Re: [Zope] Re: login page problem
> Use SimpleUserFolder and CookieCrumbler, and cut out the cute
> abbreviations like "n" and "d" while you're at it.

I second that! I have started hitting the delete button rather than engage in the mental translation.

Cliff

Chris Withers wrote:

prabuddha ray wrote:

now my problem how n where do i check d pwd n redirect to the next zpt or the previous one if its wrong. i've a zsql method giving me the pwd for the user param passed. i wanted to kno if i can call this method on d onsubmit event? kindly gimme solns u've in mind.

Use SimpleUserFolder and CookieCrumbler, and cut out the cute abbreviations like "n" and "d" while you're at it.

Chris

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] role, user defined roles, and inclusion
Dieter Maurer wrote:

robert wrote at 2005-3-31 07:22 +0200:

Is my assumption that granting a permission to Anonymous means granting it to anybody correct?

Correct.

Actually, I don't think that is strictly true! And it reminds me of a period of confusion I went through a few months ago, when I was convinced that either I did not understand how roles were supposed to work or that there were bugs in the implementation. It turned out that I had cut and pasted a folder with its own View permissions into another folder with incompatible View permissions. I have forgotten the exact details but I think I had the Manager role in the outer folder but only the Authenticated role in the inner folder. I had totally forgotten that I had been fiddling with the View permissions days or weeks before.

So for the original questioner: check that you have not shot yourself in the foot too!

Cliff
Re: [Zope] Re: login page problem
Customisation of the login sequence is quite difficult for Newbies because there are lots of different ways to approach the problem - you have already tried some. I suspect that trying to match what was done in PHP may be part of your problem. It would be helpful to know if your lists of users are coming from one source, like a database table, or multiple sources, like multiple tables or different databases, and whether users are unique in each district. From there you decide your zope folder structure. It could be like this:

site_home
|__acl_users
|__district1
|__district2

or like this:

site_home
|__district1
|  |__acl_users
|__district2
|  |__acl_users

In the second case you would not have to worry about asking the user for the district name. In the first case you would get a district name or a user defined role for that district from a supplementary data source, like a database. A combination of exUserFolder and MySQL would do. You can get information on the logged in user (Username and Roles) from the User object, so you don't need to explicitly use sessions at this stage. You should certainly not store passwords - that would be a serious breach of confidentiality. Maybe you should say what you do with the District parameter after the user has logged in. Giving advice or examples on ZPT and Python for an approach that is probably wrong is just too time-consuming.

Cliff

prabuddha ray wrote:

Its been very kind of u all to be critical about a newbie like me. I'll definitely lookout for those etiquettes. My python script error got solved as i missed the silly ' ' in the response.redirect statement. I set the user and pwd request vars in session var. Tried cookie crumbler and MysqlUserFolder and UserFolder also but they all need to changed much and my requirements are different.

I'm building a trial govt. site for stores management which was built previously in ASP. The login page takes the districtname , username and passwd . according to the type of user different menus are displayed. For this i need to have the districtname , username and passwd carried on throughout the session. my current requirement is to pass the session vars through the python script which is the action of the login form.

I've gone through the zopebook but dint find much help there. can u plz tell me where do i get to know about python scripting done in zope n ZPT examples. i'm really sorry for my erroneous language. please dont overlook these humble requests.

On Fri, 1 Apr 2005 23:07:38 +0200, Dieter Maurer <[EMAIL PROTECTED]> wrote:

prabuddha ray wrote at 2005-3-30 23:50 -0800:

... now my problem how n where do i check d pwd n redirect to the next zpt or the previous one if its wrong.

Apparently, you need some background reading... Especially, you need to understand that HTTP is a stateless protocol and *EACH* request must somehow perform its own authentication. That's why usually login information is (somehow) coded in a cookie. You really should follow the advice to look at an existing UserFolder (they are responsible for authentication). You may need to adapt/extend an existing UserFolder.

-- Dieter
Re: [Zope] Re: login page problem
I have been trying to think of ways of providing specific pointers. So, assuming you have a custom login page and a custom python script that processes that page:

In the Python script you could set a cookie for the District:

    context.REQUEST.RESPONSE.setCookie('District', district)

where district is the name of the District field in the form. The District parameter is then always available to your page templates and scripts in the REQUEST object. At the end of your login script you would typically redirect to some specific page like this:

    return context.REQUEST.RESPONSE.redirect('aURL')

in exUserFolder you don't have to do anything else - the login works by magic, which is very confusing.

Now for the problems: If the login is wrong the system will call /standard_error_message, so you have to customise that to send the user back to the login form with a Login failed message. If the user bookmarks a protected page and tries to jump to it without being logged in, the system will call the login sequence starting in acl_users, so you have to customise that to call your own login page.

After the user has logged in, whenever you need to get the Username you would typically use a python script like this:

    from AccessControl import getSecurityManager
    return getSecurityManager().getUser().getUserName()

HTH

Cliff

prabuddha ray wrote:

Its been very kind of u all to be critical about a newbie like me. I'll definitely lookout for those etiquettes. My python script error got solved as i missed the silly ' ' in the response.redirect statement. I set the user and pwd request vars in session var. Tried cookie crumbler and MysqlUserFolder and UserFolder also but they all need to changed much and my requirements are different.

I'm building a trial govt. site for stores management which was built previously in ASP. The login page takes the districtname , username and passwd . according to the type of user different menus are displayed. For this i need to have the districtname , username and passwd carried on throughout the session. my current requirement is to pass the session vars through the python script which is the action of the login form.

I've gone through the zopebook but dint find much help there. can u plz tell me where do i get to know about python scripting done in zope n ZPT examples. i'm really sorry for my erroneous language. please dont overlook these humble requests.

On Fri, 1 Apr 2005 23:07:38 +0200, Dieter Maurer <[EMAIL PROTECTED]> wrote:

prabuddha ray wrote at 2005-3-30 23:50 -0800:

... now my problem how n where do i check d pwd n redirect to the next zpt or the previous one if its wrong.

Apparently, you need some background reading... Especially, you need to understand that HTTP is a stateless protocol and *EACH* request must somehow perform its own authentication. That's why usually login information is (somehow) coded in a cookie. You really should follow the advice to look at an existing UserFolder (they are responsible for authentication). You may need to adapt/extend an existing UserFolder.

-- Dieter
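The District cookie set in the login script above travels through the browser, so a script that later uses it to decide access rights has to treat it as untrusted input. The following is an added example, not code from the thread: it signs the value with a server-side key, binds it to the logged-in username, and verifies it on every read. It is plain Python 3 rather than a Zope script, and the key, the function names and the sample users and districts are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Assumption: a secret known only to the server (constructed value for the demo).
SERVER_KEY = b"constructed-demo-key-replace-in-production"


def b64e(data):
    """URL-safe base64 without padding, so the value is cookie friendly."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64d(text):
    """Inverse of b64e; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_for(username, payload, key):
    # The username is part of the MAC input, so one user's cookie
    # does not verify when replayed under another login.
    message = username.encode("utf-8") + b"\x00" + payload
    return hmac.new(key, message, hashlib.sha256).digest()


def issue_district_cookie(username, district, key=SERVER_KEY):
    """Value to hand to setCookie('District', ...) after a successful login."""
    payload = district.encode("utf-8")
    return b64e(payload) + "." + b64e(mac_for(username, payload, key))


def read_district_cookie(cookie, username, key=SERVER_KEY):
    """Return the district if the cookie verifies for this user, else None."""
    try:
        payload_part, mac_part = cookie.split(".")
        payload = b64d(payload_part)
        mac = b64d(mac_part)
    except ValueError:  # wrong number of parts, non-ASCII, bad base64
        return None
    # compare_digest avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(mac, mac_for(username, payload, key)):
        return None
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return None


def demo():
    """Constructed inputs: a valid cookie, an edited one, a replayed one, junk."""
    good = issue_district_cookie("storekeeper1", "district1")
    edited = b64e(b"district2") + "." + good.split(".")[1]
    return {
        "valid": read_district_cookie(good, "storekeeper1"),
        "edited": read_district_cookie(edited, "storekeeper1"),
        "other_user": read_district_cookie(good, "vendor7"),
        "junk": read_district_cookie("district2", "storekeeper1"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, "->", value)
```

Deriving the district from the authenticated User object on the server, as suggested elsewhere in this thread, avoids carrying it in a cookie at all.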
Re: [Zope] Re: login page problem
I am abstracting bits of your email below in case anyone else wants to join in.

> I dint want to built customized login page in 1st place. Actually this
> is a Govt. stores management site used in my state only built all in
> ASP. I 've to convert this into a Zope and Plone version.
> So i wanted to get it converted with minimum changes.

If you are going to use Plone I can't offer advice - I have looked at Plone on three separate occasions, and recently read The Definitive Guide to Plone, and have still decided not to use it. I only say this to make it clear that many applications are built without CMS and Plone.

> 1> the district name and their users come from 2 separate Mysql
> tables. the users are unique in each district.

Two separate tables with User information is awkward! The user folders I know of expect user information to come from one source. So you either have to create two folders, each with its own acl_users (provided by one of the User Folder Products), or you have to hack the User Folder product to put in a Union select statement in place of a simple Select.

> Now the question is how do build this district user folder structure
> using the database?
> Hope not manually, because there are 22 districts and about 15 users
> in each of them plus head quarters.

You have not said whether the people in the different districts do completely different things with different forms, or identical things but specifying the district. If the former then it is no big deal to create the folders manually, although it can be done programmatically. You could set a Local Role equal to the district name and get that role for users from the database. That way, users can only enter their own district folder. If the latter, then you could retrieve the Username and District from the User object for use in the forms (include the District as a role).

> i dint get to know much about coding ZPT's and Script(Python) for
> them, from the ZPT refs and Zopebook. So wanted some simple working
> examples.

Try working on the rest of your application to build up ZPT and Python experience. As I said, managing users is tricky. Also, be aware that Zope experts advise developers to produce file system based Products. There are lots of simple Products that you can use and browse the code to see how they work.

Cliff

_

prabuddha ray wrote:

Hi list, never before i got such a holistic advice. thanks so much Cliff. About the 1st mail,

On Sat, 02 Apr 2005 17:03:56 +0100, Cliff Ford <[EMAIL PROTECTED]> wrote:

Customisation of the login sequence is quite difficult for Newbies because there are lots of different ways to approach the problem - you have already tried some. I suspect that trying to match what was done in PHP may be part of your problem. It would be helpful to know if your lists of users are coming from one source, like a database table, or multiple sources, like multiple tables or different databases, and whether users are unique in each district

I dint want to built customized login page in 1st place. Actually this is a Govt. stores management site used in my state only built all in ASP. I 've to convert this into a Zope and Plone version. So i wanted to get it converted with minimum changes. But now as you say i think I should go the way Zope does it . only that i'm finding it hard to customize it in Zope.

1> the district name and their users come from 2 separate Mysql tables. the users are unique in each district.

From there you decide your zope folder structure. It could be like this:

site_home
|__acl_users
|__district1
|__district2

or like this:

site_home
|__district1
|  |__acl_users
|__district2
|  |__acl_users

In the second case you would not have to worry about asking the user for the district name. In the first case you would get a district name or a user defined role for that district from a supplementary data source, like a database.

So i think 2nd structure is a better fit. Now the question is how do build this district user folder structure using the database? Hope not manually, because there are 22 districts and about 15 users in each of them plus head quarters.

A combination of exUserFolder and MySQL would do.

i don know about them, something like mysqluserfolder or simpleuserfolder components ?

You can get information on the logged in user (Username and Roles) from the User object, so you don't need to explicitly use sessions at this stage. You should certainly not store passwords - that would be a serious breach of confidentiality. Maybe you should say what you do with the District parameter after the user has logged in.

I dont need the password but do need the username and district for following pages to decide the access rights and the stores available in the districts , also for some report labels.

Giving advice or e
Re: [Zope] Set MIME type using ZPT
srikanth wrote:

Hi, I am using an external method to load an Image from the harddrive. The external method is as follows:

    from email.MIMEImage import MIMEImage
    ##parameters=filename
    def getDocument(filename):
        fname = '/mnt/'+filename;
        input = open(fname,'r')
        content = MIMEImage( input.read( ) )
        input.close( )
        return content

When I try to display the content in the webpage what I actually got is all raw data of the file rather the image. So how can I convert the raw data to be displayed as image in the webpage. I am using ZPT to display the web page (image). If its dtml I could have used tag is there any equivalent to that in ZPT. Any suggestion would be a gr8 help.

It is not clear exactly how you are using the Page Template. Typically the page would have an img tag that calls a python script that calls the External Method. Remember the web browser fetches the image separately after the html has been received - so your img tag might look like this:

and your getImage python script would look like this:

    (type, encoding) = context.getMimeType(context.REQUEST.filename)
    context.REQUEST.RESPONSE.setHeader('Content-Type', type)
    context.REQUEST.RESPONSE.setHeader('Content-Disposition', 'inline;
    return context.getDocumentCall(context.REQUEST.filename)

where getDocumentCall is the name of your External Method that calls the getDocument External Method and getMimeType is another External Method that looks like this:

    import mimetypes
    def getMimeType(filename):
        return mimetypes.guess_type(filename)

and your own external method would look like this:

> ##parameters=filename
> def getDocument(filename):
>     fname = '/mnt/'+filename;
>     input = open(fname,'r')
>     content = input.read( )
>     input.close( )
>     return content

At the moment you seem to have skipped a step.

HTH

Cliff

Ta.
Re: [Zope] Set MIME type using ZPT
srikanth wrote:

Hi, I tried this one. But the html page takes the parameter as a string but doesn't Execute the python function. I got all the functions (External methods) all set. The img tag I used is:

Have a look at the generated html source. You have not said whether the problem is a mal-formed image tag, or the image tag failing to fetch the image. Also, pay attention to Tino's comments on security. I only ever use a Serial Number, not Filename - that comes from a database. Don't forget that image tags should have width, height and alt attributes.

Cliff

Because I am getting the filename from the resultset. Once again thanks for all your time and patience. Any help would be gr8.

Ta.
Srikanth.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cliff Ford
Sent: Monday, April 04, 2005 11:15 PM
Cc: zope@zope.org
Subject: Re: [Zope] Set MIME type using ZPT

srikanth wrote:

Hi, I am using an external method to load an Image from the harddrive. The external method is as follows:

    from email.MIMEImage import MIMEImage
    ##parameters=filename
    def getDocument(filename):
        fname = '/mnt/'+filename;
        input = open(fname,'r')
        content = MIMEImage( input.read( ) )
        input.close( )
        return content

When I try to display the content in the webpage what I actually got is all raw data of the file rather the image. So how can I convert the raw data to be displayed as image in the webpage. I am using ZPT to display the web page (image). If its dtml I could have used tag is there any equivalent to that in ZPT. Any suggestion would be a gr8 help.

It is not clear exactly how you are using the Page Template. Typically the page would have an img tag that calls a python script that calls the External Method. Remember the web browser fetches the image separately after the html has been received - so your img tag might look like this:

and your getImage python script would look like this:

    (type, encoding) = context.getMimeType(context.REQUEST.filename)
    context.REQUEST.RESPONSE.setHeader('Content-Type', type)
    context.REQUEST.RESPONSE.setHeader('Content-Disposition', 'inline;
    return context.getDocumentCall(context.REQUEST.filename)

where getDocumentCall is the name of your External Method that calls the getDocument External Method and getMimeType is another External Method that looks like this:

    import mimetypes
    def getMimeType(filename):
        return mimetypes.guess_type(filename)

and your own external method would look like this:

> ##parameters=filename
> def getDocument(filename):
>     fname = '/mnt/'+filename;
>     input = open(fname,'r')
>     content = input.read( )
>     input.close( )
>     return content

At the moment you seem to have skipped a step.

HTH

Cliff

Ta.
Re: [Zope] "segregated" users
It is possible, I have done something similar. My solution involves giving users a Local Role in a folder to which access is to be granted. I built a small utility (with ZClasses - doh) to make it easy for the Administrators to add users from a database.

Cliff

Tim Evans wrote:

I apologize if this issue is something that has been discussed before, but I searched the archives to no avail.

I'm evaluating zope for a project, and I have some questions regarding the extensibility of the user security model. The company I work for would like to provide documents to clients via the web, and only allow one particular client (or group of users from the same client) access to those documents. I don't want any user to be able to detect the presence of any other user. I essentially want several "sites", one for each client, with a group of administrative users responsible for maintaining these sites and publishing content to all of them.

What this would require is a group of administrators that can see all sites, as well as restricted users with privileges to exactly one site. I'd also like to avoid having a role for each site, as that could get ugly for almost 1000 clients. It would also be great if we could designate a user to administer only one site, so that they could only publish data to one client.

I guess I want "zope-level" users and "application-level" users. Is this something that sane people do? I don't really need a step-by-step, just a "yes, that is possible" or a "no, you're an idiot" before I start digging in to try and do it.

Tim
Re: [Zope] Re: login page problem
I am not sure I have much to add. I have been concerned about your product architecture and unusual login procedure, but that is really none of my business. Some of what you say below is inconsistent:

> One problem that concerns next query is that it took only one table
> for user details whereas i had one more table for district.
...
> userdetail table is linked using this district code.

From this, and what you said previously, I presume you have login working but for only the half of the users in one of the two User tables. I already suggested alternative ways of handling this. If your folders are going to be Districts consider giving users who need to fill out forms in one District a Local Role in that District, and users who need access to many districts a Local Role in the Districts parent folder.

This correspondence is too long for anyone else to follow. Next time, may I suggest come back to the list with a new question in a new thread.

Cliff

prabuddha ray wrote:

HI Cliff, I was hoping another reply eagerly. hope you dint give up on me. I've got some clarifications given below.

On Mon, 04 Apr 2005 16:08:50 +0100, Cliff Ford <[EMAIL PROTECTED]> wrote:

I am abstracting bits of your email below in case anyone else wants to join in. If you are going to use Plone I can't offer advice - I have looked at Plone on three separate occasions, and recently read The Definitive Guide to Plone, and have still decided not to use it. I only say this to make it clear that many applications are built without CMS and Plone.

I had no idea about this. i knew that zope acts as a app server and plone is the front end tool. In fact I'm building the store's site as a plone site in zope. As a matter of fact i've not done much specific in plone . just built 2 tabpanes. I configured the exUserFolder using the mysql database and as expected it built up a separate login system. so i believe it'll work on itself without plone. One problem that concerns next query is that it took only one table for user details whereas i had one more table for district.

Two separate tables with User information is awkward! The user folders I know of expect user information to come from one source. So you either have to create two folders, each with its own acl_users (provided by one of the User Folder Products), or you have to hack the User Folder product to put in a Union select statement in place of a simple Select.

d quarters.

let me explain the login page flow. a dropdown list of districts is available on load. on selecting a district the page reloads and the available users are listed in 2nd dropdown list. after selecting the user the password is to be given. So that way i need both the 'district' and the 'userdetail' table. actually the district table has district code ,name and other stores related nfo. userdetail table is linked using this district code.

You have not said whether the people in the different districts do completely different things with different forms, or identical things but specifying the district. If the former then it is no big deal to create the folders manually, although it can be done programmatically. You could set a Local Role equal to the district name and get that role for users from the database. That way, users can only enter their own district folder. If the latter, then you could retrieve the Username and District from the User object for use in the forms (include the District as a role).

users are of different level like store-in-charge, sys mgmt group, vendors and normal users. they are in all the districts. so depending on the user level different set of menu page are to be generated ie. users of same level in different districts do same thing. In earlier ASP version I handled this in the login page handler ASP page and wanted to use the same logic here. district shouldn't be the user role , 'userlevel' will act as user role here. but the folders would be districtwise, I suppose. honestly I'm little bogged out by the exuserFolder feature, its using Dtml all the way and I'm sticking to ZPTs and script pythons.

Try working on the rest of your application to build up ZPT and Python experience. As I said, managing users is tricky. Also, be aware that Zope experts advise developers to produce file system based Products. There are lots of simple Products that you can use and browse the code to see how they work.

Cliff

I completely understand this. but the problem remains the same . how do i customise these products according to my needs. hope this helps you in helping me. waiting for your reply.
Re: [Zope] Zope/python: downloading images from the web and add them to Zope]
[EMAIL PROTECTED] wrote:

I would like to know how to add image file from an URL. I created a form with to possibilities: add an image from a local file , and a image from an url

You can get an image from a url with an External Method:

    # Get an image using the original url.
    import urllib
    def getImage(url):
        f = urllib.urlopen(url)
        data = f.read()
        f.close()
        return data

Hope this is enough to put you on track.

Cliff

here is my form:

get from disk: get from the internethttp://www.monsite.fr/monimage.jpg"; disabled="disabled">

This form call a python script:

    if REQUEST.sourcePict=="file":
        pathImgs.manage_addProduct['OFSP'].manage_addImage("pict_"+id, REQUEST.pict_file, title="pictogramme metier", precondition="", content_type="")
    else:
        pathImgs.manage_addProduct['OFSP'].manage_addImage("pict_"+id, REQUEST.pict_internet, title="pictogramme metier", precondition="", content_type="")

With a local file it works (case sourcePict=file), but when I want to add images from an url, it doesn't work. I suppose that the second parameter of manage_addImage must be a file type. In the first case, it works , but in the second, the parameter passed is a string (complete url of the image). so how to do?

thanks for your answers and excuse me for the lack in English (I'm french)
Re: [Zope] developer docs
Milos Prudek wrote:

What are the best documents for creating Zope products? I know Zope Book very well and I write TTW scripts. I need to convert a bunch of ZClasses into Products. ZDG seems very outdated. Should I start with mxmEasyProduct and then read ZDG? Is there a book available in bookshops that is better than ZDG and contains all required information for building products?

I don't know about best documents! There is a minimal Product How To:

http://www.zope.org/Members/maxm/HowTo/minimal_01/

Faced with the same problem (conversion of ZClasses to file system Products), I decided to have a look at Zope3X. There are a couple of good new books with worked examples - but as soon as I stepped off the guided path I found myself struggling. Still, I think I can see how to go from 2.7 to 3 and not bother with ZClasses.

Cliff
Re: [Zope] newbie:cookie expiry problem
prabuddha ray wrote:

This may be very silly plz help

I gave this cookie expiry statement in a python script:

    RESPONSE.expireCookie('login')
    return context.REQUEST.RESPONSE.redirect('index_html')

but when i checked the cookie values in request page, it wasn't removed. the last redirect still worked. when i put an if like this :

    if (RESPONSE.expireCookie('login'))
        return context.REQUEST.RESPONSE.redirect('index_html')

redirect didn't work. where am i wrong? all the files are in same folder

I set a cookie to indicate a user is in Edit mode. The script that unsets Edit mode looks like this:

    RESPONSE.expireCookie('editMode', path='/')
    RESPONSE.redirect(REQUEST.HTTP_REFERER)

Logout is different in my case because the cookie is set by exUserFolder. I put this in the logout script:

    context.acl_users.logout(context.REQUEST)

I have no idea (now) why it works.

HTH

Cliff

Nice short question!
Re: [Zope] ZPT list is dead... zpt nav question
Your code works OK for me - I see a list of links:

URL URL URL URL URL

and each one links to a folder only. You did not say what was wrong with your output. Were you forgetting to set tal:content to the title of the listed folder to appear in place of URL:

URL

Cliff

Norbert Ray-Goldman wrote:

so I am posting this here. I would like my zpt to list only folders in a directory - essentially filtering out all other meta_type(s)... can you tell me where I am going wrong with the filtering here ?

The title TITLE OR ID URL
Re: [Zope] [Zope/DTML] accessing PARENTS url with dtml tag ???
Try this construction:

Object: url:

Cliff

[EMAIL PROTECTED] wrote:

I have found a similar problem at this url: http://mail.zope.org/pipermail/zope/2000-August/115809.html

I want to do the same as Kapil, but in DTML. I tried different solutions: 1) 2) but I still have the problem. I want to display (in DTML) the absolute URL of the parent, but it doesn't work: it displays the absolute url of the CURRENT object.

could you help me to find the solution please? thanks (and excuse for my lack in english)
Re: [Zope] Adding Carriage return/line feed to a text field
If you are using a textarea field for input you could also use a text area field for display, useful if the input might contain html tags. Otherwise wrap the display in tags.
Cliff
MCDONNELL, LARRY wrote:
Hi, I have a form that the field length for that element is set to 65k in the database. Using a textbox, the person can enter their information. I now want to view the text. I can again use a text box but what I want to do is this - If I use this format, the text is one line. Are there arguments or a script that will add carriage return/line feed after you set the parameters?
Thanks, Larry McDonnell Coordinator of Educational Technology New Haven Public Schools 54 Meadow Street New Haven, CT 06519 [EMAIL PROTECTED] (203) 946-2440
Re: [Zope] problems rendering objects stored in the local file system
You have at least two choices:
1. Use apache and don't fetch index.html and the images through zope. Most installations use apache in front of zope, so this is just a matter of rewrite rules.
2. Use an External Method and make each image src attribute a function call, passing the image url as a parameter, for example: If you do that, make sure you include code to check that a malicious user cannot fetch any file from your file system. There have been some recent (this year) posts of example code you can google for.
Cliff
Dennis Allison wrote:
I am having trouble figuring out how to get Zope to access and render html and images files properly in the following context: In the local file system (that is, the Linux file system to be explicit) I have a collection of directories each containing an index.html file consisting of HTML and a collection of image files (*.jpg, *.gif, *.swf) referenced by the HTML. From a DTML object in the ZODB, I want to render the index.html and have it properly access the local image files. Calling the file "index.html" may be a bad name choice because it may be interpreted especially. In fact, what I really would like to be able to do is to reference all files relatively and allow internal directories and the like. We've been using the LocalFS product, mostly with great success, but this has got me stumped. Any suggestions? hints? pointers?
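The check asked for in option 2, sketched as an added example (not code from this thread or from any Zope product): a resolver that an External Method could call before opening a file. The function names, the extension allow-list and the demo tree are assumptions, and it is written for current Python 3 rather than the Python of the original posts.

```python
import os

# File types named in the question; anything else is refused (assumed policy).
ALLOWED_EXTENSIONS = {".html", ".jpg", ".gif", ".swf"}


class ForbiddenPath(Exception):
    """Raised when a requested path must not be served."""


def resolve_under_base(base_dir, requested):
    """Return the real path of `requested` if it lies inside `base_dir`."""
    if not requested or "\x00" in requested:
        raise ForbiddenPath("empty or malformed path")
    if os.path.isabs(requested):
        raise ForbiddenPath("absolute paths are not accepted")
    base_real = os.path.realpath(base_dir)
    # realpath collapses "..", duplicate slashes and symlinks before the check,
    # so the comparison is made on the file that would really be opened.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole path components, so a sibling directory such
    # as "site-private" is not mistaken for being inside "site".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ForbiddenPath("path escapes the served directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ForbiddenPath("file type is not served")
    if not os.path.isfile(candidate):
        raise ForbiddenPath("no such file")
    return candidate


def fetch(base_dir, requested):
    """What the External Method would return: file bytes, or None if refused."""
    try:
        path = resolve_under_base(base_dir, requested)
    except ForbiddenPath:
        return None
    with open(path, "rb") as handle:
        return handle.read()


def build_demo_tree(root):
    """Create a constructed sample layout under `root`; return the served dir."""
    base = os.path.join(root, "site")
    os.makedirs(os.path.join(base, "img"))
    os.makedirs(os.path.join(root, "site-private"))
    samples = {
        os.path.join(base, "index.html"): b"<html>demo</html>",
        os.path.join(base, "img", "logo.gif"): b"GIF89a",
        os.path.join(base, "notes.txt"): b"not a served type",
        os.path.join(root, "secret.html"): b"outside the served directory",
        os.path.join(root, "site-private", "notes.html"): b"sibling directory",
    }
    for path, data in samples.items():
        with open(path, "wb") as handle:
            handle.write(data)
    # A symlink inside the served directory that points outside it.
    os.symlink(os.path.join(root, "secret.html"), os.path.join(base, "leak.html"))
    return base


if __name__ == "__main__":
    import tempfile

    served = build_demo_tree(tempfile.mkdtemp())
    for name in ("index.html", "img/logo.gif", "../secret.html", "leak.html"):
        print(name, "->", "served" if fetch(served, name) is not None else "refused")
```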
Re: [Zope] Which sound I learn?
I produced a heavily customised site with Zope 2 that I am currently rebuilding in Zope 3. Even so, I feel hesitant to advise. I guess, with the advent of Five, then Zope 3 is the way to go if you are familiar with Python and xml. There are two recent, good Zope 3 books you can work through. I have found learning how to do things that are not in the Zope 3 books time-consuming, fortunately not an issue for me, but I think it will all work out with less code that is easier to maintain.
Cliff
Ryan Smiderle wrote:
I'm planning on making a website with Zope, and plan to do a lot of customization. Should I learn Zope 2 or Zope 3? Thanks, -Ryan
Re: [Zope] Adding zclass inside folder with python
A couple of lines at the bottom show one way to create a folder and an object inside that folder...
Anthu Nguyen wrote:
Hi, I've tried everything I can think of and am probably missing something obvious - help... I'm trying to (1) Create a folder, then (2) Add a new zclass inside that folder. Instead, the zclass is being added in the same space as the folder:
- What I want: New Folder New ZClass
- What's happening: New Folder New ZClass
The code that doesn't work:
request = context.REQUEST
pbuildid = request.pbuildid
# Add a new folder with id=pbuildid
context.manage_addFolder(id=pbuildid)
# Add a new instance of the ZClass inside new folder
instance = context.pbuild.createInObjectManager(request['id'], request)
instance.propertysheets.pbuild_properties.manage_editProperties(request)

context.manage_addProduct['OFSP'].manage_addFolder(REQUEST.Filename, REQUEST.Title)
# create an index_html DTML document
context[REQUEST.Filename].manage_addProduct['OFSP'].manage_addDTMLMethod('index_html', title="", file="Initial content")
HTH
Cliff
Re: [Zope] newbie Simple WebSite Construction Using Zope and Search
Hello Matt,
I did something similar a few years ago when we had to merge a number of web-sites, and needed to enable content providers who could not be expected to cope with much more than heading and paragraph tags. The users are very pleased with the site functionality - but the implementation displays my then inexperience with Python and Zope, so could not be packaged for others to use. So I have been working on a Zope 3 implementation, which I hope to make available within a couple of weeks. You can have a look at the Zope 2 site I created (for whatever reason I did not want to use CMS or Plone): http://www.geos.ed.ac.uk/ And this is a screen grab of the Zope 3 package with similar functionality as it stands at the moment: http://www.geos.ed.ac.uk/homes/ceford/zope3/
So I can't answer your questions directly, but: My Zope 2 site used a lot of dtml documents as page components. In Zope 3 I have only used Page Templates. In my Zope 2 site searches also find dtml documents, so I provide a custom display that puts in links to the pages that put the dtml in the right context. E.g. if a search finds a dtml document called page.bdy the link displayed is page.html.
Best regards
Cliff Ford
Matt Slavin wrote:
Hi, I am trying to use Zope to create a very simple company website (about 40 pages, or so) with the intention of having the flexibility to expand functionality etc in due course. I have very little Python / DTML experience, but have managed to set up the site using includes on the main index page and then use acquisition to provide the content within each section. I'm not sure if this is a safe - or correct way of going about it, but it seems ideal for our purposes. The navigational menus dynamically include a link to each sub folder - ie website/services/ - and navigating to a section, index_html is automatically shown. The "mainContent" variable is then dynamically placed into index_html. (So there are separate mainContent dtmlDocuments in About Us, Services etc..) This means we can keep the content completely separate, and do not have to include headers, footers and other includes within the mainContent variable. Brilliant.
However, when using the search script - http://www.zope.org/Members/Ioan/SiteSearch - results return a link back to the dtml_Document file mainContent, which gets displayed without any of the header or footer information. Is there any way to render the page with header and footer info? (By, I guess, redirecting the page to the containing folder, so that it pulls out index_html instead...) Any thoughts on this would be gratefully received - as I'm not sure this is the best way of using Zope, but it seems so much better than using plain old included variables.
kind regards, Matt
Re: [Zope] filtering results
This is my implementation of an external method that calls HTML Tidy. I hope it is of some use. This is a fragment of a form processing script that calls an External Method, passing the body content of a html page:
if request.submit == 'Tidy':
    (messages, buffer) = context.calltidy(body)
    request.set('messages', messages)
    request.set('body', buffer)
    return
The body and any HTML Tidy messages are passed back to the form for display. The external method module name is caltidy and the function name is tidy. This is the external method that calls HTML Tidy. It prepends a suitable head and appends a suitable tail to the body (which happens to be part of a table) to make a valid html document, then chops them off the result for return to the caller:
# call htmltidy
import os
import string
# path to executable
#exe = '/usr/local/zopeinst/Extensions/htmltidy/tidy'
exe = '/disk/home/www/zopeinst/Extensions/htmltidy/tidy'
# path to HTML Tidy configuration file
#config = '/usr/local/zopeinst/Extensions/htmltidy/config.txt'
config = '/disk/home/www/zopeinst/Extensions/htmltidy/config.txt'
errors = ''
#
dummyhead = """ "http://www.w3.org/TR/html4/loose.dtd";> Testing """
dummytail = """ . """
parsefailed = """ Tidy has not changed the source. This will happen if the input contains any tags not recognised by the html specification. Do not use Tidy on pages containing dtml! Correct only the errors listed below and then run Tidy again. Tidy will convert font tags to style classes, which will be ignored unless you create a local style sheet. Tidy will also correct many other faults that lead to the warnings below. The first line of your text is line 11. """
def tidy(input):
    combo = dummyhead + input + dummytail
    command = "%s -config %s 2>&1 << .\n%s" % (exe, config, combo)
    buffer = ''
    # get results from tidy into buffer
    for line in os.popen(command).readlines():
        buffer += line
    # if anything goes wrong with the tidy call the line count is zero
    try:
        # chop the dummy head
        (head, buffer) = string.split(buffer, '')
        # keep the warnings part of the head
        (head, tail) = string.split(head, '')
        return (head, buffer)
    except:
        return (parsefailed + buffer, input)
Cliff
gf wrote:
Hi, I am a Zope newbie. I apologize if the terminology I use below is not correct, but I hope that you get the gist of what I am about to ask. I would like to be able to 'filter' results before returning them to the user. In other words, if a user requests a given object, it is passed through a filter before being passed on to him or her. As a simple example, I may want to tidy the html before the user sees it, or eliminate or add certain tags or words. I have put together a simple 'html tidy' external method that takes raw html and produces a tidied version, but I don't know how I can apply it. Thank you for any comments, suggestions, or simple examples you may be able to provide.
Best Regards, gyro
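An alternative way to invoke the filter, as an added example (not the code posted above): the document is written to tidy's standard input using an argument list and no shell, so its text is never parsed as part of a command line, and the messages arrive on stderr separately from the HTML. The two paths are the ones in the post; run_filter and the argv parameter are assumptions, the head/tail wrapping is left out, HTML Tidy's exit status 2 is treated as failure, and the code targets current Python 3.

```python
import subprocess

# Paths as given in the post above.
TIDY_EXE = "/disk/home/www/zopeinst/Extensions/htmltidy/tidy"
TIDY_CONFIG = "/disk/home/www/zopeinst/Extensions/htmltidy/config.txt"


def run_filter(argv, document, timeout=30):
    """Run the program in `argv`, feeding `document` on stdin.

    Returns (exit_status, stdout_text, stderr_text). No shell is involved:
    argv is passed to the operating system as a list, and the document is
    only ever data on a pipe.
    """
    proc = subprocess.run(
        argv,
        input=document.encode("utf-8"),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=timeout,
        check=False,
    )
    return (
        proc.returncode,
        proc.stdout.decode("utf-8", "replace"),
        proc.stderr.decode("utf-8", "replace"),
    )


def tidy(body, argv=None):
    """Return (messages, html); on failure html is the unchanged input."""
    if argv is None:
        argv = [TIDY_EXE, "-config", TIDY_CONFIG]
    try:
        status, out, err = run_filter(argv, body)
    except (OSError, subprocess.TimeoutExpired) as exc:
        # Missing executable, permission problem or a hung process.
        return ("tidy could not be run: %s" % exc, body)
    # HTML Tidy exits 0 when clean, 1 with warnings, 2 with errors.
    if status >= 2 or not out:
        return (err, body)
    return (err, out)


if __name__ == "__main__":
    messages, html = tidy("<p>unclosed paragraph")
    print(messages)
    print(html)
```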
Re: [Zope] LAST INSERT ID driving me crazy
This is how it works for MySQL:
insert into table_name ( ItemID, ItemDate, etc ) values ( , , etc )
<dtml-var sql_delimiter>
select LAST_INSERT_ID() as BaptismID
You have to have the select LAST_INSERT_ID call in the same query as the insert, and you have to have the sql_delimiter. I have a vague recollection that LAST_INSERT_ID is MySQL specific.
Cliff
Alric Aneron wrote:
Hi guys, HOW HOW HOW HOW!!! Do I get at the last_insert_id() function, this is driving me absolutely crazy!! Zope docs say use "select last_insert_id()" but it doesn't work, gives me an error about bad SQL syntax around "LIMIT 1000". I tried googling it, I tried searching through other docs. And it just won't do it! I would like to make a separate ZSQL Method that will return to me the last insert id. Any help would be appreciated. Thank you.
Re: [Zope] strange behaviour:can not access source-view.gif but a copy of it
Your second example below never terminates for me, and neither does http://www.ersigen.ch/garbage/view-source.gif I have seen hanging with malformed apache rewrite rules involving http/https protocols. I would check the Apache rewrite rules.
Cliff
robert rottermann wrote:
thanks for the answer. what I meant is that I only can access the through its "normal" url (using apache) www.ersigen.ch/view-source.gif never terminates, whereas www.ersigen.ch/ersiweb/ersiweb/view-source.gif immediately returns correctly (/ersiweb/ersiweb is where apache redirects to). www.ersigen.ch/copy_of_view-source.gif works fine also. this is using a copy of the same image. This Problem we do have on a number of sites (running different versions of plone, on different machines). thanks again robert
Dieter Maurer wrote:
robert rottermann wrote at 2006-5-2 07:18 +0200: ... in a plone site (but I see nothing plone related with my problem) I can not access an image with the id view-source.gif (it is used by kupu).
What does "cannot access" mean precisely? Try "wget -S " and see (report) what happens.
Re: [Zope] [ANN] Zope 2.9.3 released
Not so long ago I installed Zope-2.9.2 and as I remember it all worked fine. This morning, with Zope-2.9.3 I get this:
bash Zope-2.9.3: make
/usr/local/bin/python install.py -q build
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c: In function ‘module_aq_validate’:
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c:2155: warning: ‘obj’ may be used uninitialized in this function
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c:2155: warning: ‘name’ may be used uninitialized in this function
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c:2155: warning: ‘v’ may be used uninitialized in this function
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c:2155: warning: ‘inst’ may be used uninitialized in this function
Dependencies/AccessControl-Zope-2.9.3/AccessControl/cAccessControl.c:2155: warning: ‘validate’ may be used uninitialized in this function
bash Zope-2.9.3:
Which I thought meant it did not work. This is with Fedora Core 5 and Python 2.4.3. I went through the whole process again (this time specifying the install folder) and did not get any warnings or OK messages:
bash Zope-2.9.3: ./configure /usr/local/Zope-2.9.3
bash Zope-2.9.3: make
/usr/local/bin/python install.py -q build
bash Zope-2.9.3: make install
/usr/local/bin/python install.py -q build
/usr/local/bin/python install.py -q install --skip-build --home "/usr/local/Zope-2.9.3"
bash Zope-2.9.3:
The installation seems to work? Should I worry about the Dependencies messages?
Cliff
Andreas Jung wrote:
From: Andreas Jung <[EMAIL PROTECTED]>
Hi all, on behalf of Zope Corporation and the Zope community I am pleased to announce the release of Zope 2.9.3. You can download it from http://www.zope.org/Products/Zope/2.9.3/
Some new features of Zope 2.9:
- ZODB 3.6
- Five 1.3
- integration for Zope 3 events for object creation and deletion
- Zope 3 i18n integration for page templates
For more information on what is new in this release, see the CHANGES.txt files for the release: http://www.zope.org/Products/Zope/2.9.3/CHANGES.txt
Please bring all the bugs you have found to the Zope bugtracker: "http://collector.zope.org/Zope":http://collector.zope.org/Zope
For more information on the available Zope releases, guidance for selecting the right distribution and installation instructions, please see: http://www.plope.com/Books/2_7Edition/InstallingZope.stx
Support Python versions: Zope 2.9 requires Python 2.4.3 (Python 2.4.1, 2.4.2 are still acceptable). Older Python versions are no longer supported.
Thanks to all being involved in this release.
[Zope] REMOTE_USER Security Issue
My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly. My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has any one else come across this problem and devised a solution, either in software or organisation? Problem verified with Zope 2.9.2 and latest RemoteUserFolder.
Cliff
Re: [Zope] Re: REMOTE_USER Security Issue
Hmmm, it was request.environ['REMOTE_USER'] that I found a way to hack. However, your comment has caused me to realise that when not logged in, Apache is not setting the REMOTE_USER environment variable, so a script can set it (in environ). So if I get the Apache boss to set REMOTE_USER to None that should fix it? Subtle. Thanks for making me think.
Cliff
Tres Seaver wrote:
Cliff Ford wrote:
My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly. My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has any one else come across this problem and devised a solution, either in software or organisation? Problem verified with Zope 2.9.2 and latest RemoteUserFolder
User folders who care need to look at the request's 'environ' dict, e.g.::
remote_user = request.environ['REMOTE_USER'] # not hackable
rather than the default one where untrusted code can scribble::
remote_user = request['REMOTE_USER'] # hackable
Tres.
--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED] Palladion Software "Excellence by Design" http://palladion.com
Re: [Zope] Re: REMOTE_USER Security Issue
I have done some more testing, and despite being told that request.environ['REMOTE_USER'] is not hackable I have hacked it and can use the hack to get at otherwise forbidden content. For testing I have set REMOTE_USER in the zope.conf cgi-environment variable, so I can quickly change from being one user to another. I have read the RemoteUserFolder source code - that is what led me to the hack. The hack allows a user who can write a python script in his own folder to use it to hack the entire site. So I still wonder if anyone who is using the REMOTE_USER environment variable is aware of a problem and has a solution.
Cliff
Tres Seaver wrote:
Cliff Ford wrote:
My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly. My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has any one else come across this problem and devised a solution, either in software or organisation? Problem verified with Zope 2.9.2 and latest RemoteUserFolder
User folders who care need to look at the request's 'environ' dict, e.g.::
remote_user = request.environ['REMOTE_USER'] # not hackable
rather than the default one where untrusted code can scribble::
remote_user = request['REMOTE_USER'] # hackable
Tres.
--
Tres Seaver +1 202-558-7113 [EMAIL PROTECTED] Palladion Software "Excellence by Design" http://palladion.com
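The two lookups contrasted in this thread, as an added example (not Zope or RemoteUserFolder code): ToyRequest is a simplified stand-in for a publisher request, and identify_naive, identify_hardened and refused_mutations are hypothetical names. The hardened lookup reads only a frozen copy of the server environment and treats a missing or blank REMOTE_USER as unauthenticated; written for current Python 3.

```python
from types import MappingProxyType


class ToyRequest:
    """Simplified model of a publisher request; not Zope's HTTPRequest."""

    def __init__(self, environ):
        # Frozen copy of what the front-end web server handed over.
        self._environ = MappingProxyType(dict(environ))
        # Per-request scratch namespace that page scripts may write to.
        self.other = {}

    @property
    def environ(self):
        return self._environ

    def __setitem__(self, key, value):
        self.other[key] = value

    def get(self, key, default=None):
        # Script-written values shadow the server environment in this lookup.
        if key in self.other:
            return self.other[key]
        return self._environ.get(key, default)

    def __getitem__(self, key):
        value = self.get(key, KeyError)
        if value is KeyError:
            raise KeyError(key)
        return value


def identify_naive(request):
    """The general lookup: returns whatever any code stored under the key."""
    return request.get("REMOTE_USER")


def identify_hardened(request):
    """Trust only the server-supplied environment; absent means anonymous."""
    user = request.environ.get("REMOTE_USER")
    if not isinstance(user, str) or not user.strip():
        return None
    return user.strip()


def refused_mutations(request):
    """Try every dict mutator on request.environ; return those refused."""
    attempts = {
        "setitem": lambda env: env.__setitem__("REMOTE_USER", "manager"),
        "delitem": lambda env: env.__delitem__("SERVER_NAME"),
        "update": lambda env: env.update({"REMOTE_USER": "manager"}),
        "clear": lambda env: env.clear(),
        "pop": lambda env: env.pop("SERVER_NAME"),
        "popitem": lambda env: env.popitem(),
        "setdefault": lambda env: env.setdefault("REMOTE_USER", "manager"),
    }
    refused = []
    for name, attempt in attempts.items():
        try:
            attempt(request.environ)
        except (TypeError, AttributeError):
            refused.append(name)
    return sorted(refused)


if __name__ == "__main__":
    # Constructed sample: the front end authenticated nobody.
    anonymous = ToyRequest({"SERVER_NAME": "example.test"})
    anonymous["REMOTE_USER"] = "manager"  # a page script writes to the request
    print("naive:", identify_naive(anonymous))
    print("hardened:", identify_hardened(anonymous))
    print("refused:", refused_mutations(anonymous))
```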
Re: [Zope] REMOTE_USER Security Issue
This is just to report that this issue is resolved (for me). Tres Seaver kindly provided a patch for HTTPRequest.py that makes the environ dictionary immutable (appended below for those in a similar position). This may have adverse consequences for applications that rely on existing behaviour and Tres has recommended that it would be better to harden the User Folder code. In our case we might also be able to encrypt the remote Username. Once again, thanks to Tres and other list members, who are a wonderful resource. Cliff Cliff Ford wrote: My people want to adopt a single sign-on system for web applications that is based on the REMOTE_USER environment variable. I have tried out RemoteUserFolder and also adapted exUserFolder to work similarly. My problem is that I figured out how a user who has permission to create python scripts (might work with dtml and page templates too) could access otherwise forbidden content by making calls that pretend to come from another user. Has any one else come across this problem and devised a solution, either in software or organisation? Problem verified with Zope 2.9.2 and latest RemoteUserFolder. Cliff ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev ) The Patch: Index: lib/python/ZPublisher/HTTPRequest.py === --- lib/python/ZPublisher/HTTPRequest.py(revision 68139) +++ lib/python/ZPublisher/HTTPRequest.py(working copy) @@ -63,6 +63,16 @@ class NestedLoopExit( Exception ): pass +class ReadOnlyDict(dict): +def __setitem__(self, key, value): +raise TypeError, 'Immutable' +def __delitem__(self, key): +raise TypeError, 'Immutable' +def update(self, other): +raise TypeError, 'Immutable' +def clear(self): +raise TypeError, 'Immutable' + class HTTPRequest(BaseRequest): """\ Model HTTP request data. 
@@ -252,7 +262,7 @@ del environ['HTTP_AUTHORIZATION'] self.stdin=stdin -self.environ=environ +self.environ=ReadOnlyDict(environ) have_env=environ.has_key get_env=environ.get self.response=response Index: lib/python/ZPublisher/tests/testHTTPRequest.py === --- lib/python/ZPublisher/tests/testHTTPRequest.py (revision 68139) +++ lib/python/ZPublisher/tests/testHTTPRequest.py (working copy) @@ -684,7 +684,23 @@ req.close() self.assertEqual(start_count, sys.getrefcount(s)) # The test +def test_environ_is_immutable(self): +from StringIO import StringIO +s = StringIO(TEST_FILE_DATA) +env = TEST_ENVIRON.copy() +env['to_replace'] = 'to_replace' +env['to_remove'] = 'to_remove' +from ZPublisher.HTTPRequest import HTTPRequest +req = HTTPRequest(s, env, None) +self.assertRaises(TypeError, req.environ.__setitem__, +'hacked', 'hacked') +self.assertRaises(TypeError, req.environ.__setitem__, +'to_replace', 'replaced') +self.assertRaises(TypeError, req.environ.__delitem__, 'to_remove') +self.assertRaises(TypeError, req.environ.update, {'hacked': 'hacked'}) +self.assertRaises(TypeError, req.environ.clear) + def test_suite(): suite = unittest.TestSuite() suite.addTest(unittest.makeSuite(AuthCredentialsTestsa, 'test')) Index: lib/python/OFS/tests/testRanges.py === --- lib/python/OFS/tests/testRanges.py (revision 68139) +++ lib/python/OFS/tests/testRanges.py (working copy) @@ -59,6 +59,9 @@ r['Application'] = a self.root = a self.app = makerequest(self.root, stdout=self.responseOut) +# 'environ' is now immutable, so replace it to allow scribbling +# in tests +self.app.REQUEST.environ = dict(self.app.REQUEST.environ) try: self.app._delObject(TESTFOLDER_NAME) except AttributeError: pass manage_addFolder(self.app, TESTFOLDER_NAME) ___ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
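Review bot: ReadOnlyDict in lib/python/ZPublisher/HTTPRequest.py overrides __setitem__, __delitem__, update and clear, but pop, popitem and setdefault are still inherited from dict and still change the mapping, so environ is not yet read-only. setdefault matters most for the case raised earlier in this thread, where REMOTE_USER is absent from the environment. Suggest overriding those three as well, and adding a docstring saying the class exists to keep request code from altering the server-supplied environ.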
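Review bot: test_environ_is_immutable in testHTTPRequest.py only asserts that TypeError is raised; it never checks that req.environ still holds 'to_replace' and 'to_remove' with their original values and has no 'hacked' key afterwards, and it has no cases for pop, popitem or setdefault. Suggest adding those assertions so the test fails if a mutator raises after it has already changed the dict, or if one is left unguarded.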
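Review bot: the setUp change in lib/python/OFS/tests/testRanges.py rebinds self.app.REQUEST.environ to a plain dict, which shows the protection covers the mapping's contents but not the attribute that holds it. That is reasonable for a test, but the comment should name which tests in this file write to environ, and HTTPRequest.py should document whether rebinding request.environ is meant to remain possible.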
Re: [Zope] Internet Explorer does not follows redirect, while Firefox does
I have forgotten the exact details, but some time back I found it necessary to pad out the body of the redirect page in order to make IE perform as intended. It may have been for an older version of IE, and the padding just needed to be a certain number of bytes. I think I came across a later reference to the problem. Have you googled for info? Padding follows.
Cliff
Marco Bizzarri wrote:
Ok, I've been able to experiment. All my pages have the following in the section: Also, I added, before every redirect, the following:
request.get('RESPONSE').setHeader('pragma', 'no-cache')
Any suggestion?
On 5/31/06, Kees de Brabander <[EMAIL PROTECTED]> wrote:
Either or or both in the head section of your page will do the trick. cb
- Original Message -
From: "Marco Bizzarri" <[EMAIL PROTECTED]>
To: "Zope Users Mailing List"
Sent: Wednesday, May 31, 2006 7:33 AM
Subject: [Zope] Internet Explorer does not follows redirect,while Firefox does
> Hi all.
>
> I don't think this is a specific Zope problem. However, I'm
> experiencing it in a Zope context, and this is why I'm here asking.
>
> In a custom Zope application, we have a problem with Internet Explorer.
>
> The application follows a "page -> submit -> redirect -> page" cycle.
>
> To state more clearly: the page presented to the user can have a link.
> When the user clicks on the link, something is done, and eventually
> the user is redirected to the same page which will display different
> data based on the results of its previous click.
>
> The problem is that when IE sees that the result page has the same URL
> as the first page it does not reload the page and instead shows me
> the cached version.
>
> The problem is not shown with Firefox.
>
> As far as I can understand, this is an HTTP header issue, but I would
> like to know if anyone already has experienced this problem, and has
> some solution about it.
>
> Regards
> Marco
> --
> Marco Bizzarri
> http://notenotturne.blogspot.com/
Re: [Zope] acl_users in MySQL
Suggestion: have a look at exUserFolder. It has a MySQL Authentication Source. The minimum requirement is a table with Username, Password and Roles fields.
Cliff
Luiz Fernando B. Ribeiro wrote:
Hello, I've been searching for a solution on how to integrate my actual database of users (in MySQL) with the Zope authentications machinery. I found some old instructions (2001) using LoginManager and zPatterns but I would like to hear from you about the alternatives. Currently I'm using my own authentication method but with this I'm losing a lot of Zope features.
Zope 2.9
MySQL 4.1
Using reverse proxy with Pound
Any suggestions? Thanks in advance.
Re: [Zope] ZSQL Method Question
This is how it works for MySQL:
insert into org (org_name, org_phone) values ('x', 'y')
<dtml-var sql_delimiter>
select LAST_INSERT_ID() as org_id
You have to have the select LAST_INSERT_ID call in the same query as the insert, and you have to have the sql_delimiter. I assume you know that the x and y values should be types.
Cliff
Benjamin Menking wrote:
New to python/Zope, old-timer on PHP. I'm using MySQL and a ZSQL method to insert data into the database. ex:
insert into org (org_name, org_phone) values ('x', 'y')
What I'm trying to figure out is that org_id (also part of the org table, but not specified in the sql statement) is an auto_increment primary key field and in PHP I can use mysql_insert_id() to find out what org_id was set to after the mysql_query() call. Is there a way to retrieve that value with ZSQL method, or must I use some other mechanism? Thanks!
Re: [Zope] ZSQL Method Question
Comment on Peter's suggestion: I am no expert on these things, but it is my understanding that for MySQL LAST_INSERT_ID() fetches the last autoincrement value made by the current insert, so the outcome is not affected by virtually simultaneous requests. And I don't think MySQL accepts a value for the autoincrement key. I am a bit surprised that the code you quote is reliable - surely there is a possibility of an insert after calling GetNextID and before calling SQLInsert in the python code?

Comment on Tino's suggestion: I think that LAST_INSERT_ID() is MySQL specific and I guess CURRVAL() is Postgres specific. But the principle is the same: calling within the same Z SQL Method ought to be safe.

Anyway, I hope John has had his question answered.

Cliff

Tino Wildenhain wrote:
> Peter Bengtsson wrote:
> > What if you have 1,000,000 requests/sec? What if between the INSERT and the LAST_INSERT_ID() another INSERT is made?
> >
> > I use PostgreSQL and with postgres you can always ask the sequence what the next id is going to be. It goes something like this::
> >
> >     next_id = context.GetNextId()[0].next_id
> >     context.SQLInsertUser(uid=next_id, name='Peter')
> >
> > where 'GetNextId' is a ZSQL method that looks like this::
> >
> >     SELECT NEXTVAL('users_uid_seq') AS next_id
>
> It's even easier: one ZSQL Method:
>
>     INSERT INTO foo (foo_id,blah,bar) VALUES (nextval('foo_foo_id_seq'), ... );
>     SELECT CURRVAL('foo_foo_id_seq') as foo_id;
>
> But your above solution is valid too.
>
> Regards
> Tino
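The question debated in this thread, whether another insert landing between the INSERT and the id lookup changes the answer, shown as an added example that is not part of any poster's message. It uses Python's sqlite3 and SQLite's last_insert_rowid() as a stand-in for MySQL's LAST_INSERT_ID() (both are scoped to the calling connection); the function name and sample rows are constructed for illustration.

```python
import os
import sqlite3
import tempfile

SCHEMA = ("CREATE TABLE org (org_id INTEGER PRIMARY KEY AUTOINCREMENT, "
          "org_name TEXT, org_phone TEXT)")
# Values are bound as parameters rather than pasted into the SQL text.
INSERT = "INSERT INTO org (org_name, org_phone) VALUES (?, ?)"


def interleaved_inserts():
    """Interleave inserts from two connections; return the ids each reads back."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "org.db")
        # isolation_level=None means autocommit, so each statement is
        # immediately visible to the other connection.
        conn_a = sqlite3.connect(path, isolation_level=None)
        conn_b = sqlite3.connect(path, isolation_level=None)
        try:
            conn_a.execute(SCHEMA)
            conn_a.execute(INSERT, ("x", "y"))   # request A inserts
            conn_b.execute(INSERT, ("p", "q"))   # request B lands in between
            # Connection-scoped lookup: each side gets the id of its own row.
            a_own = conn_a.execute("SELECT last_insert_rowid()").fetchone()[0]
            b_own = conn_b.execute("SELECT last_insert_rowid()").fetchone()[0]
            # Table-wide lookup: A is handed B's row id, the race Peter describes.
            a_max = conn_a.execute("SELECT MAX(org_id) FROM org").fetchone()[0]
        finally:
            conn_a.close()
            conn_b.close()
    return {"a_own": a_own, "b_own": b_own, "a_max": a_max}


if __name__ == "__main__":
    print(interleaved_inserts())
```

The connection-scoped lookup is only safe while the insert and the lookup run on the same connection, which is why the replies insist on keeping both statements in one Z SQL Method.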
Re: [Zope] autorefresh a web page every x minutes
This is a "Client-Pull" web question, not Zope related. Here is an example of what needs to be in the <head> of the page:

    <meta http-equiv="refresh" content="5; URL=http://www.foo.com/foo.html">

where 5 is seconds, so 300 would be 5 minutes, and the URL is the next url, leave out URL=http://www.foo.com/foo.html to refresh the same page.

Cliff

Alan wrote:
> Dears,
>
> Is there a way of doing a particular page template (ZPT) keeping reloading/refreshing itself every x minute?
>
> I hope so. Any help would be very much appreciated.
>
> Many thanks in advance.
>
> Cheers, Alan
Re: [Zope] insert_id with MySQL an Z SQL Method
Search the mailing list archives for July - there were several contributions to this question. Roughly:

    insert ... select LAST_INSERT_ID() as table_id_seq

Cliff

Ferhat Ayaz wrote:
> Hi,
>
> I have a Z SQL Method with an insert expression. To the inserted row will be assigned an auto_increment id. How can I get the last inserted id?
>
> I tried both of the following commands in one Z SQL method. Unfortunately this produces an error.
>
>     insert into categories (parent_id,logo,active) values ( , , , );
>     SELECT currval('table_id_seq');
>
> Thanks for your help
>
> Greets, Ferhat
[Zope] Zope Calendar Product?
Hello friends, I have been away from Zope for a while. I have a Zope 2.9.3 installation (no CMS or Plone) for which someone has requested a Calendar application. From the Zope sites it is not clear whether any suitable product is available. Could anyone recommend something? Alternatively, might it be an idea to use a stand-alone Calendar application and plug it into an I-frame?

Cliff
Re: [Zope] Zope Calendar Product?
Thank you Giampiero,

Your answer made me realise I had asked the wrong question. I am really looking for something to coordinate personal diaries for meetings and events. I know this is a big, complicated field that teams work on for years. Do I expect too much?

Cliff

Giampiero Benvenuti wrote:
> Hi there,
>
> I'm using "Calendar Tag". It does work fine for my needs: http://www.zope.org/Members/teyc/CalendarTag
>
> Ciao, Giampiero
>
> On Feb 22, 2008, at 6:20 AM, Cliff Ford wrote:
> > Hello friends, I have been away from Zope for a while. I have a Zope 2.9.3 installation (no CMS or Plone) for which someone has requested a Calendar application. From the Zope sites it is not clear whether any suitable product is available. Could anyone recommend something? Alternatively, might it be an idea to use a stand-alone Calendar application and plug it into an I-frame?
> >
> > Cliff