Hi, Is it possible for form to have more than one actions? What i have in mind to do is to collect some user info through the form and store them into table at the same time display this info in another form for the user to enter the remaining info and then finaly pass the info into secure form. Any idea on the matter will be appreciated. ===== Hamzat kamaldeen Ishola Dnet Systems Limited 223 Ikorodu Road, Lagos. 234 1 7749381, 234 08033011305 __________________________________________________ Do You Yahoo!? Yahoo! Movies - coverage of the 74th Academy Awards� http://movies.yahoo.com/
On Fri, Mar 22, 2002 at 05:37:23AM -0800, Hamzal Kamal wrote:
Is it possible for form to have more than one actions?
In general - no. With Zope - yes! Use :method in your submit buttons tags. Oleg. -- Oleg Broytmann http://phd.pp.ru/ phd@phd.pp.ru Programmers don't die, they just GOSUB without RETURN.
On Fri, Mar 22, 2002 at 04:54:11PM +0300, Oleg Broytmann wrote:
On Fri, Mar 22, 2002 at 05:37:23AM -0800, Hamzal Kamal wrote:
Is it possible for form to have more than one actions?
In general - no. With Zope - yes! Use :method in your submit buttons tags.
You can use multiple submit buttons in one form, each with a different "name" attribute, and just test for its value in the handler. Works outside of zope, too. But not so elegant. --PW
is it possible to ssh in to zope (or: can anyone suggest how I might configure my server to do this)? thanks, Robert Hood Department of Philosophy Middle Tennessee State University rhood@mtsu.edu
From: "Robert Hood, Ph.D." <rhood@mtsu.edu>
is it possible to ssh in to zope (or: can anyone suggest how I might configure my server to do this)?
Zope doesn't have a command prompt, so I don't understand your question. How do you mean "in to Zope"?
On 22/03/02, 14:10:05, "Lennart Regebro" <lennart@torped.se> wrote regarding Re: [Zope] ssh and zope:
From: "Robert Hood, Ph.D." <rhood@mtsu.edu>
is it possible to ssh in to zope (or: can anyone suggest how I might configure my server to do this)?
Zope doesn't have a command prompt, so I don't understand your question. How do you mean "in to Zope"?
Well, there's zshell but that uses a browser. There are command line webDav clients. Cadaver lets you do a lot of Zope stuff, including editing text files in vi;) from a cli shell. He could ssh in to the zope host and run cadaver locally, for security. -- Bruce
clarification: re: ssh Excuse my stupidity. Maybe I'm asking about sftp access to zope. I've been advised by security people on my campus to shut down normal ftp and telnet access to my server if possible and to use sftp and ssh for access. I currently sometimes ftp things to zope. I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far). Suggestions appreciated. Robert Hood Department of Philosophy Middle Tennessee State University rhood@mtsu.edu
On Fri, Mar 22, 2002 at 09:09:31AM -0600, Robert Hood, Ph.D. wrote:
I've been advised by security people on my campus to shut down normal ftp and telnet access to my server if possible and to use sftp and ssh for access. I currently sometimes ftp things to zope.
One solution would be (this assumes that your Zope server runs on some sort of Unix variant) to: 1) have ZServer listen only on the localhost interface (named lo, address 127.0.0.1) 2) get an SSH client on your desktop computer that does port forwarding. Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/) works fine for Windows in that regard. This would allow you to set up an encrypted tunnel between your desktop computer and the Zope server's FTP port (or HTTP port, or Webdav port, whatever). 3) You'd then point your ftp client to the port on your desktop computer that is on one end of the tunnel, and you'd be automatically connected to the server port that's not otherwise exposed to the outside world. 4) Since your Zope ports are no longer directly exposed to the outside world, you'll have to put Apache, Squid, or some other proxy-capable server on your publicly-available port 80. You may have already done this for other reasons, though.
I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
As an aside, your security-conscious (or security-paranoid) coworkers don't care whether or not you have national-security information on the server. I'm one of their security-paranoid counterparts up the road, and if they're anything like me, their concerns include: - the possibility that someone's cleartext password would be sniffed in a lab, from offsite, or wherever. If someone used the same password on their FTP server and on their main email account (or worse, their account that gets them into the student records system), there's a potentially big compromise there. Maybe the FTP server only has your account on it, but they don't know that. Maybe you use different passwords there and other place, but they don't know that either. And they're not likely to maintain a list of low-account-number, properly-differently-passworded FTP servers that they don't control. - the possibility for a poorly-written FTP server to be used in bounce attacks on other hosts. No, Zope's FTP server isn't a candidate for that right now. However, they're not going to keep a list that says "oh, *that* FTP server's for Bob's Zope site (running Zope 2.foo.bar). That version's 100% secure, so let it run". -- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
On Fri, 22 Mar 2002 09:09:31 -0600 (CST) "Robert Hood, Ph.D." <rhood@mtsu.edu> wrote:
clarification: re: ssh
Excuse my stupidity. Maybe I'm asking about sftp access to zope.
I've been advised by security people on my campus to shut down normal ftp and telnet access to my server if possible and to use sftp and ssh for access. I currently sometimes ftp things to zope. I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
Suggestions appreciated.
Robert: Secure Zope connections have been exercising us of late too. You should find some pointers in http://www.zope.org/Members/glpb/dwhowto This doesn't directly solve your ftp security problem - but see the links after the "Useful to know" bit. The overall recipe does offer an alternative way of keeping your security people happy, however. Paul -- The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK E-mail: paul.browning@bristol.ac.uk URL: http://www.bris.ac.uk/
On Fri, 22 Mar 2002 09:09:31 -0600 (CST), "Robert Hood, Ph.D." <rhood@mtsu.edu> wrote:
and to use sftp and ssh for access.
That makes sense.
I currently sometimes ftp things to zope. I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard (and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
The risk is that your zope password is transmitted in the clear across your network. I dont think their requests is unreasonable. Anyone with physical access to your network can break into your zope server. If you accidentally type a password for a different system into the zope ftp prompt, then that can break into that other system too. The same is true of authentication over http too; I guess this hasnt hit your security people's radar yet.
Suggestions appreciated.
Use a secure method to copy files across the network onto the zope machine; scp is ok, but a network filesystem may be easier. Then use ssh to log on to that machine, and use a local ftp to transfer things into zope. There is no security problem with ftp that does not cross a network. Toby Dickenson tdickenson@geminidataloggers.com
thanks for all the information re: ssh / sftp. I didn't mean to sound resentful about the security requests. I'm switching over to linux (currently my server is NT) to improve security. (among other things). And a colleague's academic server at another school got hacked into recently, which has really perked up my ears. again, thanks for the advice (and any additional advice). Robert Hood Department of Philosophy Middle Tennessee State University rhood@mtsu.edu
On Fri, 2002-03-22 at 17:12, Robert Hood, Ph.D. wrote:
thanks for all the information re: ssh / sftp.
I didn't mean to sound resentful about the security requests. I'm switching over to linux (currently my server is NT) to improve security. (among other things). And a colleague's academic server at another school got hacked into recently, which has really perked up my ears.
Ahh, security. I have to enforce security in over 600 locations. That's a lot of people that think of me as the "technology taxman". Oh well, never thought I would win any popularity contests!
again, thanks for the advice (and any additional advice).
Another solution that I did not see mentioned earlier. Has a dependency: 1) Use apache, with mod_dav reverse-proxied to the DAV port of Zope 2) SSL-enable apache 3) use cadaver as "ftp-like" client, with SSL enabled This (to me at least) looks the cleanest, as each technology is being used as intended -;^>= I'm doing it on my machine at home just to see what it takes to get going, and it really was not that bad... -- Mitch Pirtle Corporate Security Officer Kühne & Nagel Management AG Tel: +41 1 786 96 45 Fax: +41 1 786 95 95
From: "Robert Hood, Ph.D." <rhood@mtsu.edu>
I've been advised by security people on my campus to shut down normal ftp and telnet access to my server if possible and to use sftp and ssh for access.
Ah, yes, that is something you are well adviced to do. However, ftp access to Zope is not "normal" ftp access. :-)
I currently sometimes ftp things to zope. I do not have any packages installed that give zope file system access, so I don't really think zope's ftp port would be a security hazard
Quite correct.
(and my own view is that my machine does not have any national security type stuff on it, so that this request may be going a bit far).
Oh, hackers gaining access to secret data is not a very big security problem. The problems are that they use your machine to make attacks on other machines, spread copyrighted data, send spam e-mails, and so on.
Suggestions appreciated.
I'm sure it is possible to implement sftp too, but I would think it is quite a lot of work, for very little gain, so probably you have to do it yourself... Oh, and you can run the ftp on a non-standard port, and your security people probably won't find it. :-)
On Fri, 22 Mar 2002, Bruce Richardson wrote:
Well, there's zshell but that uses a browser.
You can also use ZShell from your favorite shell using Andy McKay's ZShellCLI. This needs more work, especially most of the ZShell commands don't output anything when successful to better mimic the Unix commands, so ZShellCLI is not very verbose when commands ran OK, but it can be used this way. ZShellCLI is now part of ZShell. The soon-to-be-released next version of ZShell will feature improvements wrt ZShellCLI interaction, as well as an impressing preliminary support for ZShell variables useable like the Unix shell ones (e.g. $0 ... $n, $PATH, etc...) I originally planned to release a new version because I've modified the license again : since the ZPL is compatible with the GPL now, ZShell's new license is pure GPL. bye, Jerome Alet
On Fri, 22 Mar 2002 05:37:23 -0800 (PST) "Hamzal Kamal" <k_hamzat@yahoo.com> wrote:
What i have in mind to do is to collect some user info through the form and store them into table at the same time display this info in another form for the user to enter the remaining info and then finaly pass the info into secure form.
you can simply call a dtml-method (or whatever you want) before you display the second form... so your second form should be: <dtml-call storeDataIntoYourTableMethod> <form ...> ... </form> greetings, maik. -- maik jablonski visit www.zope.org, universitaet bielefeld LET'S GET ZOPED!!!! zentrum fuer lehrerbildung didaktik des sachunterrichts postfach 10 01 31 33501 bielefeld germany tel: + 49 (0) 521 106 4234 http://www.zfl.uni-bielefeld.de/ http://www.sachunterricht-online.de/
Hamzal, I think what you mean is you want to have an action that store some info and also displays it. You can use <dtml-call insertZSQLMethod> to insert data into a table as a "side effect" of displaying the data. Then use <dtml-var ....> to display the data that was inserted on the same page. Is that what you mean? -steve On Friday, March 22, 2002, at 08:37 AM, Hamzal Kamal wrote:
Hi,
Is it possible for form to have more than one actions?
What i have in mind to do is to collect some user info through the form and store them into table at the same time display this info in another form for the user to enter the remaining info and then finaly pass the info into secure form.
Any idea on the matter will be appreciated.
===== Hamzat kamaldeen Ishola Dnet Systems Limited 223 Ikorodu Road, Lagos. 234 1 7749381, 234 08033011305
__________________________________________________ Do You Yahoo!? Yahoo! Movies - coverage of the 74th Academy AwardsÆ http://movies.yahoo.com/
From: "Hamzal Kamal" <k_hamzat@yahoo.com>
Is it possible for form to have more than one actions?
Yes, you can append ":method" to the submit buttons and you will call methods instead. So a form with action foo and a button "bar:method" will result in the method bar() of the foo object being called.
participants (13)
-
Bruce Richardson -
Hamzal Kamal -
Jerome Alet -
Lennart Regebro -
Maik Jablonski -
Mike Renfro -
Mitch Pirtle -
Oleg Broytmann -
Paul Browning -
Paul Winkler -
Robert Hood, Ph.D. -
Steve Spicklemire -
Toby Dickenson