it compatible without having to change anything. But maybe then squandered advantage of some frameworks, as in the case of streaming files web2py automatic. About elRTE, do you plan to integrate it with elfinder and python as well? On 1 jul, 02:11, Troex Nevelin tr...@fury.scancode.ru wrote: I've looked though your code and I like idea to put POST/GET and json outside the connector itself. I'll start contributing your code right now because my main goal for next release is to make python connector usable in frameworks without (if this is possible) modifications. About speed of directory search - we know this issue. md5 hash will be replaced by some encryption, so hash can be decrypted and there will be no need to search for directory. If you want to keep track of elfinder source update use feedhttp://elrte.ru/redmine/projects/elfinder/repository/revisions.atom On Jun 30, 10:18 pm, Phyo Arkar phyo.arkarl...@gmail.com wrote: Hello Torex Welcome to Web2py Group! 
Thats very good to have you here! I am trying to make elfinder work for web2py , please feel free to reuse my work in your release. Here is the Connector initiation: http://code.google.com/p/elfinder-web2py/source/browse/filemanager/co... Check inside function elcon . and here is elFinder Backend Class http://code.google.com/p/elfinder-web2py/source/browse/filemanager/mo... Currently it is working partially (atleast for me) Please review and test , we can work together on this. On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin tr...@fury.scancode.ruwrote: Hello, I'm author of elFinder.py In about a month we plan to release new version of elFinder, mostly bugfixes but I also plan to rewrite python version to be more library like. I know there are problems integrating elfinder with different frameworks on python, current version was written for use under pure CGI. This is my first major experience with python and so I have many questions about the right way how to write connector so it can be easy to integrate and write plugins. The biggest question to me is how to implement handling POST and GET data, I've seen many different ways how it is done in different frameworks. Currently this is done using: import cgi self._form = cgi.FieldStorage() Maybe I should put this outside elFinder.py and only pass parameters to connector? Feedback is welcome. On Jun 24, 5:47 am, Phyo Arkar phyo.arkarl...@gmail.com wrote: Finally after 2 days of hacking elfinder backend for Django fromhttp:// www.elrte.ru/redmine/issues/128 http://www.google.com/url?sa=Dq=http://www.elrte.ru/redmine/issues/1... , i have managed to get elFinder working (about 90% of features) Attached is elFinder-web2py , still alot of improvement needed. -Downloading files is not working yet but should be easy to fix. -Help me make it more integrated into web2py -Their method of DIrectory scanning is so slow , going to replace with os.walk. Please note that this is not for Production use. 
I started a project , download and test there. Note URL (Both in View and web2py_elcon) need to be change to your host:port (i did with port 8080) http://code.google.com/p/elfinder-web2py/downloads/list
[web2py] Re: Caching downloads
Got it. That was driving me nuts. By default the static folder is handled by App.yaml on GAE. But no expiration date was set in the default file provided with web2py. Adding an expiration date causes static files to start properly caching again. I also tested removing the static section of app.yaml and that allows web2py to handle the files if you prefer. I've e-mailed this to Mdipierro, but here's what it looks like for anyone that wants to enable the caching on their current GAE applications. This is from the thread on the message group Caching downloads Apparently on GAE if an expiration date is not set, it defaults Cache- Control: no-cache. I wasn't sure how you prefer an update like this be submitted so here's a patch file from Mercural text form below. All I did was set a default expiration (90days) for the static folder. Now on the 2nd load of a page all static files are recognized and load times are significantly faster. You really just need to add an expiration time, here I've chosen 90 days. --Patch--- diff -r a7af8604b5e4 app.yaml --- a/app.yamlTue Jun 29 17:13:00 2010 -0500 +++ b/app.yamlWed Jun 30 23:22:58 2010 -0500 
@@ -9,6 +9,7 @@ static_files: applications/\1/static/\2 upload: applications/(.+?)/static/(.+) secure: optional + expiration: 90d - url: /admin-gae/.* script: $PYTHON_LIB/google/appengine/ext/admin -/Patch--- On Jun 30, 3:56 pm, mdipierro mdipie...@cs.depaul.edu wrote: If I understand you talk about normal static files. That is done in gluon/main.py static_file = parse_url(request, environ) if static_file: if request.env.get('query_string', '')[:10] == 'attachment': response.headers['Content-Disposition'] = 'attachment' response.stream(static_file, request=request) On 30 Giu, 15:42, Chris S sanders.ch...@gmail.com wrote: I'll take a look and see what I can do. Can you point me to where this is happening? I see a streamer.py but no where does it set Cache-Control = no-cache. Where is that decision being made? I'm assuming in the same gluon module I'll find the logic behind the auto-stream of /static/filename? On Jun 30, 3:35 pm, mdipierro mdipie...@cs.depaul.edu wrote: I may have sent the wrong link. There are two issues: 1) we tried to set a cache for static files in the past and we run into problems with ssl and ie. This was discussed at lenght in an old thread but I cannot find it now. 2) It is unclear whether serving static content should cache. In a production environment with apache yes. I am in favor of caching as long as the expire time is small since we do not have a mechanism for setting it. If you send me a patch and we try on different browsers with and without ssl, than we can include it. On 30 Giu, 15:25, Chris S sanders.ch...@gmail.com wrote: I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. 
It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabled?

On Jun 30, 3:01 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Unfortunately setting cache-control breaks IE with SSL http://support.microsoft.com/kb/316431

On 30 Giu, 13:57, Chris S sanders.ch...@gmail.com wrote:

I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files. The above code did not get me there though I ended up using:

    import os
    import time

    def c_download():
        # both values come straight from the request
        controller=request.vars.c
        file=request.vars.f
        response.headers['Cache-Control']='private'
        del response.headers['Content-Type']
        del response.headers['Pragma']
        del response.headers['Expires']
        filename = os.path.join(request.folder,'static',controller,file)
        response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
        return response.stream(open(filename,'rb'))

The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick. What I'm not clear on is why this is necessary. From the book: When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for
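Review bot: the added line "expiration: 90d" in the app.yaml hunk earlier in this message applies to every file matched by the static handler, and the hunk gives no way to invalidate a cached copy after a deploy, so a corrected script or stylesheet will not reach returning browsers or intermediate caches until the 90 days run out. The thread itself asks for a small expire time because there is no mechanism for setting it, so consider a much shorter value here (hours or a day), or keep the long lifetime only together with versioned static file names, and add a comment in app.yaml saying why the value was chosen.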
[web2py] Re: Caching downloads
Got it. That was driving me nuts. By default the static folder is handled by App.yaml on GAE. But no expiration date was set in the default file provided with web2py. Adding an expiration date causes static files to start properly caching again. I also tested removing the static section of app.yaml and that allows web2py to handle the files if you prefer. I've e-mailed this to Mdipierro, but here's what it looks like for anyone that wants to enable the caching on their current GAE applications. You really just need to add an expiration time, here I've chosen 90 days. --Patch--- diff -r a7af8604b5e4 app.yaml --- a/app.yamlTue Jun 29 17:13:00 2010 -0500 +++ b/app.yamlWed Jun 30 23:22:58 2010 -0500 
@@ -9,6 +9,7 @@ static_files: applications/\1/static/\2 upload: applications/(.+?)/static/(.+) secure: optional + expiration: 90d - url: /admin-gae/.* script: $PYTHON_LIB/google/appengine/ext/admin -/Patch--- On Jun 30, 3:56 pm, mdipierro mdipie...@cs.depaul.edu wrote: If I understand you talk about normal static files. That is done in gluon/main.py static_file = parse_url(request, environ) if static_file: if request.env.get('query_string', '')[:10] == 'attachment': response.headers['Content-Disposition'] = 'attachment' response.stream(static_file, request=request) On 30 Giu, 15:42, Chris S sanders.ch...@gmail.com wrote: I'll take a look and see what I can do. Can you point me to where this is happening? I see a streamer.py but no where does it set Cache-Control = no-cache. Where is that decision being made? I'm assuming in the same gluon module I'll find the logic behind the auto-stream of /static/filename? On Jun 30, 3:35 pm, mdipierro mdipie...@cs.depaul.edu wrote: I may have sent the wrong link. There are two issues: 1) we tried to set a cache for static files in the past and we run into problems with ssl and ie. This was discussed at lenght in an old thread but I cannot find it now. 2) It is unclear whether serving static content should cache. In a production environment with apache yes. I am in favor of caching as long as the expire time is small since we do not have a mechanism for setting it. If you send me a patch and we try on different browsers with and without ssl, than we can include it. On 30 Giu, 15:25, Chris S sanders.ch...@gmail.com wrote: I'm not sure I understand the comment. Following the link it says that Microsoft file formats can not be opened if the cache-control is set to no-cache. What I'm seeing is cache-control is *always* set to no-cache when I expected it to allow caching of files in /static. 
It seems that with the above support issue IE would be unable to open any Microsoft document served by Web2py because the cache-control is always being set to no-cache. Shouldn't files in static always be served with cache enabled?

On Jun 30, 3:01 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Unfortunately setting cache-control breaks IE with SSL http://support.microsoft.com/kb/316431

On 30 Giu, 13:57, Chris S sanders.ch...@gmail.com wrote:

I've had this bookmarked and have been looking over it recently. I added a c_download (cached download) function as described above to allow local caching of files. The above code did not get me there though I ended up using:

    import os
    import time

    def c_download():
        # both values come straight from the request
        controller=request.vars.c
        file=request.vars.f
        response.headers['Cache-Control']='private'
        del response.headers['Content-Type']
        del response.headers['Pragma']
        del response.headers['Expires']
        filename = os.path.join(request.folder,'static',controller,file)
        response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
        return response.stream(open(filename,'rb'))

The key difference being I found I had to set the 'Cache-Control' header, just deleting it didn't do the trick. What I'm not clear on is why this is necessary. From the book: When static files are downloaded, web2py does not create a session, nor does it issue a cookie or execute the models. web2py always streams static files in chunks of 1MB, and sends PARTIAL CONTENT when the client sends a RANGE request for a subset of the file. web2py also supports the IF_MODIFIED_SINCE protocol, and does not send the file if it is already stored in the browser's cache and if the file has not changed since that version. Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD

So then, if I serve a style.css file from static, or build a link from URL() to a file in static. Why do these files
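An added example, not code from this thread or from web2py: the c_download action quoted in both "Caching downloads" messages joins request.vars.c and request.vars.f into a file path, so this sketch shows one way to confine such a lookup to the application's static folder and to emit Last-Modified as an HTTP date in GMT. The names resolve_static, last_modified_header and StaticLookupError are hypothetical, and the directory tree and request values are constructed in a temporary folder.

```python
import os
import tempfile
from email.utils import formatdate


class StaticLookupError(ValueError):
    """Raised when a requested name must not be served."""


def resolve_static(app_folder, controller, name):
    """Return the real path of static/<controller>/<name> or raise."""
    static_root = os.path.realpath(os.path.join(app_folder, "static"))
    for part in (controller, name):
        # os.path.join discards everything before an absolute component,
        # so absolute values are refused before joining.
        if not part or "\x00" in part or os.path.isabs(part):
            raise StaticLookupError("bad path component: %r" % (part,))
    # realpath collapses '..' and follows symlinks, so the containment test
    # below is made on where the file really lives.
    candidate = os.path.realpath(os.path.join(static_root, controller, name))
    try:
        inside = os.path.commonpath([static_root, candidate]) == static_root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise StaticLookupError("outside static folder: %r" % (candidate,))
    if not os.path.isfile(candidate):
        raise StaticLookupError("not a regular file: %r" % (candidate,))
    return candidate


def last_modified_header(path):
    """HTTP-date for the file's mtime, always expressed in GMT."""
    return formatdate(os.path.getmtime(path), usegmt=True)


def demo():
    """Run the check over constructed requests; returns {label: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as app:
        os.makedirs(os.path.join(app, "static", "default"))
        os.makedirs(os.path.join(app, "private"))
        with open(os.path.join(app, "static", "default", "style.css"), "w") as fh:
            fh.write("body {}\n")
        with open(os.path.join(app, "private", "settings.py"), "w") as fh:
            fh.write("# constructed file outside static\n")
        outside = os.path.join(app, "private", "settings.py")
        requests = {
            "normal": ("default", "style.css"),
            "dotdot_in_f": ("default", os.path.join("..", "..", "private", "settings.py")),
            "dotdot_in_c": (os.path.join("..", "private"), "settings.py"),
            "absolute_f": ("default", outside),
            "missing": ("default", "nope.css"),
        }
        for label, (c, f) in requests.items():
            try:
                path = resolve_static(app, c, f)
                is_gmt = last_modified_header(path).endswith("GMT")
                results[label] = ("served", is_gmt)
            except StaticLookupError:
                results[label] = ("rejected", None)
    return results


if __name__ == "__main__":
    for label, outcome in sorted(demo().items()):
        print(label, outcome)
```

In a controller, a rejected lookup would map to a 404 response before any file is opened.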
[web2py] Re: web2py security - keep it up!
I'm still thinking about it. I was raised a small question regarding the cooperation of applications (page 126 of book). The applications can share tables, sessions, files, import modules from other applications, call other's applications actions with exec_environment ... Is there a way to prevent my application to share this information? If an application poorly designed is vulnerable ¿can others applications protect against this? I have not very clear whether a web2py installation is designed to be programmed by a single development team, or if possible more than one webmaster at the same time. Let's say we have a system with multiple applications such as wikis T3- like, where each wiki has its own administrator. Is web2py not intended for that? On 1 jul, 02:15, GoldenTiger goldenboy...@gmail.com wrote: I disagree but probably I did not explain this very well. web2py has two things it calls session. One is the general session managed via cookie session_id. One is the authentication session stored into the general session file. When a user logs out the authentication session information into the general session is deleted. If an attacker where to intercept the cookie session_id and try to use it to gain access to the system, it would not work. The session_id is used for the general session and it does not expire because when the user logs in again, if the user had a state stored in the session file, you want that state to be retrieved. Well, this is my point of view: I don't know if i'm wrong. If i understanded it well, this concept could be classified as a design concept, do you agree? 
design flaws are the most complex aspect of security personally I am doubtful about the explanation above, maybe I don't understand very well anyway it's the game of I can't find any flaw at this moment, but you can't demonstrate it hasn't Vulns like SQL injection could be enumerated and tested by a computer in a lot of possibilities, but design flaws couldn't, since lies on human logic History is full of stories about design flaws. The following is a representative case.http://www.seattlepi.com/local/373426_insecure04.html Sorry, I am very paranoid ^^ On 30 jun, 22:06, mdipierro mdipie...@cs.depaul.edu wrote: this is how I make my hmac_kay import uuid print 'sha512:'+str(uuid.uuid4()) web2py has a function in gluon/admin.py, app_create('name',request) that clones welcome and replaces hmac_key='' with a random key generated as above. From a web2py shell you can also do from gluon.admin import app_create app_create('mynewapp',request) I would not know how to make this transparent. If you have any idea please let me know. I agree that this is undocumented. On 30 Giu, 15:01, Yarko Tymciurak resultsinsoftw...@gmail.com wrote: On Jun 30, 2:44 pm, Craig Younkins cyounk...@gmail.com wrote: If you'd like this moved to the developers list, just approve my application and reply there. When I say that MD5 is the default that applies only to the case that a hmac_key is not specified. This is 1) for backward compatibility; 2) because without a key/salt sha512 and md5 are vulnerable to the same dictionary attacks. Hmm Well, I'm looking at the CRYPT class and it appears that in order to use HMAC the *caller* needs to pass in the key parameter. 
Grepping the source tree I've found a few places where the caller does not supply the key: applications/admin/models/access.py:55 applications/admin/controllers/default.py:78 gluon/main.py:480 gluon/main.py:495 gluon/validators.py:2344 I am of course unfamiliar with the internals of the project, but it would appear to me that admin passwords are never HMAC'd. Can you confirm? ... interesting discussion Let me FIRST point out some things Craig mentions which should not fall by the wayside: 1. -- There is no documented way to generate {an appropriate} hmac_key: == This is true; One major way to alleviate this would be to have an admin function that could be called manually (take your pick: to do the replacement, as gluon/admin.py:app_create() does, which would need a search/replace --- or better, just give a popup with a newly formed key an admin could readily copy/paste. == This is also inconsistently applied --- for example, if you pack welcome app, and then (as you might with apps from other sites, such as web2py.com, or other users) install it as a newly (re)named application, your key here persists. At the surface, the same thing app_create() is doing could be done in app_install(), but this too would be prone to inconsistencies (i.e. the user you get an app from to test for them will have already installed their own hmac_key, so the kind of replacement that app_create() does - which depends on a magic string in the template app,
[web2py] Re: Accessing auth_user table
OK. Now I can see an error:

POST http://127.0.0.1:8000/myapplication/default/ajaxuserexist 500 INTERNAL SERVER ERROR

There is also information about issued ticket but I can't open it in web browser, so I paste it below:

(dp1 S'output' p2 S'' sS'layer' p3 S'F:\\Programy\\web2py\\applications\\myapplication/controllers/ default.py' p4 sS'code' p5 S'# -*- coding: utf-8 -*-\n \n# \n## This is a samples controller\n## - index is the default action of any application\n## - user is required for authentication and authorization\n## - download is for downloading files uploaded in the db (does streaming)\n## - call exposes all registered services (none by default) \n# \n\ndef index():\n\nexample action using the internationalization operator T and flash\nrendered by views/ default/index.html or views/generic.html\n\nresponse.flash = T(\'Welcome to web2py\')\nreturn dict(message=T(\'Hello World\')) \n\n\ndef user():\n\nexposes:\n http:///[app]/default/user/login\n http:///[app]/default/user/logout\n http:///[app]/default/user/register\n http:///[app]/default/user/profile\n http:///[app]/default/user/retrieve_password\n http:///[app]/default/user/change_password\nuse @auth.requires_login()\n@auth.requires_membership(\'group name \')\n@auth.requires_permission(\'read\',\'table name \',record_id)\nto decorate functions that need access control\n \nreturn dict(form=auth())\n\n\ndef download():\n\n allows downloading of uploaded files\n http:///[app]/default/download/[filename]\n \nreturn response.download(request,db)\n\n\ndef call():\n \nexposes services. for example:\n http:///[app]/default/call/jsonrpc\n decorate with @services.jsonrpc the functions to expose\nsupports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv\n\n session.forget()\nreturn service()\n\n\n\ndef page2():\nname = request.vars.login\n#db.auth_user.insert(name=name)\nreturn dict(name=name)\n\ndef ajaxuserexist():\n username = request.vars.values()[0]\n return db(db.auth_user.login==username).count() and \'yes\' or \'no\'\n\n \nresponse._vars=response._caller(ajaxuserexist)\n' p6 sS'traceback' p7 S'Traceback (most recent call last):\n File gluon/restricted.py, line 178, in restricted\n File F:\\Programy\\web2py\\applications\ \myapplication/controllers/default.py, line 67, in module\n File gluon/globals.py, line 96, in lambda\n File F:\\Programy\\web2py\ \applications\\myapplication/controllers/default.py, line 64, in ajaxuserexist\n File gluon/sql.py, line 1329, in __getattr__ \nKeyError: \'auth_user\'\n' p8 s.

On 30 Cze, 22:59, mdipierro mdipie...@cs.depaul.edu wrote:

I'd like to know if the console reports any error when the ajax request is executed.

On 30 Giu, 15:31, elfuego1 elfue...@gmail.com wrote:

I have firebug installed. What do you want me to look for? You want to see some firebug output?

On 30 Cze, 22:25, mdipierro mdipie...@cs.depaul.edu wrote:

I do not see anything wrong in this. Do you use firebug?

On 30 Giu, 15:18, elfuego1 elfue...@gmail.com wrote:

I hope I don't make your eyes bleed by putting all the code here but there is no other way to show it to you. I made a change only in one place of the code to gather login value: {login:value} Originally it was: {name:value}.
$.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}", {login:value}, function(result){

Below is the whole content of index.html

{{extend 'layout.html'}}
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<title>Ajax User Validation with web2py by Martin Sagastume</title>
<style type="text/css">
<!--
body { font-family:Arial,Verdana,Sans-serif; }
input[type=text]{ font-size:12px; color:#66; background-color:#ff; padding-top:5px; width:200px; height:20px; border:1px solid #99; }
#resultbox { font-size:11px; }
.msg { color:blue; }
.success { color:green; }
.error { color:red; }
//-->
</style>
<script type="text/javascript" src="{{=URL(r=request,c='static',f='jquery.js')}}"></script>
<script type="text/javascript">
var submit = false;
$(document).ready(function(){
  $("form").submit(function() { return submit; });
});
function getData(value){
  if(value != ""){
    $("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
[web2py] Re: web2py freezing
Can you check memory usage when it freezes? Is there anything in the db log about too many connections?

On 30 Giu, 16:06, Candid roman.bat...@gmail.com wrote:

I am using web2py in my organization for internal applications. One of the applications uses dedicated instance of web2py (v1.78.1) running on dedicated ubuntu server. It connects to our SQL Server 2005 database via freetds. It runs with the following parameters:

python web2py.py -i ... -p ... -a ... -n 100 -q 100

The application uses connection pool with 50 connections. Recently it has started freezing occasionally. The weird thing is that the whole web2py server freezes and basically stops responding, so not only you cannot access the app, you cannot even open the admin console. Sometimes it starts working again after a few minutes, sometimes I have to restart web2py. I suspect it has something to do with either web server threads not getting released or database connections not getting returned to the pool (the latter would not explain why I cannot access admin console though).

Has anyone had similar issues? Any suggestions on how to troubleshoot the problem? Any input would be highly appreciated.
[web2py] Re: Anvanced applications in gae
I think,

Field(gae.ReferenceProperty(auth_user,...)

should be

Field(gae.ReferenceProperty(db.auth_user._tableobj,)

On 30 Giu, 16:15, Carles Gonzalez carle...@gmail.com wrote:

Sorry, but I've encountered another error. The relevant part of my code is following:

if request.env.web2py_runtime_gae: # if running on Google App Engine
    from gluon.contrib.login_methods.gae_google_account import GaeGoogleAccount
    auth.settings.login_form = GaeGoogleAccount()
from gluon.contrib.gql import gae
auth.define_tables() # creates all needed tables
db.define_table('todos',
    Field('name','string'),
    Field(gae.ReferenceProperty(auth_user, required=True, collection_name='todos'))
)

And the traceback is this:

Traceback (most recent call last):
  File /Users/lauer/web2py/gluon/restricted.py, line 178, in restricted
    exec ccode in environment
  File /Users/lauer/web2py/applications/web2pytodo/models/db.py, line 76, in module
    Field(gae.ReferenceProperty(auth_user, required=True,
NameError: name 'auth_user' is not defined

Maybe the entity class is not defined at the time of the reference? I created a user, but still isn't working. When this mini-project is finished I plan to release the source. I think that a working example of this technique would be interesting for reference.

On Wed, Jun 30, 2010 at 10:56 PM, Carles Gonzalez carle...@gmail.com wrote:

Now is working. Thanks, let's continue testing...

On Wed, Jun 30, 2010 at 10:39 PM, mdipierro mdipie...@cs.depaul.edu wrote:

You are right... fixing it in trunk..1..2..3..done. Please check it.

Massimo

On 30 Giu, 15:25, Carles Gonzalez carle...@gmail.com wrote:

Hi, I was trying this technique but I'm getting this traceback when using gae_google_account:

Traceback (most recent call last):
  File /Users/lauer/web2py/gluon/restricted.py, line 178, in restricted
    exec ccode in environment
  File /Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user, line 56, in module
  File /Users/lauer/web2py/gluon/globals.py, line 96, in lambda
    self._caller = lambda f: f()
  File /Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user, line 35, in user
  File /Users/lauer/web2py/gluon/tools.py, line 966, in __call__
    return self.login()
  File /Users/lauer/web2py/gluon/tools.py, line 1419, in login
    self.log_event(log % self.user)
  File /Users/lauer/web2py/gluon/tools.py, line 1180, in log_event
    origin=origin, user_id=user_id)
  File /Users/lauer/web2py/gluon/contrib/gql.py, line 281, in insert
    self._last_reference = tmp
  File /Users/lauer/web2py/gluon/sql.py, line 1611, in __setattr__
    raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
SyntaxError: Object exists and cannot be redefined: _last_reference

On Mon, Jun 28, 2010 at 7:04 AM, dlypka dly...@gmail.com wrote:

OK I downloaded the trunk and tested this mod.

myParent = db.ParentTable.insert(name='Bill')
myParentNativeRef = myParent._table._last_reference

works Thanks again.

On Jun 27, 3:28 pm, mdipierro mdipie...@cs.depaul.edu wrote:

Maybe just add a new property dynamically to the row We could call it 'nativeRef' Would it be something like: self.nativeRef = tmp # Python can add new properties 'on-the-fly', right? as the new 2nd last statement of insert()?

If that is useful we can do it. I just did it in trunk so you can test it but I called self._last_reference to avoid possible naming conflicts.

Massimo

Any thoughts?
[web2py] Re: simplejson -- wasn't this resolved?
Is this supported in 2.4?

On 30 Giu, 18:12, zahariash karra...@gmail.com wrote:

Hello. Problem with simplejson is that it's originally trying to load c module (_speedups.so), but web2py version of simplejson is python only. So when decoder.py, encoder.py and scanner.py trying to load c modules find it in global namespace...:

try:
    from simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
except ImportError:
    c_encode_basestring_ascii = None

Workaround is switching to relative imports (tested on python 2.5):

try:
    from ..simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
except ImportError:
    c_encode_basestring_ascii = None

-- Zahariash
[web2py] Re: facebook oauth test on GAE
:-) just in time, I need it.

On 30 Giu, 20:27, mcm michele.comit...@gmail.com wrote:

Hi, You can test the facebook OAuth code on GAE: http://grafbook.appspot.com/helloFacebook

Code of application will be available soon after some cleanup!

tnx
michele