Re: [Zope-dev] Xron and security
Loren Stafford wrote:

> Thanks, Steve. I have a few questions below 8-) (I'm always better with
> questions than answers.)
>
> -- Loren
>
> From: "Steve Alexander" [EMAIL PROTECTED]
>
> > Hi Loren,
> >
> > I'd be glad to listen to well considered proposals for how Xron should
> > handle security. Consider this a "straw man".
> >
> > On installation, Xron creates a user in the root user folder called
> > "XronUser". Xron is responsible for setting this user's password.
> > Therefore, it is known to both the Xron product, and also to the root
> > user folder.
> >
> > When a Xron method is run, there is a property that indicates whether
> > it is called anonymously, or authenticated as XronUser.
>
> Is there a good reason not to always pass authentication in the request?
> The authentication property would have to be stored in the Schedule
> catalog, and I'd like to keep the Schedule as small as possible. I can't
> think of a concrete example of when I'd want to have a Xron method
> called with no authentication, when authentication is available.

XronUser would be a privileged user, and it might be useful to run scheduled methods without using that privilege. However, in the 2.2 security model, you can drop privilege using proxy roles, so I don't think your suggestion above is a limitation.

So, no, I can't see a good reason not to always pass authentication in the request.

> > The Xron product could change the password of XronUser every day to a
> > new random value.
>
> That's more than folks do to maintain secrecy of the "superuser"
> password. Is the extra trouble worthwhile?

I put this in as an example to illustrate that only the Xron product, and the Zope root user folder need to know the XronUser password. You're right, it really doesn't need to change every day :-)

However, there should be a manage_... method in Xron that will change the password to a new random value. Then, if people wanted the password changed every day, they could use a Xron DTML Method to do it :-)

Perhaps also a button somewhere in the Xron product, or in the Schedule, to call the manage_resetXronPassword method.

> > The domains associated with XronUser could be just localhost.localdomain
> > (not sure about this). Or based on whatever the machine's host-name is
> > (probably better).
>
> At a virtual-hosted site, how could Xron know what the host-name is?

Xron must know (in some sense) what the host name is now, in order to use ZClient to call a Xron DTML Method. I guess this is because the URL to use comes from absolute_url() in Zope.

I'm using Xron 0.0.9 on a virtual-hosted site, and it works.

However, restricting a User's domains doesn't work as I would expect. The configuration is ZServer behind Apache+ProxyPass. If I put any value in the "domains" field of a User, other than "127.0.0.1", that User cannot log in at all. I haven't looked into this particularly yet.

In AccessControl/User.py, login restriction by domain works using REMOTE_HOST and REMOTE_ADDR from the REQUEST.

I sent myself an email from a Xron DTML Method on two Zope 2.2.1b1 machines, one just running ZServer, the other virtual-hosted as described above.

In the case of the virtual-hosted server, I get emailed:

    REMOTE_ADDR 127.0.0.1

In the case of the bare ZServer, I get emailed:

    REMOTE_ADDR my_server's_ip_address

Also, for the virtual server, ZClient seems to choose an appropriate HTTP_HOST.

So, it seems that the correct domain restriction to use depends on just how you're using ZServer.

I can think of three ways around this:

1: Don't bother restricting by domain for XronUser.

2: Allow a Manager to configure what domains XronUser may log in from.

3: Use ZClient to call a method in Xron. Xron inspects the REQUEST passed for this method, extracts the REMOTE_ADDR and REMOTE_HOST, and uses one of these as the domain restriction. If you go with 3, there will need to be some button in Xron's management interface to re-determine the correct domain to use.

If I were writing the software, I'd choose 2, and let the Manager of a site make the decision.

--
Steve Alexander
Software Engineer
Cat-Box ltd
http://www.cat-box.net

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
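An added example, not Xron's or Zope's code, of option 2 above: a Manager-configured list of domains for the scheduler account, checked against REMOTE_ADDR and REMOTE_HOST in the way the post says AccessControl/User.py does, plus a reset routine that gives the account a fresh random password (the manage_resetXronPassword idea). The accepted entry formats (plain IP, CIDR network, hostname, "*.suffix" wildcard) are assumptions, and the two request dictionaries are constructed to mirror the two observations in the post: 127.0.0.1 for ZServer behind Apache+ProxyPass, and 192.0.2.10 standing in for the server's own address on a bare ZServer.

```python
import ipaddress
import secrets

# Constructed request environments, mirroring the post's two observations.
# Behind Apache+ProxyPass the application only ever sees the proxy's address.
PROXIED_REQUEST = {"REMOTE_ADDR": "127.0.0.1", "REMOTE_HOST": "localhost"}
# Bare ZServer: the client's real address; 192.0.2.10 is a documentation
# address standing in for "my_server's_ip_address" in the post.
BARE_REQUEST = {"REMOTE_ADDR": "192.0.2.10", "REMOTE_HOST": ""}


def domain_matches(entry, remote_addr, remote_host):
    """Return True if one allow-list entry matches the request origin.

    Entry formats (assumed for this example):
      "127.0.0.1"        exact IP address, compared against REMOTE_ADDR
      "192.0.2.0/24"     CIDR network, compared against REMOTE_ADDR
      "host.example.org" exact hostname, compared against REMOTE_HOST
      "*.example.org"    hostname suffix wildcard, compared against REMOTE_HOST
    """
    entry = entry.strip().lower()
    if not entry:
        return False
    if "/" in entry:
        try:
            return ipaddress.ip_address(remote_addr) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    try:
        return ipaddress.ip_address(remote_addr) == ipaddress.ip_address(entry)
    except ValueError:
        pass  # entry is not an address, so treat it as a hostname pattern
    host = (remote_host or "").strip().lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # "*.example.org" -> ".example.org"
    return host == entry


def login_allowed(domains, request):
    """Zope-style semantics: an empty domain list means no restriction."""
    if not domains:
        return True
    addr = request.get("REMOTE_ADDR", "")
    host = request.get("REMOTE_HOST", "")
    return any(domain_matches(d, addr, host) for d in domains)


def new_scheduler_password(nbytes=24):
    """Fresh random password for the scheduler account, from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # With domains = ["127.0.0.1"], the proxied deployment logs in and the
    # bare one is refused, which is the behaviour the post describes.
    for name, req in (("proxied", PROXIED_REQUEST), ("bare", BARE_REQUEST)):
        print(name, "allowed:", login_allowed(["127.0.0.1"], req))
    print("new password:", new_scheduler_password())
```

The check makes the post's caveat concrete: behind a reverse proxy every request arrives from the proxy's address, so a "127.0.0.1" entry admits anything the proxy forwards and the restriction is only as strong as the proxy's own access control.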
[Zope-dev] Logs stamped with wrong time
Zope 2.2 CVS checkout August 21.

I'm in the BST timezone, which is GMT+1. All the entries in Z2.log are one hour behind where they should be.

    127.0.0.1: - - [23/Aug/2000:15:15:39 +0100] "POST /fmr/mail_test/manage_edit HTTP/1.0" 200 10139 "http://zope.cat-box.net/fmr/mail_test/manage_main" "Mozilla/4.61 [en] (WinNT; I)"

I was watching this in the log using "tail -f", and the time was 16:15 BST. I also checked the time on the machine:

    $ date
    Wed Aug 23 16:15:42 BST 2000

Something awry in the time formatting in ZServer/medusa/http_server.py, line 260:

    def log_date_string (self, when):
        return time.strftime (
            '%d/%b/%Y:%H:%M:%S ',
            time.gmtime(when)
            ) + tz_for_log

This looks wrong -- it is formatting the time for GMT, but adding on a spurious timezone to the end. I guess time.gmtime should become time.localtime.

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
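An added example, not medusa's or Zope's code, that reproduces the defect described above and shows why it matters for log analysis: one formatter renders the fields in GMT and still appends the local offset (the reported bug), the other renders them in local time so the fields and the offset agree. Parsing each stamp back and comparing with the real instant gives the skew an investigator would have to correct for when building a timeline. The instant is constructed to match the post (16:15:39 BST on 23 Aug 2000); the fixed +01:00 zone and the helper names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed instant: 16:15:39 BST on 23 Aug 2000, i.e. 15:15:39 UTC.
BST = timezone(timedelta(hours=1), "BST")
WHEN = datetime(2000, 8, 23, 16, 15, 39, tzinfo=BST).timestamp()

LOG_FORMAT = "%d/%b/%Y:%H:%M:%S "


def tz_for_log(tz):
    """Render a fixed UTC offset as the +HHMM suffix used in CLF-style logs."""
    total = int(tz.utcoffset(None).total_seconds())
    sign = "+" if total >= 0 else "-"
    total = abs(total)
    return "%s%02d%02d" % (sign, total // 3600, (total % 3600) // 60)


def log_date_string_buggy(when, tz):
    """The defect from the post: fields rendered in GMT, local offset appended."""
    return datetime.fromtimestamp(when, timezone.utc).strftime(LOG_FORMAT) + tz_for_log(tz)


def log_date_string_fixed(when, tz):
    """Fields rendered in local time, so they agree with the appended offset."""
    return datetime.fromtimestamp(when, tz).strftime(LOG_FORMAT) + tz_for_log(tz)


def parse_log_date(stamp):
    """Parse a stamp such as '23/Aug/2000:15:15:39 +0100' back into an aware datetime."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def skew_seconds(stamp, when):
    """How far the instant recorded by a stamp deviates from the true instant."""
    return parse_log_date(stamp).timestamp() - when


if __name__ == "__main__":
    for label, fn in (("gmtime", log_date_string_buggy), ("localtime", log_date_string_fixed)):
        stamp = fn(WHEN, BST)
        print("%-9s %s  skew=%+.0fs" % (label, stamp, skew_seconds(stamp, WHEN)))
```

The buggy stamp parses to an instant one hour earlier than the event it records, so correlating Z2.log with a correctly stamped source (Apache's access log in the ProxyPass setup, for instance) would misalign every entry by exactly the local offset.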
[Zope-dev] Logs stamped with wrong time
I've put this in the Collector: http://classic.zope.org:8080/Collector/1550/view

--
Steve Alexander
Software Engineer
Cat-Box limited
http://www.cat-box.net
[Zope-dev] problems
Hello,

I recently came across Zope and decided to give it a try. Installation went fine. When asked to start Zope as an NT service, I answered yes and checked through Control Panel / Services that it was in fact up and running. Then I used a browser (IE) to go to http://localhost:8080/manage but was left with the following text:

    Not Found

I decided to stop the service and to start Zope manually. I double-clicked on start.bat and went back to the browser. For some reason, going to http://localhost:8080/manage froze the browser and the only thing left for me to do was to kill start.bat.

I am running Win2000. Please let me know what I might be doing wrong, or where I could get information about the above problem.

Thanks,
fabrice
[Zope-dev] Fw: [Zope] copy / paste support
I know some people have helped me on this thread before, but I've had a chance to look at this again and I'm still stumped on this. Newly created 2.2 objects still have a problem. Using a custom class in Zope 2.2.0.

Thanks.

----- Original Message -----
From: "Andy McKay" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 15, 2000 11:05 AM
Subject: [Zope] copy / paste support

When trying to copy an item I get the following item on paste:

    One or more items referred to in the clipboard data was not found.
    The item may have been moved or deleted after you copied it.

This is a custom python class which is catalogued. I've no idea why this is happening. Any ideas?

--
Andy McKay, Developer, ActiveState
http://www.ActiveState.com
Programming for the People

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope-dev] Product creation question
I've created a product called BasicDocument. I've installed it and it works great.

I've also created a folderish product. Installed. When a user selects that product from the available objects list, thus creating an instance of that product, they have an option to create sub folders which contain objects like dtml documents, dtml methods, and my BasicDocument product (very similar to what happens when you instantiate a folder object: you can have a dtml method created in the new folder).

I am able to have the manage_addSimpleSite function create DTMLDocument, DTMLMethod and Folder objects, but I am unable to have the function create BasicDocuments (which live in the Products directory). Additionally, I am unable to have it create any Products from the Products directory, such as Local File System.

The code below works great; I get a dtml document, and two folders each with a dtml method in them.

HOW CAN I CREATE A LOCAL FILE SYSTEM OR ANY OTHER OBJECT FROM THE PRODUCTS DIRECTORY IN THIS MANAGE_ADD FUNCTION???

    ob.manage_addBasicDocument(id='index_html', title='')
    -- THIS LINE GENERATES AN ERROR: AttributeError: manage_addBasicDocument

Ref the code below. Please reply all if you are responding from the dev list, as I usually don't monitor the dev list.

Thanks,
Dan

    def manage_addSimpleSite(self, id, title='', createNewFolder=0,
                             createEditFolder=0, REQUEST=None):
        """Add a new SimpleSite object with id *id*.

        If the 'createNewFolder' and 'createEditFolder' parameters are
        set to any true value, a 'New sub Folder' and an 'edit sub Folder'
        object are created respectively in the new SimpleSite.
        """
        ob=SimpleSite()
        ob.id=id
        ob.title=title
        self._setObject(id, ob)
        try:
            user=REQUEST['AUTHENTICATED_USER']
        except:
            user=None
        # THIS LINE GENERATES AN ERROR: AttributeError: manage_addBasicDocument
        ob.manage_addBasicDocument(id='index_html', title='')
        ob.manage_addDTMLDocument(id='index_html', title='')
        if createNewFolder:
            if (user is not None) and not (
                    user.has_permission('Add User SimpleSites', self)):
                raise 'Unauthorized', (
                    'You are not authorized to add User SimpleSites.'
                    )
            ob.manage_addFolder(id='New'+id, title='', createPublic=1)
        if createEditFolder:
            if (user is not None) and not (
                    user.has_permission('Add Documents, Images, and Files', self)):
                raise 'Unauthorized', (
                    'You are not authorized to add DTML Documents.'
                    )
            ob.manage_addFolder(id='Edit'+id, title='', createPublic=1)
        if REQUEST is not None:
            return self.manage_main(self, REQUEST, update_menu=1)