[Zope-dev] Zope logic

Adrian Hungate adrian@haqa.co.uk
Thu, 30 May 2002 19:57:11 +0100


Hmm... being able to acquire the Control_Panel (or anything) and it taking
on the wrong security context was a bug, and AFAIK it has been corrected.

Before I start sounding like I did in a previous thread, I am starting to
have some very serious doubts about the direction Z3 development is heading.
I have been a strong proponent of Zope, in part because of the very features
that people seem to be proudly proclaiming will be removed from, or at best
deprecated in, Z3...

Bottom line, internal bugs to one side, Z2.x works a particular way, and is
documented as doing so. This is a powerful and useful feature, and we are
likely to severely impact the power and process of "Zopeing" by removing it.
If we are still heading for "10x" we should be enhancing those features that
set Zope apart from the competition, not removing features that make it
different.

Just my $0.02

Adrian...

--
Adrian Hungate
EMail: adrian@haqa.co.uk
Web: http://www.haqa.co.uk


----- Original Message -----
From: "Casey Duncan" <casey@zope.com>
To: "Adrian Hungate" <adrian@haqa.co.uk>; "Toby Dickenson"
<tdickenson@geminidataloggers.com>; "Lennart Regebro" <lennart@torped.se>;
"Wei He" <hewei@mail.ied.ac.cn>; <zope-dev@zope.org>
Sent: Thursday, May 30, 2002 6:43 PM
Subject: Re: [Zope-dev] Zope logic


The namespace traversal in Zope 2 severely violates the principle of least
surprise IMO. Although you can use this to clever ends, it opens up many
doors to misuse of a site or even significant security holes.

For instance, it used to be possible to access the Control Panel (and shutdown
Zope) as a user defined in a subfolder of the root who had the local Manager
role, just by forming a URL like:

http://somezope/myfolder/Control_Panel/manage_main

The point is that this grants way too much power to the end user to muck up
the namespaces. It is difficult, if not impossible to design an app in Zope
today that accounts for all possible namespace variations gracefully, since
there are effectively an infinite number of them for every given object in
Zope based on different URLs.

Now I won't argue that implicit acquisition isn't useful. It rules in solving
(and simplifying) problems in creating highly coordinated objects. But, being
an implicit and magical thing, it is better if it is invoked through an
explicit gesture rather than simply being there all the time. Having it
around all the time also makes it easy to use it when it's not the best (or
most robust) solution because it also excels in creating namespace chaos that
is difficult to predict and account for.

This is what Zope3 realizes.

-Casey

On Thursday 30 May 2002 12:42 pm, Adrian Hungate wrote:
> Hmmm... interesting points... However I almost completely disagree.
>
> The only part of URL implicit acquisition that I have a problem with is
> acquiring from outside the VHost, but if you plan properly, you can even
> avoid this.
>
> I have written several sites that use this feature, and I have found no
> significant problems with it, and as for it being a problem for caching
> proxies, many of the objects that get acquired are dynamic, and provide
> different content based on context, so multiple cache entries is the correct
> answer.
>
> Adrian...
>
> --
> Adrian Hungate
> EMail: adrian@haqa.co.uk
> Web: http://www.haqa.co.uk
>
> ----- Original Message -----
> From: "Toby Dickenson" <tdickenson@geminidataloggers.com>
> To: "Lennart Regebro" <lennart@torped.se>; "Wei He" <hewei@mail.ied.ac.cn>;
> <zope-dev@zope.org>
> Sent: Thursday, May 30, 2002 4:07 PM
> Subject: Re: [Zope-dev] Zope logic
>
>
> On Thursday 30 May 2002 10:29 am, Lennart Regebro wrote:
>
> > It not only sounds good, but it is good. No, it is fantastic. Amazing.
> > Totally unbelievingly great! It's one of the best and main features of Zope.
>
> Is anyone relying on your site to provide information? How do you test your
> site to make sure that every possible url (not just the ones you link to)
> does not give out misinformation?
>
> Some specific problems that I have encountered:
>
> 1. Content that crosses between virtual hosts.
>
> If two different virtual hosts come from the same zope then it is possible to
> construct a URL so that content from one site appears under the hostname (and
> https certificate!) of another.
>
> 2. A page that uses a mix of context and containment
>
> If a page is built up with some content found from its context, and other
> content from containment, then it is possible to construct a URL so that
> apparently related information comes from unrelated objects.  Imagine a
> medical imaging database, where it was possible for a page to display the
> wrong patient name above an image.
>
>
> My conclusions are:
>
> a. implicit acquisition is dangerous
>
> b. acquisition that searches outside the containment hierarchy is evil.
>
>
> I'm not keeping up with Zope 3 development..... how does Zope 3 handle
> acquisition?
>
>
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
>
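
Added example, not part of the original thread and not Zope's own code: a simplified Python model of the URL traversal discussed above, showing why `/myfolder/Control_Panel` resolves to the root's Control Panel and how collecting local roles along the URL (context) chain differs from collecting them along the containment chain. All class and function names are hypothetical, and the object tree and the user `alice` are constructed.

```python
# Toy model of implicit acquisition during URL traversal (constructed; not Zope code).
class Node:
    def __init__(self, name, container=None, local_roles=None):
        self.name = name
        self.container = container            # true containment parent
        self.children = {}
        self.local_roles = local_roles or {}  # user -> set of role names
        if container is not None:
            container.children[name] = self

class Wrapped:
    """An object together with the context (URL path) it was reached through."""
    def __init__(self, obj, context_parent):
        self.obj = obj
        self.context_parent = context_parent  # Wrapped or None

def traverse(root, path):
    """Resolve each URL segment, acquiring it from context parents if not contained."""
    current = Wrapped(root, None)
    for segment in path.strip("/").split("/"):
        scope = current
        while scope is not None and segment not in scope.obj.children:
            scope = scope.context_parent      # implicit acquisition step
        if scope is None:
            raise KeyError(segment)
        current = Wrapped(scope.obj.children[segment], current)
    return current

def roles_via_context(wrapped, user):
    """Local roles gathered along the URL chain: the caller controls this chain."""
    roles = set()
    while wrapped is not None:
        roles |= wrapped.obj.local_roles.get(user, set())
        wrapped = wrapped.context_parent
    return roles

def roles_via_containment(wrapped, user):
    """Local roles gathered only from the object's real containers."""
    roles, node = set(), wrapped.obj
    while node is not None:
        roles |= node.local_roles.get(user, set())
        node = node.container
    return roles

def demo():
    root = Node("root")
    control_panel = Node("Control_Panel", root)
    Node("myfolder", root, {"alice": {"Manager"}})  # Manager only inside myfolder
    target = traverse(root, "/myfolder/Control_Panel")
    return (target.obj is control_panel,
            roles_via_context(target, "alice"),
            roles_via_containment(target, "alice"))
```

`demo()` returns the same Control Panel object in both cases; only the containment-based check leaves `alice` without the Manager role on it.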