[Zope] no accounts in root user folder?

2006-08-10 Thread Vangelis Mihalopoulos

Hello,

I have a zope app in a folder and have an exUserFolder in there to 
authenticate the app's users. The app is working fine and i get 
authenticated by the exUserFolder and everything works. I tried to 
delete the single admin account (with Manager privileges) from the 
root standard user folder and the app breaks with:


Unauthorized: You are not allowed to access 'call_backend' in this context

where 'call_backend' is an External Method called by a Python Script. 
All objects in zope are owned by the admin. Could this be causing the 
problem?


Thnx for any help,
Vangelis

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] database connections from external method

2005-10-24 Thread Vangelis Mihalopoulos


Chris Withers wrote:

Have a look at the ZSQL methods code, I remember this being pretty old 
and convoluted :-(


Ok, thanks! I'll take a look.

Well, i am running zope under root privileges in read-only mode. 


What does this mean?


I am opening the ZODB in read-only, using the appropriate parameter in 
the conf file.



What are you seeking to do or prevent?


I want a number of external methods to run with root privileges for 
performing specific tasks (older thread, root privileges required, 
27/7/2004)


If there is a Zope break-in, 


What does that mean?


I think of it as a break-in in the ZMI.


i want to minimize interference with the database.


Which database?


I use a MySQL database for storing some info.

Also, since this will be a commercial product, keeping most of the 
code in compiled python scripts is meaningful.


As Jens already explained, .pyc's and pyo's can be decompiled in a 
matter of minutes, so you're getting nothing for this worry other than 
finding debugging a pain ;-)


Yes, i fully understand the disadvantages, but i have dealt with the 
debugging with some custom exception handling/tracing. And, believe me, 
i don't have illusions about the secrecy offered by compiled python 
scripts. :-)



Re: [Zope] database connections from external method

2005-10-24 Thread Vangelis Mihalopoulos


Chris Withers wrote:


Vangelis Mihalopoulos wrote:

[zope - ] (which btw i believe to be very secure) 


Then why do you consider it a risk?


I don't really. But when i present my security assessment report saying 
"Zope has never had a compromising security issue", i'll get the 
(expected) answer "Sooner or later, everything gets broken", and i will 
have to additionally demonstrate why compromising zope (in terms of 
accessing the ZMI) will have minimum effect on the overall system operation.


i don't want him to be able to directly access (read/write) the 
database i am using. *AFAIK*, ZSQLMethods won't do for this.


Then put constraints in on your database, or make the whole connection 
read-only.


I want to have full access rights on the database through the external 
methods.


You're really buying nothing with all this other than wasting a lot of 
your time...


I really hope i don't! :-)   
As Dieter said, my application is not a conventional Zope application.

I could say that, for this project, i am using Zope:
- as a much safer alternative to CGI
- for its templating machinery
- because it is built on Python and the project is based on Python
- i like Zope :-)

Thanks for your comments!
Vangelis



Re: [Zope] database connections from external method

2005-10-24 Thread Vangelis Mihalopoulos


Tino Wildenhain wrote:

I want to have full access rights on the database through the 
external methods.


Usually you don't want that.


Yes, usually i don't.

Sane security constraints on the database save you a lot of mistakes if done 
right. You can also use views and stored functions to further tighten 
your security.


Really, this reasoning may apply to regular projects.
For my case, let me explain:
- Say, you want to read/write a DB through Zope.
- You have a read-only ZODB, so you cannot change anything.
- The user-folder is based on an external authentication mechanism.
- A Zope security hole comes up, which gives you all permissions within 
Zope.
- You want to minimize the casualties of this attack.
I think database constraints are not applicable for this scenario. Also, 
i don't want any application logic within the database, so stored 
procedures are not an option either. I believe that using ZSQLmethods 
for this setup will/might allow an attacker to:
- retrieve information about the database (schema-wise) [ - not so important]
- retrieve/modify records [ - much more important ]

I (maybe falsely) think of Zope as a sandbox environment. I cannot 
operate as root within this sandbox, so i need external methods. Why 
not move all my non-restricting/privileged actions outside this 
sandbox, so that if someone breaks into the sandbox i might stand a better 
chance to keep him there for a while longer? Following this reasoning, i 
created a single external method [a true SPOF :-) ] which does all the 
dirty work.



Badly done external methods are more likely to open security holes.


Of course! I trust the Zope developers to be much more of a coder than 
me! :-)


I really hope i don't! :-)   As Dieter said, my application is not a 
conventional Zope application.


What is it instead? :)


Got you intrigued huh?? :-)
It is a webmin/usermin-like suite for Linux. The approach is quite 
different, both commercially and architecturally. I am pretty sure it is 
probably the most unconventional use of Zope up to now. :-)



I could say that, for this project, i am using Zope:
- as a much safer alternative to CGI


but not if compromised :)


Indeed!!



Re: [Zope] database connections from external method

2005-10-19 Thread Vangelis Mihalopoulos


Tino Wildenhain wrote:


The threading is handled by the ZDA, so you can use query() or what
the method actually is.


I couldn't find a method like that... any hints?


Otoh, what do you think you gain from
circumventing ZSQL Methods?


Well, i am running zope under root privileges in read-only mode. If 
there is a Zope break-in, i want to minimize interference with the database.
Also, since this will be a commercial product, keeping most of the code 
in compiled python scripts is meaningful.



[Zope] Pass index in a TAL path expr

2005-04-20 Thread Vangelis Mihalopoulos
Hello,
if data is a tuple (or list), how can i directly access its contents 
using path expressions, like in:

-- script s:
return context.t(data=(one, two, three))
-- template t
<html><body>
 <span tal:replace="options/data/0"></span>
</body></html>
The above example gives a TypeError for the index... options/data/0 
is not correct. What should i set the path to?


Re: [Zope] DTML namespace problem (was: dtml-tree issue)

2005-04-12 Thread Vangelis Mihalopoulos
Just added __allow_access_to_unprotected_subobjects__ = 1 as an 
attribute of my class defined in an external python script and it works 
fine.

Thanks Tino!
Tino Wildenhain wrote:
Hi,
On Monday, 11.04.2005, 14:08 +0300, Vangelis Mihalopoulos wrote:

Andreas Jung wrote:

You should *not* define classes inside PythonScripts. PythonScripts 
are restricted and don't provide the full functionality. Either use 
filesystem based code (Zope Product) or use simple Python datatypes 
as dictionaries in this case.

An External Method behaves exactly the same. I have not yet been involved in 
writing even the simplest Product and i will not do it now for such a 
trivial issue.

I tried to return a dictionary,
-  return {'a':1, 'b':2, 'c':3}  --
but the DTML Doc fails with a KeyError.

Use a dict and if you really need DTML... see the keyword
mapping for dtml-with and dtml-in tags.
If you want to return custom class objects into untrusted
code (e.g. from external methods) you need to set security
declarations on them - at least add the attribute:
__allow_access_to_unprotected_subobjects=1 

(from top of head - just grep -r Zope's source
for the actual name)
HTH
Tino



[Zope] DTML namespace problem (was: dtml-tree issue)

2005-04-11 Thread Vangelis Mihalopoulos
Hello,
i have focused my problem on this:
having a Python Script testScript:

class obj:
    a = 1
    b = 2
    c = 3
return obj()

and a DTML Document testWith:
---
<dtml-with testScript>
 <dtml-var a>
</dtml-with>
---
when i try to view the DTML Document, i get an Unauthorized Exception.
I believe this has something to do with the security mechanism of Zope. 
What must i return from the Python Script in order for the DTML Document 
to work?

Thanks for any help


Re: [Zope] DTML namespace problem (was: dtml-tree issue)

2005-04-11 Thread Vangelis Mihalopoulos

Andreas Jung wrote:
You should *not* define classes inside PythonScripts. PythonScripts 
are restricted and don't provide the full functionality. Either use 
filesystem based code (Zope Product) or use simple Python datatypes 
as dictionaries in this case.

An External Method behaves exactly the same. I have not yet been involved in 
writing even the simplest Product and i will not do it now for such a 
trivial issue.

I tried to return a dictionary,
-  return {'a':1, 'b':2, 'c':3}  --
but the DTML Doc fails with a KeyError.
I was wondering if there was some Zopish way to do it i don't 
know. i'm kinda desperate here :-)



[Zope] dtml-tree issue

2005-04-08 Thread Vangelis Mihalopoulos
Hello,
I want to use dtml-tree. I want to populate this tree using an external 
method like this one:

getChildren(parent_id)  =  [child, child, child, ..]
where parent_id is a string and each child is a node (python object).
My problem is what kind of object must each node be, in order for the 
dtml-tree to work properly...
The dtml-method is like this (example, hierarchy of links):

<dtml-tree id="LINK" branches_expr="getChildren(LINK)">
 <a href="<dtml-var LINK>"><dtml-var TITLE></a>
</dtml-tree>
I tried a dictionary, but i cannot retrieve the LINK in the branches_expr.
I made a class in the External Method with attributes LINK and 
TITLE, but i get unauthorized exceptions...

Thanks for any help,
Vangelis
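The unauthorized exceptions in this dtml-tree question and the __allow_access_to_unprotected_subobjects__ fix in the "DTML namespace problem" thread above both come down to how Zope treats an attribute that carries no security declaration. The following is an added example, not code from the thread or from Zope's own AccessControl package: a simplified Python model of that check, showing why the blanket "= 1" form exposes every attribute of a node (including anything else stored on it, such as a connection handle) to DTML and Python Scripts, while the dict form, which AccessControl also accepts, limits access to LINK and TITLE. The class and attribute names (WideOpenNode, ScopedNode, conn) are constructed for illustration.

```python
# Added example, not code from the thread or from Zope/AccessControl itself:
# a simplified model of the rule Zope applies to an attribute that carries no
# role declaration, so the effect of __allow_access_to_unprotected_subobjects__
# on objects returned from an External Method can be compared. Class and
# attribute names (WideOpenNode, ScopedNode, conn) are constructed.

class Unauthorized(Exception):
    """Stand-in for AccessControl.Unauthorized."""

def guarded_getattr(container, name):
    """Names starting with '_' are always refused; otherwise the container's
    __allow_access_to_unprotected_subobjects__ decides: an int (all or
    nothing), a dict keyed by attribute name, or a callable(name, value)."""
    if name.startswith("_"):
        raise Unauthorized(name)
    value = getattr(container, name)
    policy = getattr(container, "__allow_access_to_unprotected_subobjects__", None)
    if policy is None:
        raise Unauthorized(name)  # no declaration at all: the thread's symptom
    if isinstance(policy, dict):
        policy = policy.get(name, None)
    elif callable(policy):
        policy = policy(name, value)
    if not policy:
        raise Unauthorized(name)
    return value

class WideOpenNode:
    """The '= 1' form: every attribute, including a connection handle kept
    on the node, becomes readable from DTML and Python Scripts."""
    __allow_access_to_unprotected_subobjects__ = 1

    def __init__(self, link, title, conn):
        self.LINK, self.TITLE, self.conn = link, title, conn

class ScopedNode:
    """Dict form: only the fields the template needs are exposed."""
    __allow_access_to_unprotected_subobjects__ = {"LINK": 1, "TITLE": 1}

    def __init__(self, link, title, conn):
        self.LINK, self.TITLE, self.conn = link, title, conn

def readable(node, name):
    """True if restricted (untrusted) code could read node.<name>."""
    try:
        guarded_getattr(node, name)
        return True
    except Unauthorized:
        return False
```

Plain dicts and tuples, which Andreas recommends instead of classes, are already treated as safe containers by Zope, so they need no declaration at all.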


Re: [Zope] script python error

2005-04-01 Thread Vangelis Mihalopoulos
Maybe using quotes, e.g. 

RESP.redirect('/store_nic/consumables/test')
prabuddha ray wrote:
what's wrong with the given python script

request = container.REQUEST
RESP = request.RESPONSE
passwd = context.request.password1
user = context.request.username,
if(container.chkpwd(uname=user,pwd=passwd)):
    RESP.redirect(/store_nic/consumables/test) // syntax error.
else:
    RESP.redirect(/store_nic/consumables/index_html)

On Tue, 29 Mar 2005 19:07:00 +0200, Andreas Pakulat [EMAIL PROTECTED] wrote:

On 29 Mar 2005 - 05:39:42, prabuddha ray wrote:

Thanks Jürgen,
  one tip i'm looking for is how to call python scripts on any form
event, i.e. like we call javascripts on the onclick or onsubmit or onchange
events?
 thanks again.

You can't. Python and JavaScript are completely different things.
JavaScript runs on the client side, whereas Python runs on the server.
However, you probably can use your JavaScript to call a python Script,
but I wouldn't suspect that it works the same as with JavaScript
alone. Python Scripts are executed when you send them a Request or by
calling them from within another python script (or TAL or DTML
statement)
Andreas
--
You have an ambitious nature and may make a name for yourself.
--
Share the vision of difference with ME