Re: [Zope-dev] Xron and security

2000-08-23 Thread Steve Alexander

Loren Stafford wrote:
 
 Thanks, Steve.
 
 I have few questions below  8-) (I'm always better with questions than
 answers.)
 
 -- Loren
 
 From: "Steve Alexander" [EMAIL PROTECTED]
  Hi Loren,
 
   I'd be glad to listen to well considered proposals for how Xron should
   handle security.
 
  Consider this a "straw man".
 
 
  On installation, Xron creates a user in the root user folder called
  "XronUser".
 
  Xron is responsible for setting this user's password. Therefore, it is
  known to both the Xron product, and also to the root user folder.
 
  When a Xron method is run, there is a property that indicates whether it
  is called anonymously, or authenticated as XronUser.
 
 Is there a good reason not to always pass authentication in the request? The
 authentication property would have to be stored in the Schedule catalog, and
 I'd like to keep the Schedule as small as possible.

I can't think of a concrete example of when I'd want to have a Xron
method called with no authentication, when authentication is available.

XronUser would be a privileged user, and it might be useful to run
scheduled methods without using that privilege. However, in the 2.2
security model, you can drop privilege using proxy roles, so I don't
think your suggestion above is a limitation.

So, no, I can't see a good reason not to always pass authentication in
the request.


  The Xron product could change the password of XronUser every day to a
  new random value.
 
 That's more than folks do to maintain secrecy of the "superuser" password.
 Is the extra trouble worthwhile?

I put this in as an example to illustrate that only the Xron product,
and the Zope root user folder need to know the XronUser password. You're
right, it really doesn't need to change every day :-)

However, there should be a manage_... method in Xron that will change the
password to a new random value. Then, if people wanted the password
changed every day, they could use a Xron DTML Method to do it :-)

Perhaps also a button somewhere in the Xron product, or in the Schedule,
to call the manage_resetXronPassword method.

  The domains associated with XronUser could be just localhost.localdomain
  (not sure about this). Or based on whatever the machine's host-name is
  (probably better).
 
 At a virtual-hosted site, how could Xron know what the host-name is?

Xron must know (in some sense) what the host name is now, in order to
use ZClient to call a Xron DTML Method. I guess this is because the URL
to use comes from absolute_url() in Zope.

I'm using Xron 0.0.9 on a virtual-hosted site, and it works.

However, restricting a User's domains doesn't work as I would expect.

The configuration is ZServer behind Apache+ProxyPass. If I put any value
in the "domains" field of a User, other than "127.0.0.1", that User
cannot log in at all. I haven't looked into this particularly yet.


In AccessControl/User.py, login restriction by domain works using
REMOTE_HOST and REMOTE_ADDR from the REQUEST.

I sent myself an email from a Xron DTML Method on two Zope 2.2.1b1
machines, one just running ZServer, the other virtual-hosted as
described above.

In the case of the virtual-hosted server, I get emailed REMOTE_ADDR
127.0.0.1

In the case of the bare ZServer, I get emailed REMOTE_ADDR
my_server's_ip_address

Also, for the virtual server, ZClient seems to choose an appropriate
HTTP_HOST.


So, it seems that the correct domain restriction to use depends on just
how you're using ZServer.

I can think of three ways around this:

  1: Don't bother restricting by domain for XronUser.

  2: Allow a Manager to configure what domains XronUser may log in from.

  3: Use ZClient to call a method in Xron. Xron inspects the REQUEST passed
     for this method, extracts the REMOTE_ADDR and REMOTE_HOST, and uses
     one of these as the domain restriction.

If you go with 3, there will need to be some button in Xron's management
interface to re-determine the correct domain to use.

If I were writing the software, I'd choose 2, and let the Manager of a
site make the decision.

--
Steve Alexander
Software Engineer
Cat-Box ltd
http://www.cat-box.net

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
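
The REMOTE_ADDR behaviour reported in the message above, as an added example (not part of the original post and not the code in AccessControl/User.py): a simplified per-user domain check run against the two deployments Steve describes. The addresses, function names and matching rule are assumptions made for illustration.

```python
# Added illustration; a simplified matcher, not the code in AccessControl/User.py.
SERVER_IP = "192.0.2.10"      # constructed: the Zope host's own address
OUTSIDE_IP = "198.51.100.7"   # constructed: some unrelated client

def _match(pattern, value):
    """Compare dot-separated labels; '*' in the pattern matches any one label."""
    p, v = pattern.lower().split("."), value.lower().split(".")
    return len(p) == len(v) and all(a in ("*", b) for a, b in zip(p, v))

def domain_allows(domains, remote_addr, remote_host=""):
    """True if the user's 'domains' list admits this request (empty list = no restriction)."""
    if not domains:
        return True
    seen = [x for x in (remote_addr, remote_host) if x]
    return any(_match(d, s) for d in domains for s in seen)

def remote_addr_seen(deployment, client_ip):
    """REMOTE_ADDR as ZServer sees it: behind Apache+ProxyPass it is always the proxy."""
    return "127.0.0.1" if deployment == "proxied" else client_ip

def evaluate(domains):
    """Who may authenticate as XronUser under each deployment, for a given 'domains' value."""
    result = {}
    for deployment in ("bare", "proxied"):
        for caller, ip in (("xron", SERVER_IP), ("outside", OUTSIDE_IP)):
            addr = remote_addr_seen(deployment, ip)
            result[(deployment, caller)] = domain_allows(domains, addr)
    return result

if __name__ == "__main__":
    for spec in ([SERVER_IP], ["127.0.0.1"], []):
        print(spec or "(no restriction)")
        for key, ok in evaluate(spec).items():
            print("   %-8s %-8s %s" % (key[0], key[1], "allowed" if ok else "refused"))
```

Behind the proxy the only value that admits XronUser is 127.0.0.1, and that value also matches every other request Apache relays, so in that deployment the domain restriction adds nothing beyond the password.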




[Zope-dev] Logs stamped with wrong time

2000-08-23 Thread Steve Alexander

Zope 2.2 CVS checkout August 21.

I'm in the BST timezone, which is GMT+1.

All the entries in Z2.log are one hour behind where they should be.

127.0.0.1: - - [23/Aug/2000:15:15:39 +0100] "POST /fmr/mail_test/manage_edit HTTP/1.0" 200 10139 "http://zope.cat-box.net/fmr/mail_test/manage_main" "Mozilla/4.61 [en] (WinNT; I)"

I was watching this in the log using "tail -f", and the time was 16:15
BST.


I also checked the time on the machine: 
$ date
Wed Aug 23 16:15:42 BST 2000

Something awry in the time formatting in ZServer/medusa/http_server.py

Line 260:

    def log_date_string (self, when):
        return time.strftime (
            '%d/%b/%Y:%H:%M:%S ',
            time.gmtime(when)
            ) + tz_for_log


This looks wrong -- it is formatting the time for GMT, but adding on a
spurious timezone to the end. I guess time.gmtime should become
time.localtime.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
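
What the quoted method does to anyone correlating Z2.log with other sources, as an added example (not part of the original post and not the medusa code): the stamp it produces is re-parsed and compared with the true event time. BST is modelled as a fixed +0100 offset and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

CLF = "%d/%b/%Y:%H:%M:%S %z"                 # common log format timestamp
BST = timezone(timedelta(hours=1), "BST")    # assumption: fixed offset stands in for the server's zone

def buggy_log_date(when, local_tz):
    """UTC clock fields with the local offset appended, as the quoted method does."""
    utc_fields = datetime.fromtimestamp(when, timezone.utc)
    offset = datetime.fromtimestamp(when, local_tz).strftime("%z")
    return utc_fields.strftime("%d/%b/%Y:%H:%M:%S ") + offset

def fixed_log_date(when, local_tz):
    """Local clock fields with the local offset: fields and offset now agree."""
    return datetime.fromtimestamp(when, local_tz).strftime(CLF)

def skew_seconds(stamp, when):
    """Difference between the instant a log reader parses from `stamp` and the real event time."""
    return int(datetime.strptime(stamp, CLF).timestamp() - when)

# Constructed sample: the instant of the log entry quoted above (16:15:39 BST).
EVENT = datetime(2000, 8, 23, 16, 15, 39, tzinfo=BST).timestamp()

if __name__ == "__main__":
    for name, fn in (("buggy", buggy_log_date), ("fixed", fixed_log_date)):
        stamp = fn(EVENT, BST)
        print("%s  %s  skew=%ds" % (name, stamp, skew_seconds(stamp, EVENT)))
```

The skew equals the server's UTC offset, so it is zero on a host running in GMT and changes when daylight saving starts or ends.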





[Zope-dev] Logs stamped with wrong time

2000-08-23 Thread Steve Alexander

I've put this in the Collector:

  http://classic.zope.org:8080/Collector/1550/view

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net





[Zope-dev] problems

2000-08-23 Thread Sarciaux, Fabrice

hello

i recently came across zope and decided to give it a try

installation went fine
when asked to start zope as a nt service, i answered yes
and check through the controlpanel-services that it was in fact up and
running

then, i used a browser (ie) to go to http://localhost:8080/manage
but was left with the following text:

Not Found 

i decided to stop the service and to start zope manually
i double-clicked on start.bat and went back to the browser

for some reason, going to http://localhost:8080/manage
froze the browser and the only thing left for me to do was to kill
start.bat


i am running win2000

please let me know what i might be doing wrong or where i could get information
about the above problem?

thanks
fabrice





[Zope-dev] Fw: [Zope] copy / paste support

2000-08-23 Thread Andy McKay

I know some people have helped me on this thread before but I've had a chance
to look at this again and I'm still stumped on this.

Newly created 2.2 objects still have a problem. Using custom class in Zope
2.2.0.

 Thanks.

 - Original Message -
 From: "Andy McKay" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, August 15, 2000 11:05 AM
 Subject: [Zope] copy / paste support


  When trying to copy an item I get the following item on paste:
 
  One or more items referred to in the clipboard data was not found. The item
  may have been moved or deleted after you copied it.
 
  This is a custom python class which is catalogued. I've no idea why this is
  happening. Any ideas?
 
  --
   Andy McKay, Developer, ActiveState
   http://www.ActiveState.com
   Programming for the People
 
 




[Zope-dev] Product creation question

2000-08-23 Thread Daniel Rusch


I've created a product called BasicDocument. I've installed it and it works
great.
I've also created a folderish product. Installed. When a user selects
that product from the available objects list, thus creating an instance of
that product, they have an option to create sub folders which contain
objects like dtml documents, dtml methods, and my BasicDocument product
(very similar to what happens when you instantiate a folder object,
you can have a dtml method created in the new folder).

I am able to have the manage_addSimpleSite function create DTMLDocument,
DTMLMethod and Folder objects but I am unable to have the function create
BasicDocuments (which live in the Products directory). Additionally, I am
unable to have it create any Products from the Products directory,
such as Local File System?

The code below works great, I get a dtml document, two folders
each with a dtml method in them

HOW CAN I CREATE A LOCAL FILE SYSTEM OR ANY OTHER OBJECT FROM THE
PRODUCTS DIRECTORY IN THIS MANAGE_ADD FUNCTION???

    ob.manage_addBasicDocument(id='index_html', title='')

-- THIS LINE GENERATES AN ERROR:
AttributeError: manage_addBasicDocument

ref the code below.
Please reply all if you are responding from the dev list
as I usually don't monitor the dev list.
Thanks,
Dan

def manage_addSimpleSite(self, id, title='',
                         createNewFolder=0,
                         createEditFolder=0,
                         REQUEST=None):
    """Add a new SimpleSite object with id *id*.

    If the 'createNewFolder' and 'createEditFolder' parameters are set
    to any true value, a 'New sub Folder' and an 'edit sub Folder'
    object are created respectively in the new SimpleSite.
    """
    ob=SimpleSite()
    ob.id=id
    ob.title=title
    self._setObject(id, ob)
    try: user=REQUEST['AUTHENTICATED_USER']
    except: user=None
    # THIS LINE GENERATES AN ERROR: AttributeError: manage_addBasicDocument
    ob.manage_addBasicDocument(id='index_html', title='')
    ob.manage_addDTMLDocument(id='index_html', title='')
    if createNewFolder:
        if (user is not None) and not (
            user.has_permission('Add User SimpleSites', self)):
            raise 'Unauthorized', (
                  'You are not authorized to add User SimpleSites.'
                  )
        ob.manage_addFolder(id='New'+id, title='', createPublic=1)
    if createEditFolder:
        if (user is not None) and not (
            user.has_permission('Add Documents, Images, and Files', self)):
            raise 'Unauthorized', (
                  'You are not authorized to add DTML Documents.'
                  )
        ob.manage_addFolder(id='Edit'+id, title='', createPublic=1)
    if REQUEST is not None:
        return self.manage_main(self, REQUEST, update_menu=1)