Hi all! Some days ago I sent the list a question about a problem losing user credentials. In my code I don't use anything about security and nothing is changed on the ZMI's security tab. But when I launch a method (Borrar, if you remember) the user who launches the action is Anonymous, not the logged-in one. Can you point me to what is happening? Thanks! -- Mis Cosas: http://blogs.sistes.net/Garito
--On 12. März 2007 04:04:31 +0100 Garito <garito@gmail.com> wrote:
Hi all! Some days ago I sent the list a question about a problem losing user credentials
In my code I don't use anything about security and nothing is changed on the ZMI's security tab
But when I launch a method (Borrar, if you remember) the user who launches the action is Anonymous, not the logged-in one
Somewhat hard to believe without a detailed description.... -aj
Hi Andreas! What kind of information do you need? In my last messages to the list I sent the tracebacks and some other information (do I need to resend them?) Could you point me to what details you need? Thank you so much for your interest! 2007/3/12, Andreas Jung <lists@zopyx.com>:
Somewhat hard to believe without a detailed description....
-aj
Could any charitable soul take pity on this poor sinner, please...? 2007/3/12, Garito <garito@gmail.com>:
Hi Andreas! What kind of information do you need? In my last messages to the list I sent the tracebacks and some other information (do I need to resend them?)
Could you point me to what details you need?
Thank you so much for your interest!
If you create a new posting, you should include all related information. I don't go hunting for information somewhere else. -aj --On 12. März 2007 18:56:28 +0100 Garito <garito@gmail.com> wrote:
Could any charitable soul take pity on this poor sinner, please...?
-- ZOPYX Ltd. & Co. KG - Charlottenstr. 37/1 - 72070 Tübingen - Germany Web: www.zopyx.com - Email: info@zopyx.com - Phone +49 - 7071 - 793376 Registergericht: Amtsgericht Stuttgart, Handelsregister A 381535 Geschäftsführer/Gesellschafter: ZOPYX Limited, Birmingham, UK ------------------------------------------------------------------------ E-Publishing, Python, Zope & Plone development, Consulting
I did not catch the original post and so don't know any of the details, but it sounds like a problem with the logging system, not a loss of credentials. We had long ago and resolved with the list's help. This patch is still in use with Zope 2.9.X. You need to patch ../lib/python/ZServer/medusa/http_server.py --- ./v0.0/http_server.py 2004-12-25 22:39:31.000000000 -0800 +++ ./v0.1/http_server.py 2004-12-25 22:39:31.000000000 -0800 @@ -36,6 +36,9 @@ from counter import counter from urllib import unquote +# Paul's Patch (a shameful thing) to make names register properly +from ZPublisher.HTTPRequest import parse_cookie + # =========================================================================== # Request Object # =========================================================================== @@ -277,6 +280,7 @@ auth=self.get_header('Authorization') name='Anonymous' + if auth is not None: if string.lower(auth[:6]) == 'basic ': try: decoded=base64.decodestring(auth[6:]) @@ -286,10 +290,35 @@ name = 'Unknown (bad auth string)' else: name = t[0] + else: + # start of patch + try: + auth_cookie_name='__ac' + cookie= None + try: + cookies = {} + header_value = self.get_header("Cookie") + if header_value: + parse_cookie(header_value, cookies) + cookie = cookies.get(auth_cookie_name, None) + except: + name = 'Anonymous' + + if cookie is not None: + cookie = unquote(cookie) + try: + cookie = base64.decodestring(cookie) + name, password = tuple( cookie.split(':',1)) + except: name= "Unknown (bad auth cookie)" + except: + name = "Failure!" + # end of patch + # log the host domain too self.channel.server.logger.log ( self.channel.addr[0], - '- %s [%s] "%s" %d %d "%s" "%s"\n' % ( + '%s %s [%s] "%s" %d %d "%s" "%s"\n' % ( + self.get_header('Host'), name, self.log_date_string (time.time()), self.request, Hope this helps. On Mon, 12 Mar 2007, Garito wrote:
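Review bot: the import added in the first hunk, `from ZPublisher.HTTPRequest import parse_cookie`, makes the Medusa server layer depend on the publisher layer (the comment itself calls the patch shameful for that reason); the cookie-header parsing the third hunk needs is small enough to inline in http_server.py or to put in a helper under ZServer, so the server module stays importable without ZPublisher. It is also imported unconditionally but only used inside the bare try/except of the later hunk, so a missing or renamed `parse_cookie` fails at module import rather than falling through to the 'Failure!' branch.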
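Review bot: in the `else:` branch of the third hunk the `__ac` cookie is decoded but never verified, so `name` is whatever base64 `user:password` the client chose to send; the access log will then attribute a request to any account name a visitor writes into a forged `__ac` cookie, which matters if these logs are ever used for audit. Two smaller points in the same branch: `name, password = tuple( cookie.split(':',1))` unpacks the cleartext password into a local that is never used, and `cookie.split(':', 1)[0]` keeps it out of the logging path; and the five bare `except:` clauses swallow KeyboardInterrupt and SystemExit along with decode errors, where `except (binascii.Error, ValueError):` is what `decodestring` and the split can actually raise. Finally the hunk writes `name` and the new `self.get_header('Host')` field into the log line unescaped, so a quote or newline in either forges extra fields or lines; the existing Basic branch already has this property for `name = t[0]`, so one sanitising step before `logger.log` covers both.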
Could any charitable soul take pity on this poor sinner, please...?
Sorry, the gmail response was sent only to the original poster, not to the list (sorry Andreas). The original post:

The question then (sorry):

I have a product called Yanged. This product has overridden:
__bobo_traverse__, which returns some objects and sometimes a wrapper object with the HTML code for the browser
__call__, which returns the HTML code to __bobo_traverse__, or if you call the object itself
index_html, which returns __call__
A TALES evaluator to evaluate some TALES expressions outside of page templates

All works OK except when I try to delete some objects. When I try to launch the delete method it raises an Unauthorized error and asks for a new login and password. I try with my user, who is Manager and Owner, but the logon doesn't work and raises the same error.

If I look at the error log I can see this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 106, in publish
  Module ZPublisher.BaseRequest, line 323, in traverse
  Module Products.Yanged.Yanged, line 61, in __bobo_traverse__
  Module Products.Yanged.Yanged, line 141, in __call__
  Module Products.Yanged.Yanged, line 170, in Ejecutar
  Module Products.Yanged.Yanged, line 125, in __call__
  Module Products.Yanged.Yanged, line 170, in Ejecutar
  Module Shared.DC.Scripts.Bindings, line 311, in __call__
  Module Shared.DC.Scripts.Bindings, line 348, in _bindAndExec
  Module Products.PythonScripts.PythonScript, line 325, in _exec
  Module None, line 2, in BorrarFuncionalidad
   - <PythonScript at /sistes.net/clientes/escobarsl.com/Comandos/BorrarFuncionalidad used for /sistes.net/clientes/escobarsl.com/Pagina/Borrar/BorrarCaso>
   - Line 2
  Module AccessControl.ImplPython, line 729, in guarded_getattr
  Module AccessControl.ImplPython, line 671, in aq_validate
  Module AccessControl.ImplPython, line 565, in validate
  Module AccessControl.ImplPython, line 463, in validate
  Module AccessControl.ImplPython, line 810, in raiseVerbose
Unauthorized: Your user account does not have the required permission.
Access to 'manage_delObjects' of (Yanged at /sistes.net/clientes/escobarsl.com/Pagina/Funcionalidades) denied. Your user account, Anonymous User, exists at (unknown). Access requires one of the following roles: ['Manager']. Your roles in this context are ['Anonymous'].

If I try to delete the object the error is raised, but if I immediately try to create another object it works OK.

This is the code of BorrarFuncionalidad (the code that raises the error) and CrearFuncionalidad (the code that works OK). Both are Python Scripts:

BorrarFuncionalidad:
    # folder that holds the Funcionalidades objects; 'args' is a mapping passed in by the caller
    carpeta = getattr(context.Singular(), 'Funcionalidades')
    carpeta.manage_delObjects(args['path'])   # this is the call that raises Unauthorized
    return args

CrearFuncionalidad:
    carpeta = getattr(context.Singular(), 'Funcionalidades')
    Id = context.Dame(context.Id)
    # add a new Yanged object to the folder and hand it back to the caller
    args['caso'] = carpeta.manage_addProduct['Yanged'].CrearYanged(Id)
    return args

Both scripts are launched in the same way (the Ejecutar method you can see in the traceback above). I tried to track the user from __bobo_traverse__ to __call__ and it seems the user credentials are lost when I call CrearFuncionalidad (in the whole call). Can you point me to some clues to solve this problem? Thanks! 2007/3/12, Dennis Allison <allison@shasta.stanford.edu>:
I did not catch the original post and so don't know any of the details, but it sounds like a problem with the logging system, not a loss of credentials. We had long ago and resolved with the list's help. This patch is still in use with Zope 2.9.X.
Garito wrote at 2007-3-12 04:04 +0100:
... In my code I don't use anything about security and nothing is changed on the ZMI's security tab
But when I launch a method (Borrar, if you remember) the user who launches the action is Anonymous, not the logged-in one
Your problem description is too terse to say something definite about the real problem. But I can tell you that whether or not a user appears to be anonymous or logged in depends only slightly on security settings.

The process is as follows: the URL traversal determines the published object and the path to reach it. From the published object, the roles necessary to access it are determined. Then a user folder is looked for that can authenticate a user from the current request with the required roles. This lookup proceeds in the reverse order of the URL traversal.

Thus, unless you have given your object unreasonable roles (usually you protect by a permission which is then mapped to a set of roles), the authenticated user primarily depends on the authentication information in the request.

In what form the request contains authentication information depends highly on the form of authentication you are using. There are at least two widely used approaches: cookie based authentication and HTTP (basic) authentication. In the first case, the user will appear "anonymous" whenever cookies are disabled.

-- Dieter
To Dennis: I use Zope 2.9.5 final. Is this version concern 2007/3/12, Dieter Maurer <dieter@handshake.de>:
Fuck$%&ing gmail. Sorry all for this stupidity. To Dennis: I use Zope 2.9.5 final. Is this version concerned with this bug? To Dieter: I use the HTTP authentication method (at least I suppose so). I haven't changed anything in the default configuration, nor do I use any cookie, at least. What I wonder is why CrearFuncionalidad works OK but not BorrarFuncionalidad, when both are launched in the same way. Any idea? 2007/3/12, Garito <garito@gmail.com>:
To Dieter: I use the HTTP authentication method (at least I suppose so). I haven't changed anything in the default configuration, nor do I use any cookie, at least.
What do you get when you authenticate: a pop-up window (HTTP authentication) or an HTML form (cookie based authentication)?
What I wonder is why CrearFuncionalidad works OK but not BorrarFuncionalidad, when both are launched in the same way.
In the original thread: http://mail.zope.org/pipermail/zope/2007-March/170794.html
you said:
The question I can't understand is why, when BorrarFuncionalidad asks for a login and password, I put my user that is Manager and Owner but the login doesn't work (it asks again and again)
Both scripts have the same parent and the same security permissions
How are you defining the permissions: by checking the "Acquire permission settings?" checkbox, or are you implicitly defining a role for that permission? In the first case Zope will scan the folder hierarchy till it finds a folder where the permission is defined. In the worst case it will reach the root folder, where the permission must be either enabled or disabled. So it can be that somewhere the "Delete objects" permission was disabled for the "Manager" and "Authenticated" roles. If I were you, I would try to implicitly define the "Delete objects" permission in the folder where you want to delete the objects and see if the problem persists.

In your last reply to the other thread: http://mail.zope.org/pipermail/zope/2007-March/170806.html you asked:
"""
I'm using prototype to launch some actions via AJAX. Could this be the problem? How can I conserve the user who launches the actions between AJAX calls?
"""
I have never used AJAX, so I don't know if the user credentials get lost during the call of your AJAX code. Perhaps other people can help here.

Regards
Josef

Out-topic:
Fuck$%&ing gmail. Sorry all for this stupidity.
Then try to use another newsreader like Thunderbird (multi platform). If you are on Windows you could also try "Outlook Express" as well.
2007/3/12, Josef Meile <jmeile@hotmail.com>:
What do you get when you authenticate: a pop-up window (HTTP authentication) or an HTML form (cookie based authentication)?
Finally, I use the HTTP authentication method (pop-up window).
How are you defining the permissions: by checking the "Acquire permission settings?" checkbox, or are you implicitly defining a role for that permission? In the first case Zope will scan the folder hierarchy till it finds a folder where the permission is defined. In the worst case it will reach the root folder, where the permission must be either enabled or disabled. So it can be that somewhere the "Delete objects" permission was disabled for the "Manager" and "Authenticated" roles. If I were you, I would try to implicitly define the "Delete objects" permission in the folder where you want to delete the objects and see if the problem persists.
I use acquired permissions (I don't touch anything). If Manager couldn't delete objects in this folder, I couldn't delete any object with the ZMI, but I can.
I have never used AJAX, so I don't know if the user credentials get lost during the call of your AJAX code. Perhaps other people can help here.
Then try to use another newsreader like Thunderbird (multi platform). If you are on Windows you could also try "Outlook Express" as well.
Sure. But the real question is: don't use gmail, at least. I tried Google Apps for your domain but this was a big error. I'm in the process of installing a Linux server with all my needs, but I'm a newbie with it. For now I have disabled the hotkeys on gmail to avoid sending unfinished messages (as before). Sorry for the inconvenience (now I need to be subscribed to this list with two accounts because my main one doesn't receive some messages from this list).
Thanks!!!
_______________________________________________
Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
Any idea then? 2007/3/12, Garito <garito@gmail.com>:
2007/3/12, Josef Meile <jmeile@hotmail.com>:
To Dieter: I use HTTP authentication method (at least I suppose that). I don't change anything about the default configuration nor use any cookie at least What you get when you authenticate: a pop-up window (HTTP authentication) or an html form (Cookie based authentication)?
Finally I use HTTP authentication method (pop-up window)
What I wonder is CrearFuncionalidad works ok but not BorrarFuncionalidad
who are launched both in the same way In the original thread: http://mail.zope.org/pipermail/zope/2007-March/170794.html
you said:
The question I can't understand is when BorrarFuncionalidad ask for a login and password I put my user that is manager and owner but the login don't work (it ask again and again)
Both scripts has the same parent and the same security permissions
How are you defining the permissions: by checking the "Acquire permission settings?" checkbox or are you implicit defining a role for that permission? In the first case zope will scan the folder hierarchy till it finds a folder where the permission is defined. In the worst case it will reach the root folder where the permission must be either enabled or disabled. So, it can be that somewhere the "Delete Objects" permission was disabled for the "Manager" and "Authenticated" roles. If I were you, I would try to implicit define the "Delete objects" permission in the folder where you want to delete the objects and see if the problem persists.
I use Acquire permissions (I don't touch anything) If Manager couldn't delete object at this folder I couldn't delete any object with ZMI but I can
In your last reply to the other thread:
http://mail.zope.org/pipermail/zope/2007-March/170806.html
you asked: """ I'm using prototype to launch some actions via AJAX Could be this the problem? How can I conservate the user who launch the actions between AJAX calls?
"""
I have never used AJAX, so, I don't know if the user credentials get lost during the call of your AJAX code. Perhaps other people can help here.
Regards Josef
Out-topic:
Fuck$%&ing gmail Sorry all for this stupidity Then try to use another newsreader like Thunderbird (multi platform). If you are on windows you could also try "Outlook Express" as well.
Sure. But the real question is don't use gmail at least I try Google Apps for your domain but this was a big error I'm in the process to install a linux server with all my needs but I'm newbie with it For now I disable the hotkeys on gmail to avoid to send unconcluded messages (as before) . Sorry for the inconveniences (now I need to be subscribed to this list with two accounts because my main one don't receive some messages from this list
Thanks!!!
_______________________________________________
Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
-- Mis Cosas: http://blogs.sistes.net/Garito
-- Mis Cosas: http://blogs.sistes.net/Garito
Garito wrote at 2007-3-12 19:48 +0100:
... To Dieter: I use the HTTP authentication method (at least I suppose so). I haven't changed anything in the default configuration, nor do I use any cookie, at least.
Meanwhile, I read enough of your messages that I again got the big picture ;-)

As you wrote, you get the authentication dialog (when you try to do a specific action) and, whatever login information you provide, the authentication dialog is repeated again and again. There are several possibilities for this behaviour:

The "specific action" is protected by some roles that the user you try to log in as does not have. Then no user folder would authenticate the user.

The user is defined outside of the scope of your object. In this case, the authentication would succeed (and the "error_log" entry would show you this user) but Zope would nevertheless deny access. This appears not to be the case, as one of your messages indicated "Anonymous User" as the active user.

There really is no user for the given login information.

As you seem to have a big problem, some powerful tool might be necessary to resolve it. I would probably approach it by trying to reproduce the problem in an interactive Python interpreter session. If you have an object "o" with method "meth", then "o.meth__roles__" (for a true method) or "o.meth.__roles__" (for an object acting somewhat as a method) are the roles that protect "meth".

An alternative would be debugging. Some colleagues of mine are using the commercial (!) WingIDE. It allows debugging live Zope instances. These colleagues are quite happy with the tool. Other colleagues are using Eclipse (with a Python plugin). They do not yet know how to debug live Zope instances, but I saw hints on the Plone mailing list that it might be possible. I dislike IDEs and use "import pdb; pdb.set_trace()" for debugging purposes.

-- Dieter
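The lookup Dieter describes in his two replies (roles are taken from the published object, then user folders are consulted from the innermost container outward, so a user whose folder is not on that chain, or who lacks every required role, ends up as Anonymous) and the permission acquisition Josef describes (walk up the folder hierarchy until a folder defines the permission, at worst to the root), as an added example that is not part of the original thread and not Zope's own code. It is a small Python model of both steps run over a constructed folder tree; the folder ids, user names, passwords and which folders carry a user folder are all assumptions chosen for illustration, and acl_users is modelled as a plain dict. The denial text is built in the shape of the verbose Unauthorized message quoted earlier in the thread.

```python
# Added example: a model of how Zope 2 resolves a permission to roles (acquiring
# up the folder hierarchy) and then looks for a user folder that can authenticate
# the request with those roles. Not Zope's code; the folder tree, user names and
# passwords are constructed for illustration and acl_users is modelled as a dict.
import base64

ANONYMOUS_USER = 'Anonymous User'


class Folder:
    def __init__(self, id, parent=None, users=None, permissions=None):
        self.id = id
        self.parent = parent
        self.users = users            # acl_users stand-in: {name: (password, [roles])} or None
        self.permissions = permissions or {}  # {permission: (roles granted here, acquire?)}

    def chain(self):
        """This folder and its containers, innermost first: the reverse of URL
        traversal order, which is the order in which Zope consults user folders."""
        node = self
        while node is not None:
            yield node
            node = node.parent

    def path(self):
        return '/' + '/'.join(reversed([n.id for n in self.chain() if n.id]))


def roles_for_permission(obj, permission):
    """Roles allowed to use `permission` on `obj`: roles granted along the chain,
    walking up while 'Acquire permission settings?' (the default) is on."""
    roles = set()
    for node in obj.chain():
        granted, acquire = node.permissions.get(permission, ((), True))
        roles.update(granted)
        if not acquire:
            break
    return roles


def credentials_from_request(request):
    """(name, password) from an HTTP Basic Authorization header, else None."""
    auth = request.get('Authorization', '')
    if auth[:6].lower() != 'basic ':
        return None
    try:
        name, password = base64.b64decode(auth[6:].strip()).decode('utf-8').split(':', 1)
    except (ValueError, UnicodeDecodeError):  # bad base64 or no ':' separator
        return None
    return name, password


def authenticate(published, request, required_roles):
    """Ask each user folder on the published object's chain, innermost first, to
    validate the request for the required roles. A valid user whose folder is
    not on the chain, or who lacks every required role, comes out as Anonymous."""
    creds = credentials_from_request(request)
    if creds is not None:
        name, password = creds
        for node in published.chain():
            entry = (node.users or {}).get(name)
            if entry is not None:
                stored_password, roles = entry
                if stored_password == password and set(roles) & required_roles:
                    return name, set(roles), node
    return ANONYMOUS_USER, {'Anonymous'}, None


def check_access(published, request, permission, attribute):
    """Allow or deny `attribute` (protected by `permission`) on `published`, and
    phrase the outcome like Zope's verbose Unauthorized message."""
    required = roles_for_permission(published, permission)
    user, roles, defined_in = authenticate(published, request, required)
    allowed = bool(roles & required)
    where = defined_in.path() if defined_in is not None else '(unknown)'
    message = ("Access to '%s' of (Folder at %s) %s. Your user account, %s, exists at %s. "
               "Access requires one of the following roles: %s. Your roles in this context are %s."
               % (attribute, published.path(), 'granted' if allowed else 'denied',
                  user, where, sorted(required), sorted(roles)))
    return allowed, user, message


def build_site():
    """Constructed tree: users at / and /site, a folder that only acquires, and a
    sibling subtree /other whose user folder is not on /site/clientes/Pagina's chain."""
    root = Folder('', users={'admin': ('admin-pw', ['Manager'])},
                  permissions={'Delete objects': (('Manager',), False)})
    site = Folder('site', root, users={'editor': ('editor-pw', ['Manager'])})
    pagina = Folder('Pagina', Folder('clientes', site),
                    permissions={'Delete objects': (('Owner',), True)})
    other = Folder('other', root, users={'outsider': ('outsider-pw', ['Manager'])})
    return {'root': root, 'site': site, 'Pagina': pagina, 'other': other}


def basic_auth(name, password):
    token = base64.b64encode(('%s:%s' % (name, password)).encode('utf-8')).decode('ascii')
    return {'Authorization': 'Basic ' + token}


if __name__ == '__main__':
    tree = build_site()
    for req in ({}, basic_auth('editor', 'editor-pw'), basic_auth('editor', 'wrong'),
                basic_auth('outsider', 'outsider-pw'), basic_auth('admin', 'admin-pw')):
        print(check_access(tree['Pagina'], req, 'Delete objects', 'manage_delObjects')[2])
```

Running the file prints the outcome for five constructed requests against /site/clientes/Pagina: no credentials, the user defined at /site, that user with a wrong password, the user defined in the sibling subtree /other, and the root user. Only the /site and root users are granted; the /other user is valid on /other itself but comes out as Anonymous User on Pagina, because the lookup only walks the containers of the published object and never descends into sibling folders. Turning acquisition off at a folder (as root does here) is also what Josef's suggestion of defining the permission explicitly amounts to: the walk stops there.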
Thanks Dennis! 2007/3/12, Dennis Allison <allison@shasta.stanford.edu>:
On Mon, 12 Mar 2007, Garito wrote:
To Dennis: I use Zope 2.9.5 final. Is this version concern
Reviewing your reposted description of the problem, the patch I sent does not appear applicable.
participants (5): Andreas Jung, Dennis Allison, Dieter Maurer, Garito, Josef Meile