I have a collection of session objects, each corresponding to an active user, each stored away in a session data container which is, itself, stored away in a transience object (aka temp_folder). For system monitoring purposes I want a privileged user to be able to look at the session data objects. The documentation (Zope Book, 2_6 Ed) is silent on this question. A first attempt at looking inside a session data container failed on security even at the highest privilege level. I'm assuming that access is only allowed from External Methods and Products, but thought I'd ask the group before reading the code and experimenting.
-d
You'll need to be a little more specific when you say "able to look at the session data objects". What methods do you want to call on the session data container?
On Sun, 2003-08-31 at 19:32, Dennis Allison wrote:
> I have a collection of session objects, each corresponding to an active user, each stored away in a session data container which is, itself, stored away in a transience object (aka temp_folder). For system monitoring purposes I want a privileged user to be able to look at the session data objects. The documentation (Zope Book, 2_6 Ed) is silent on this question. A first attempt at looking inside a session data container failed on security even at the highest privilege level. I'm assuming that access is only allowed from External Methods and Products, but thought I'd ask the group before reading the code and experimenting.
> -d
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
No problem. I want to write a monitoring program to maintain running summaries of users. We store a lot of information as session variables and so I'll want to look at the stored session variable for all active sessions. This does not appear to be possible without doing a Product or using an External Method--I've already built a bit of a framework for what I need using external methods.
-d
On 1 Sep 2003, Chris McDonough wrote:
> You'll need to be a little more specific when you say "able to look at the session data objects". What methods do you want to call on the session data container?
I still don't know the methods you want to call, but I'll venture a guess as to how you want to do this.
Some of the desire for this functionality has already been predicted. There is a method on the session data manager named getSessionDataByKey, which returns a session data object for a particular browser id. It is protected by the "Access arbitrary user session data" permission, which by default is granted to a Manager. Once he's gotten the object, any user can do whatever he wants with it (it is not protected by any permission in any way).
So the trick is getting the list of active sessions (really just their browser ids) and allowing users to call getSessionDataByKey. Unfortunately, there is no way to get the list of current sessions without writing an external method or Product at the moment. You could add a security declaration to the "keys" method of the transient object container which would then allow you to do this in TTW code. However, that method is not part of the public API and is subject to change without notice (although it's unlikely to go away).
I would probably accept a patch that made what you're doing possible as long as it didn't negatively impact sessioning security.
HTH!
- C
On Mon, 2003-09-01 at 23:25, Dennis Allison wrote:
> No problem. I want to write a monitoring program to maintain running summaries of users. We store a lot of information as session variables and so I'll want to look at the stored session variable for all active sessions. This does not appear to be possible without doing a Product or using an External Method--I've already built a bit of a framework for what I need using external methods.
> -d
Thanks Chris, that helps. I'll explore a bit and let you know what I end up doing.
-dra
On 1 Sep 2003, Chris McDonough wrote:
> I still don't know the methods you want to call, but I'll venture a guess as to how you want to do this.
> Some of the desire for this functionality has already been predicted. There is a method on the session data manager named getSessionDataByKey, which returns a session data object for a particular browser id. It is protected by the "Access arbitrary user session data" permission, which by default is granted to a Manager. Once he's gotten the object, any user can do whatever he wants with it (it is not protected by any permission in any way).
> So the trick is getting the list of active sessions (really just their browser ids) and allowing users to call getSessionDataByKey. Unfortunately, there is no way to get the list of current sessions without writing an external method or Product at the moment. You could add a security declaration to the "keys" method of the transient object container which would then allow you to do this in TTW code. However, that method is not part of the public API and is subject to change without notice (although it's unlikely to go away).
> I would probably accept a patch that made what you're doing possible as long as it didn't negatively impact sessioning security.
> HTH!
> - C
On 1 Sep 2003, Chris McDonough wrote:
> I would probably accept a patch that made what you're doing possible as long as it didn't negatively impact sessioning security.
What I want to do (look into the values of session variables for a multiplicity of users) probably counts as a negative impact on sessioning security. I think it is best relegated to External Methods and/or Products.
Participants (2): Chris McDonough, Dennis Allison
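The route the thread settles on, sketched as an added example (not code posted by either participant and not taken from Zope): an External Method that enforces the "Access arbitrary user session data" permission itself and returns only allow-listed session variables. The object ids `session_data_manager` and `temp_folder.session_data`, the `SUMMARY_FIELDS` names and all helper names are assumptions; the core function takes the container and manager as arguments so it also runs without Zope.

```python
# Added example: not code from the thread or from Zope itself.
PERMISSION = "Access arbitrary user session data"  # permission named in the thread
SUMMARY_FIELDS = ("user", "last_page")  # assumed allow-list of session variables


def summarize_sessions(container, manager, may_access):
    """Return {browser_id: {field: value}} for every active session.

    container  -- transient object container; only keys() is called
    manager    -- session data manager; only getSessionDataByKey() is called
    may_access -- callable(permission) -> bool for the calling user
    """
    # External Methods are not subject to restricted-code security checks,
    # so the permission must be enforced explicitly before any data is read.
    if not may_access(PERMISSION):
        raise PermissionError("caller lacks %r" % PERMISSION)
    summary = {}
    for browser_id in list(container.keys()):
        data = manager.getSessionDataByKey(browser_id)
        if data is None:  # no data for this id, e.g. the session timed out
            continue
        # Copy allow-listed values only; never return the live session object,
        # which carries no permission checks of its own.
        summary[browser_id] = {f: data.get(f) for f in SUMMARY_FIELDS}
    return summary


def session_summary(self):
    """External Method entry point; needs a running Zope (object ids assumed)."""
    from AccessControl import getSecurityManager
    manager = self.session_data_manager        # assumed object id
    container = self.temp_folder.session_data  # assumed object id
    user_may = lambda perm: getSecurityManager().checkPermission(perm, manager)
    return summarize_sessions(container, manager, user_may)


class FakeManager:
    """Constructed stand-in for the session data manager (offline demo)."""
    def __init__(self, sessions):
        self.sessions = sessions

    def getSessionDataByKey(self, key):
        return self.sessions.get(key)


def demo(allowed):
    # Constructed sample sessions keyed by made-up browser ids.
    sessions = {"b1": {"user": "alice", "cart": [1, 2]},
                "b2": {"user": "bob", "last_page": "/x"}}
    return summarize_sessions(sessions, FakeManager(sessions), lambda p: allowed)
```

Returning copies of a fixed set of fields keeps the monitoring view from becoming a general way to read or modify other users' sessions.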