IRC log of #zope3-dev for Thursday, 2005-03-10

*** bskahan has quit IRC00:10
*** BjornT has quit IRC00:11
*** bradb has quit IRC00:17
*** jdz_ has quit IRC00:18
*** mgedmin has quit IRC00:22
*** srichter has quit IRC00:23
*** bskahan has joined #zope3-dev00:45
*** GaryPoster has quit IRC00:49
*** Aiste has quit IRC00:54
*** Theuni has quit IRC00:56
*** hazmat has quit IRC00:59
*** deo|food is now known as deo00:59
*** srichter has joined #zope3-dev01:08
*** ChanServ sets mode: +o srichter01:09
*** BjornT has joined #zope3-dev01:13
*** jhauser_ has joined #zope3-dev01:20
*** alga has quit IRC01:25
*** stub has joined #zope3-dev01:36
*** jhauser has quit IRC01:36
*** philiKON has joined #zope3-dev01:36
*** philiKON has quit IRC01:42
*** benji_york has quit IRC01:53
*** niemeyer has quit IRC01:58
*** hazmat has joined #zope3-dev02:03
*** tarek__ has quit IRC02:12
*** tarek_ has joined #zope3-dev02:19
*** ignas has quit IRC02:22
*** ignas_ is now known as ignas02:22
*** ignas_ has joined #zope3-dev02:22
*** J1m has quit IRC02:32
*** hazmat has quit IRC02:38
*** hazmat has joined #zope3-dev03:03
*** WebMaven_ has quit IRC03:16
*** GaryPoster has joined #zope3-dev03:27
*** GaryPoster has quit IRC03:30
*** GaryPoster has joined #zope3-dev03:55
*** GaryPoster has quit IRC04:06
*** BjornT has quit IRC05:31
*** bradb has joined #zope3-dev06:25
*** srichter has quit IRC06:30
*** srichter has joined #zope3-dev07:24
*** bskahan has quit IRC07:51
*** d2m has quit IRC08:15
*** Fosten has joined #zope3-dev08:43
*** Fosten has left #zope3-dev08:43
*** d2m has joined #zope3-dev08:48
*** `anthony has quit IRC08:50
*** hdima has joined #zope3-dev09:23
*** Theuni has joined #zope3-dev10:07
*** sashav has joined #zope3-dev10:14
*** tarek_ has quit IRC10:16
*** Aiste has joined #zope3-dev10:40
*** tav|offline has quit IRC10:48
*** tav|offline has joined #zope3-dev10:49
projekt01Is anybody using the PAU and has a setup with sites and subsites?11:12
projekt01I think there is now way to login to a subsite I the first site denies the zope.View.11:13
projekt01The first site is allways offering the login even if I point to the subsites URL11:14
projekt01Is this correct?11:14
projekt01It's not the PAU which forces this, it's the ZopePublication. This means it's the default way.11:16
projekt01My question, what can I do if I like to offer a login directly an the subsite?11:17
*** MalcolmC has joined #zope3-dev11:25
*** Aiste has quit IRC11:31
*** SteveA has quit IRC11:41
*** stub has left #zope3-dev11:43
*** SteveA has joined #zope3-dev11:44
*** Aiste has joined #zope3-dev11:51
*** __gotcha has joined #zope3-dev11:54
*** __gotchaway has quit IRC11:55
*** Aiste has quit IRC11:59
*** sashav has quit IRC12:06
*** dlk has joined #zope3-dev12:09
*** ignas has quit IRC12:27
*** ignas has joined #zope3-dev12:28
*** ignas has quit IRC12:28
*** ignas_ is now known as ignas12:28
*** ignas_ has joined #zope3-dev12:28
*** ChanServ sets mode: +o srichter12:36
*** j-w has joined #zope3-dev12:38
*** watzo has joined #zope3-dev12:38
*** admp has joined #zope3-dev12:46
*** tarek_ has joined #zope3-dev13:03
*** SteveA has quit IRC13:08
*** SteveA has joined #zope3-dev13:17
*** sashav has joined #zope3-dev13:34
*** watzo has quit IRC13:34
*** bradb has quit IRC13:34
*** tvon has quit IRC13:34
*** watzo has joined #zope3-dev13:36
*** bradb has joined #zope3-dev13:36
*** tvon has joined #zope3-dev13:36
*** admp has quit IRC13:40
*** bradb has quit IRC13:40
*** Aiste has joined #zope3-dev13:43
*** mgedmin has joined #zope3-dev13:45
*** sashav_ has joined #zope3-dev13:46
*** dlk has left #zope3-dev13:51
*** sashav has quit IRC13:53
*** BjornT has joined #zope3-dev13:56
*** bradb has joined #zope3-dev13:56
*** MrTopf has joined #zope3-dev14:08
srichterMrTopf: hi, long time, no see :-)14:27
srichterI will be back online in 30-40 mins14:27
*** srichter has quit IRC14:27
*** __gotcha has quit IRC14:49
*** SteveA__ has joined #zope3-dev15:01
*** SteveA__ is now known as SteveA_15:02
*** SteveA has quit IRC15:02
*** SteveA_ is now known as SteveA15:02
*** srichter has joined #zope3-dev15:04
*** ChanServ sets mode: +o srichter15:06
*** `anthony has joined #zope3-dev15:06
*** sashav_ has quit IRC15:07
*** stub has joined #zope3-dev15:11
projekt01srichter, Do you have time to answer a conceptual question?15:15
projekt01I will write a mail to the zope3-dev list15:16
projekt01It's about traverser and subsites.15:16
projekt01Should arrive15:18
ignaswhat is the common speed of processing contributors agreement ?15:19
ignasi have sent one like 2 weeks ago ...15:20
projekt01ignas, I think jim is very bussy, Did you send it him directly?15:20
ignasby email15:20
projekt01Oh, did you send it to jim at zope dot com15:21
ignasjim ar zope org15:21
projekt01Try at zope.com15:21
srichteryeah. is the right onwe15:22
srichterhe will do it almost immediately, so it only should take a couple of hours, once he is in the office in about an hour15:22
ignaswon't he be angry about geting the scan twice ? (it's heavy)15:22
srichterdo a lower res scan15:23
srichteror make it a gray scale image, which should make it small15:23
ignassrichter, it's indexed png already15:24
ignasjust sent it so it's too late for pngcrush15:25
*** niemeyer has joined #zope3-dev15:31
*** deo has quit IRC15:33
*** stub has left #zope3-dev15:52
*** SureshZ has joined #zope3-dev15:57
*** J1m has joined #zope3-dev16:01
*** SteveA__ has joined #zope3-dev16:21
projekt01srichter, did you understand the problem I described in the mail?16:22
srichterI have not looked; I thought you changed your mind16:22
srichterhold on16:23
projekt01Ok, thanks16:23
*** vlado has joined #zope3-dev16:25
*** mkerrin has joined #zope3-dev16:26
srichterprojekt01: your analysis is very good; I just do not have an answer16:27
srichterJ1m is the security expert16:27
projekt01There are many other problems in the situation right now16:28
srichtermmh, this is really tricky too16:28
projekt01We have a Allow/Deny concept whcih doesn't work with subsites16:28
projekt01Once you denied you get restricted the the parent site's PAU login concept16:29
projekt01An hang arround there16:29
srichterJ1m: have you looked at Roger's traversal question mail? It raises a very interesting security issue; I do not know the answer16:29
projekt01But your login info is below16:29
projekt01Yu never reach the subsites Pau again16:29
mgedminprojekt01, I have a real-world metaphor for your situation16:29
mgedminimagine a building with a locked door16:29
mgedminimagine an office inside the building, with another locked door16:29
mgedminto get into the office, you need two keys16:30
mgedminin your example, you need to log into the outer site, and then into the inner site16:30
srichtermgedmin: very good anology16:30
mgedminI think you can grant the necessary permissions to make the outer site traversable by anonymous users16:30
mgedmin(leave the main building door unlocked)16:30
J1mThis is right16:31
mgedminI think you should be able to grant those permissions while denying anonymous users view access to the outer site16:31
J1mYou can grant access to the traversal adapters.16:32
J1mThat should be enough.16:32
projekt01Which traversal adapter? All?16:33
J1mJusr the publication traversal adapters.16:33
projekt01In the core?16:33
* J1m looking it up16:34
projekt01Why not use trusted ITraversal adapters?16:34
J1m  <adapter16:35
J1m      for="
J1m           zope.publisher.interfaces.browser.IBrowserRequest"16:35
J1m      provides="zope.publisher.interfaces.browser.IBrowserPublisher"16:35
J1m      factory=""16:35
J1m      permission="zope.Public"16:35
J1m      trusted='1'16:35
J1m      />16:35
J1m  <adapter16:35
J1m      for="
J1m           zope.publisher.interfaces.browser.IBrowserRequest"16:35
J1m      provides="zope.publisher.interfaces.browser.IBrowserPublisher"16:35
J1m      factory=""16:35
J1m      permission="zope.Public"16:35
J1m      trusted='1'16:35
J1m      />16:35
J1mYou do this in an overrides zcml file for your application.16:35
J1mYou don't modify the zope configuration.16:35
projekt01Can we change this later in the core?16:36
projekt01If it's working16:36
J1mIt works, we use it in our projects.16:36
mgedminprojekt01, I imagine that there can be a security requirement that anonymous users must not distinguish between URLs that do not exist and URLs that exist but are password protected16:36
mgedminI don't know any actual use cases, though16:37
projekt01I'm sure nobody is using subsites. Right?16:37
J1mprojekt01, I'd have to ponder whether this should be a default.16:38
projekt01Right now we have a two step login with subsites. Is this the case we like to have. (It's also OK). For me it's just important to understand the concept.16:39
J1mNo, we should not have a 2-step login.16:39
projekt01Like mgedmin says you need all keys for the building16:39
projekt01J1m, this is the case we have now.16:40
J1mI'll note, that eventually, I want to change the publication process so that a system can have multiple rots.16:40
J1mprojekt01, not with those adapter declarations.16:40
J1mAnd only because you haven't given everyone view in the root16:40
J1mIf we had multiple roots, then each site would be it's own root and you wouldn't have to traverse a top site to get to it.16:41
J1mI think School Tool did something like this.16:41
J1mThe new publication object on my Bobo branch would allow this.16:41
projekt01Not to the root, I denied the zope.View permission on the first site.16:42
projekt01J1m, I don't think your proposal will work, the method _maybePlacefullyAuthenticate in ZopePublication tries also to authenticate on each ISite16:42
J1mYeah, so what16:43
J1mOn the top site, authentication will fail and an unauthenticated user will be returned.16:43
projekt01This forces also the login on the first site16:43
mgedminperhaps there should be two different permissions -- zope.View and zope.Traverse?16:44
mgedminthen projekt01 could just allow traversal for the outer site but disallow views16:44
projekt01Yup, I was thinking about this today:-)16:44
*** SteveA has quit IRC16:44
projekt01I think travers and view are different parts16:44
projekt01J1m, perhaps we can put the concept of the method _maybePlacefullyAuthenticate into a event. This can be overriden.16:46
*** regebro has joined #zope3-dev16:46
*** tvon has quit IRC16:46
projekt01J1m, perhaps the BeforeTraverseEvent and AfterTravereEvent is the right place to do _maybePlacefullyAuthenticate()16:47
*** regebro has quit IRC16:52
*** BjornT has quit IRC16:52
J1mprojekt01, yes, eventually it will be done in an event that fires just before an object is traversed.16:55
J1mThat is, effectively, what happens now.16:55
J1mThe main reason to move it out to an event will be to make the publisher leaner.16:55
projekt01How can I get rid of the method _maybePlacefullyAuthenticate() right now?16:57
J1mwhy do you want to?16:57
J1mYou can't without replacing the publication object.16:57
projekt01It forces a login on the site and stop the traverser travers to the subsite.16:57
J1mBut I don't recommend that.16:57
J1mNo, it doesn't.16:57
J1mIt tries to authenticate.16:58
*** regebro has joined #zope3-dev16:58
J1mIt does not issue a challenge unless you try to acess something that is not public.16:58
J1m]If you make the traversers public, as I suggested, then you won't have a problem.16:58
J1mIf you make the traversers public, as I suggested, then you won't have a problem.16:59
J1mAlternatively, you can grant zope.View for everyone in the root site and deny it in the subsite.16:59
projekt01Our site is more then just a login hook. I can't give zope.View permissions there.17:00
J1mOK, then make the traverses public.17:00
mgedminJ1m, the other day I was thinking about noninheritable grants17:00
mgedminyou can't just say "I want zope.View for this container, but not for objects contained within it"17:00
J1mOr you can replace the publication object if you insist.17:01
J1mmgedmin, in our customer projects, our grants are mostly non-acquireable.17:01
mgedminhow do you do that?17:01
mgedmina different security policy?17:01
J1m(That can only be acquired by objects that can't have their own grants.)17:01
J1mYes, we are using a different security policy.17:02
mgedminbut security policy is global -- you can't switch to a different one in a site17:02
*** SureshZ has quit IRC17:02
J1mright, not currently.17:02
mgedminthat means, if you want multiple apps to interoperate in a single zope instance, you have to use the default security policy17:02
J1mYou have to use the same security policy, yes.17:03
J1m(you don't have to use the default one.)17:03
J1mEventually, I'd like to change this.17:03
*** bskahan has joined #zope3-dev17:03
J1mYou could actually change this yourself now.17:03
J1mThe security policy is really just an interaction factory.17:04
J1mYou could create a security policy that looks up an interaction factory.17:04
projekt01Is it not a better solution to Deny in the root by default and Allow in a site as the default concept.17:05
J1mThat depends on your application.17:06
projekt01Why? Which usecase can't be done with this pattern17:06
*** tvon has joined #zope3-dev17:06
*** hdima has quit IRC17:06
regebroQ: Ehm, OK, so I have an addform, right. But I want one of the fields to have a different default depending on what object it is created in. How do I do that?17:06
regebroSomething in update() perhaps?17:07
J1mYou can provide a class that overrides _setUpWidgets.17:08
regebroOK, I'll check into that.17:08
J1mCall the base than call setRenderedValue on the desired widget.17:09
J1mprojekt01, maybe I want the top site to be public and use subsites for member functions.17:10
*** tvon has quit IRC17:10
*** tvon has joined #zope3-dev17:10
projekt01Jim, this can be done in the principals.zcml with the right configuration, right?17:11
*** SureshZ has joined #zope3-dev17:11
J1mCan what be done?17:11
projekt01Give zope.View permission to Unauthenticated principals.17:12
projekt01Then you can access the top site by default17:13
*** tvon has quit IRC17:15
projekt01I see your solution with the trusted adapter, but I'm scary about to use a non standard way. If we whould change the default way (Deny by default and Allow optional) it's much more clear what to do.17:15
*** tvon has joined #zope3-dev17:15
J1mRight, you could give zope.View to Unauthorized.  I suggested that earlier. That is an option.17:16
J1mZope 3 is meant to be pluggable.  I see nothing scary about overriding component registrations as long as you understand what's going on.17:17
J1mI'll note that, in our app, we want to allow traversal to any object, even if we have to traverse objects that a user doesn't have other access to.17:18
projekt01Not just in our app. Right now the zope server offers a 2 step login for subsites.17:19
projekt01This is the default concept right now. And I see you don't like that. Right?17:19
J1mThat depends on how it is configures.17:20
J1mIf you grant View to the unauthenticated user or Everybody, you won't get a two-step login.17:21
projekt01Yes everything is changable, but that's the default if you stat the server, and you have to register trusted adapters in a override.zcml.17:21
projekt01I'm wondering if this can be done form scripters?17:21
J1mNo, this can't be done by scriptors today.17:21
J1mGotta go17:21
*** J1m is now known as J1m|away17:22
*** BjornT has joined #zope3-dev17:22
*** mkerrin has quit IRC17:22
*** tvon|x31 has joined #zope3-dev17:24
*** tvon has quit IRC17:25
*** zagy has quit IRC17:30
*** mgedmin has quit IRC17:33
*** zagy has joined #zope3-dev17:35
*** tvon has joined #zope3-dev17:40
*** tvon|x31 has quit IRC17:40
*** tarek_ has quit IRC18:12
*** tarek_ has joined #zope3-dev18:15
*** SteveA__ is now known as SteveA18:18
regebroWell J1m|away is away, but he still rocks, and so does Zope3. The widget update thing works, and now I get different default days depending on which day I am viewing when I press "Add events". This calendar application will rock! (In a month or two).18:30
*** Theuni has quit IRC18:32
*** zagy has quit IRC18:36
*** regebro has quit IRC18:37
*** Theuni has joined #zope3-dev18:37
*** mgedmin has joined #zope3-dev18:38
projekt01mgedmin, thanks for the building/key sample ;-)18:42
*** j-w has left #zope3-dev18:49
mgedminI'm glad it was helpful18:55
projekt01What do you think, is the standard way right now OK, or should we workout another securitypolicy? I'm not sure what's Jim's ideas for this.18:56
mgedminit's a question that requires much thought18:57
mgedminI am not prepared to answer now18:57
projekt01Perhaps we should start a proposal with usecases and show different server configurations.18:58
projekt01Later we can find a good "everybody fit" solution18:58
mgedminperhaps the default security policy should use adapters18:58
mgedminICheckPermission(object).hasPermission(principal, permission_id) or something18:59
mgedminI believe Steve uses something like that in Launchpad18:59
projekt01At least it should be replaceable.19:00
projekt01What's Launchpad?19:00
*** SureshZ has left #zope3-dev19:04
*** SureshZ has joined #zope3-dev19:07
*** watzo has quit IRC19:10
*** deo has joined #zope3-dev19:10
*** tvon|x31 has joined #zope3-dev19:13
*** tvon has quit IRC19:13
*** bskahan has quit IRC19:18
*** tarek_ has quit IRC19:24
*** MrTopf has quit IRC19:29
*** zagy has joined #zope3-dev19:40
*** Aiste has quit IRC19:41
*** Aiste has joined #zope3-dev19:44
*** watzo has joined #zope3-dev19:59
*** SureshZ has quit IRC20:08
*** MalcolmC has quit IRC20:10
*** mohsen has joined #zope3-dev20:27
*** bskahan has joined #zope3-dev20:40
*** vlado has quit IRC21:00
*** sashav has joined #zope3-dev21:02
*** ignas is now known as ignas|away21:16
*** tvon|x31 has quit IRC21:49
*** sashav has quit IRC21:56
*** alga has joined #zope3-dev22:18
*** mohsenX has joined #zope3-dev22:56
*** jhauser_ has quit IRC23:10
*** bradb has quit IRC23:11
*** zagy has quit IRC23:12
*** hazmat has quit IRC23:13
*** bskahan has quit IRC23:16
*** tvon has joined #zope3-dev23:19
*** srichter has quit IRC23:26
*** jhauser has joined #zope3-dev23:31
*** bskahan has joined #zope3-dev23:33
*** jhauser has joined #zope3-dev23:34
*** hazmat has joined #zope3-dev23:37
*** srichter has joined #zope3-dev23:40
*** ChanServ sets mode: +o srichter23:41
*** jhauser has quit IRC23:56
*** bradb has joined #zope3-dev23:58
*** mgedmin has quit IRC23:59

Generated by 2.15.1 by Marius Gedminas - find it at!