Test

From girtsk at latnet.lv Mon Sep 8 02:37:38 2003 From: girtsk at latnet.lv (G'irts Kalnins) Date: Sun, 07 Sep 2003 19:37:38 +0300 (EEST) Subject: [albatross-users] some live samples offline Message-ID: <1062952658.3f5b5ed22ec55@clients.latnet.lv> HTTP 500 : Internal Server Error http://www.object-craft.com.au/cgi-bin/alsamp/form2/form.py From djc at object-craft.com.au Mon Sep 8 10:18:22 2003 From: djc at object-craft.com.au (Dave Cole) Date: 08 Sep 2003 10:18:22 +1000 Subject: [albatross-users] some live samples offline In-Reply-To: <1062952658.3f5b5ed22ec55@clients.latnet.lv> References: <1062952658.3f5b5ed22ec55@clients.latnet.lv> Message-ID: >>>>> "G'irts" == G'irts Kalnins writes: G'irts> HTTP 500 : Internal Server Error G'irts> http://www.object-craft.com.au/cgi-bin/alsamp/form2/form.py Should be fixed now. Thanks. - Dave -- http://www.object-craft.com.au From esj at harvee.org Thu Sep 11 09:36:27 2003 From: esj at harvee.org (Eric S. Johansson) Date: Wed, 10 Sep 2003 19:36:27 -0400 Subject: [albatross-users] can't figure out why it's flipping me the bird Message-ID: <3F5FB57B.9010107@harvee.org> started on another CGI script. Obviously my knowledge is better and it went much faster than the traditional naked python CGI but I'm still hitting a bit of a roadblock. In the spamtrap viewer I have a fragment of nicely working albatross that looks like:

so now, in the configuration editing tool I have a similar problem (multiple data elements of similar structure) so I figured I would use a similar structure:

but all it does is give me... ApplicationError: al-input "albatross_token" not defined as "list" I'm confused. Is there an option I'm forgetting to set? The only reason I'm trying to set the name is so I can identify each field and determine whether or not has changed from the previous value so I will know whether to write it out or not. Looking forward to clarity and understanding, thanks ---eric From matt at pollenation.net Thu Sep 11 10:08:29 2003 From: matt at pollenation.net (Matt Goodall) Date: Thu, 11 Sep 2003 01:08:29 +0100 Subject: [albatross-users] can't figure out why it's flipping me the bird In-Reply-To: <3F5FB57B.9010107@harvee.org> References: <3F5FB57B.9010107@harvee.org> Message-ID: <1063238908.2034.17.camel@debian> On Thu, 2003-09-11 at 00:36, Eric S. Johansson wrote: > started on another CGI script. Obviously my knowledge is better and it went > much faster than the traditional naked python CGI but I'm still hitting a bit of > a roadblock. In the spamtrap viewer I have a fragment of nicely working > albatross that looks like: > > > > > > > > > valueexpr="line.value().token" list onclick="CCA(this,'mystery');DownHalt();" > > > > > so now, in the configuration editing tool I have a similar problem (multiple > data elements of similar structure) so I figured I would use a similar structure: > > > valueexpr="line.value().variable"> > > but all it does is give me... > > ApplicationError: al-input "albatross_token" not defined as "list" > > I'm confused. Is there an option I'm forgetting to set? The error means that you have multiple al-input fields with the same name, "albatross_token". There are two ways to fix that, depending on what you are trying to do: 1. Add a 'list' attribute to the al-input element to allow more than one al-input with the same name. The name will always be the string "albatross_token". 2. Use a 'nameexpr' attribute rather than 'name' so that each al-input has a different name. The name of the al-input will be the current value of the albatross_token variable. > > The only reason I'm trying to set the name is so I can identify each field and > determine whether or not has changed from the previous value so I will know > whether to write it out or not. OK, I think you want 2 - use a 'nameexpr' attribute. Cheers, Matt -- Matt Goodall From esj at harvee.org Thu Sep 11 10:14:04 2003 From: esj at harvee.org (Eric S. Johansson) Date: Wed, 10 Sep 2003 20:14:04 -0400 Subject: [albatross-users] can't figure out why it's flipping me the bird In-Reply-To: <1063238908.2034.17.camel@debian> References: <3F5FB57B.9010107@harvee.org> <1063238908.2034.17.camel@debian> Message-ID: <3F5FBE4C.7020608@harvee.org> Matt Goodall explained: > > The error means that you have multiple al-input fields with the same > name, "albatross_token". There are two ways to fix that, depending on > what you are trying to do: > > 1. Add a 'list' attribute to the al-input element to allow more than one > al-input with the same name. The name will always be the string > "albatross_token". > 2. Use a 'nameexpr' attribute rather than 'name' so that each al-input > has a different name. The name of the al-input will be the current value > of the albatross_token variable. > > >>The only reason I'm trying to set the name is so I can identify each field and >>determine whether or not has changed from the previous value so I will know >>whether to write it out or not. > > > OK, I think you want 2 - use a 'nameexpr' attribute. > I'm doubly confused them. In my first example you'll notice that I set the value of albatross_token before using any input statement. In that example, each name is set to the value of albatross_token. I'm trying to do the same thing in the second example. As you'll see, I'm setting the value with a al-exec expr... statement. I did try the nameexpr version but you notice that I also have a valueexpr to set the value of each input. If I use nameexpr then I cannot use valueexpr. So, how do I set the name and the value fields in each input? (This really should not be this hard although I know it is for many systems like albatross) ---eric From matt at pollenation.net Thu Sep 11 18:34:43 2003 From: matt at pollenation.net (Matt Goodall) Date: 11 Sep 2003 09:34:43 +0100 Subject: [albatross-users] can't figure out why it's flipping me the bird In-Reply-To: <3F5FBE4C.7020608@harvee.org> References: <3F5FB57B.9010107@harvee.org> <1063238908.2034.17.camel@debian> <3F5FBE4C.7020608@harvee.org> Message-ID: <1063269282.15471.56.camel@localhost> On Thu, 2003-09-11 at 01:14, Eric S. Johansson wrote: > Matt Goodall explained: > > > > > The error means that you have multiple al-input fields with the same > > name, "albatross_token". There are two ways to fix that, depending on > > what you are trying to do: > > > > 1. Add a 'list' attribute to the al-input element to allow more than one > > al-input with the same name. The name will always be the string > > "albatross_token". > > 2. Use a 'nameexpr' attribute rather than 'name' so that each al-input > > has a different name. The name of the al-input will be the current value > > of the albatross_token variable. > > > > > >>The only reason I'm trying to set the name is so I can identify each field and > >>determine whether or not has changed from the previous value so I will know > >>whether to write it out or not. > > > > > > OK, I think you want 2 - use a 'nameexpr' attribute. > > > > > I'm doubly confused them. Oops, sorry ;-) > In my first example Here it is again for reference:

> you'll notice that I set the > value of albatross_token before using any input statement. Yes, the albatross_token variable will be either the string 'off' or the value of line.value().token. > In that example, each name is set to the value of albatross_token. The wording in your sentence is a bit ambiguous so just to clarify ... the name of all checkbox fields will be 'albatross_token', i.e. in the HTML each checkbox will have a name="albatross_token" attribute. Erm, I just noticed something. Unless I'm missing something obvious (which is quite possible!) the albatross_token variable in your example is set but never actually used. > I'm trying to do the same > thing in the second example. As you'll see, I'm setting the value with a > al-exec expr... statement. I did try the nameexpr version but you notice that I > also have a valueexpr to set the value of each input. If I use nameexpr then I > cannot use valueexpr. I only just realised this myself but, according to the documentation, the valueexpr attribute will be ignored for type="text" inputs. The value is taken from ctx.locals. > So, how do I set the name and the value fields in each input? Use nameexpr to give each al-input a unique name and put the values of the data in ctx.locals. Something like the following untested code should work: # Some data to use data = [ {'token': 'a', 'value': 1}, {'token': 'b', 'value': 2}, ] # Build a list of tokens ctx.locals.tokens = [line['token'] for line in data] # Publish the token values to ctx.locals for line in data: setattr(ctx.locals, line['token'], line['value'])

Of course, there may be a much better way of doing this. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 From neel at mediapulse.com Thu Sep 11 23:49:57 2003 From: neel at mediapulse.com (Michael C. Neel) Date: Thu, 11 Sep 2003 09:49:57 -0400 Subject: [albatross-users] can't figure out why it's flipping me the bird Message-ID: In your al-input you have the "list" attrib set: > valueexpr="line.value().token" list > onclick="CCA(this,'mystery');DownHalt();" > > but you set it as a string here: > > > > > The "list" attrib tell albatross that the varible should be created as a list; shorthand for:

In your example, albtross_token is a string, but then later it's refered to as a list which I think is what is causing the error. Mike From esj at harvee.org Fri Sep 12 02:17:28 2003 From: esj at harvee.org (Eric S. Johansson) Date: Thu, 11 Sep 2003 12:17:28 -0400 Subject: [albatross-users] can't figure out why it's flipping me the bird In-Reply-To: <1063269282.15471.56.camel@localhost> References: <3F5FB57B.9010107@harvee.org> <1063238908.2034.17.camel@debian> <3F5FBE4C.7020608@harvee.org> <1063269282.15471.56.camel@localhost> Message-ID: <3F60A018.8080400@harvee.org> Matt Goodall explained: > The wording in your sentence is a bit ambiguous so just to clarify ... > the name of all checkbox fields will be 'albatross_token', i.e. in the > HTML each checkbox will have a name="albatross_token" attribute. > > Erm, I just noticed something. Unless I'm missing something obvious > (which is quite possible!) the albatross_token variable in your example > is set but never actually used. you are quite right. I managed to code around the problem without being fully cognizant of it. I must admit, this has had me sitting back here in my chair blinking little bit. I guess I don't understand albatross as well as I thought I did. I would be interested in hearing the theory behind this behavior with name and value. It's another cognitive clash. > I only just realised this myself but, according to the documentation, > the valueexpr attribute will be ignored for type="text" inputs. The > value is taken from ctx.locals. ahh the dreaded context.locals... following your example, I created the following: for line in display_list: field_value = line.variable if line.variable == "None": field_value = "" setattr(context.locals,line.field_name, field_value) display_list is a list of objects containing attributes which contain the actual values I want to use in the albatross code. I need to strip out the string "None" and replace it with a blank line when it is displayed in the form. and albatross I just use the normal: and since field name resolves to a context.locals attribute, everything works and the value is set to the value of the action viewed just as it should. now one of the hazards of this technique is if one of the fields match another variable that is a part of context.locals. It also makes it difficult to actually index through the list although I'm sure I'll find a pythonism to make it possible. Fortunately this wasn't as ugly as I feared, merely obtuse. > Of course, there may be a much better way of doing this. blood taste salty... ---eric From esj at harvee.org Fri Sep 12 02:50:45 2003 From: esj at harvee.org (Eric S. Johansson) Date: Thu, 11 Sep 2003 12:50:45 -0400 Subject: [albatross-users] can't figure out why it's flipping me the bird In-Reply-To: <1063269282.15471.56.camel@localhost> References: <3F5FB57B.9010107@harvee.org> <1063238908.2034.17.camel@debian> <3F5FBE4C.7020608@harvee.org> <1063269282.15471.56.camel@localhost> Message-ID: <3F60A7E5.7080609@harvee.org> Matt Goodall explained: > Of course, there may be a much better way of doing this. just thought of one. Add namedirect and valuedirect to the system which lets you add literal names and values to the HTML. Values are returned from the input field in the same storage element they were originally presented in. So if the value is defined as line.value().xyzzy for input, that is the same storage element used to return a value. clear as mud? ---eric From sheila at thinkspot.net Fri Sep 12 15:27:14 2003 From: sheila at thinkspot.net (Sheila King) Date: Thu, 11 Sep 2003 22:27:14 -0700 Subject: [albatross-users] Duplicate cookie mystery solved??? Message-ID: <200892938.1063319234@localhost> OK, I think I have figured out the situation with this duplicate cookie scenario that I've mentioned more than once on this list. I am using random modular apps with sessionfile sessions. I have applied Matt Goodall's patch to specifically set the cookie path. Here is what is happening... Let's say the full URL to my app is http://example.com/cgi-bin/myapp.py and that the start page is "login" But being the lazy butt that I am, when I go to my app for the first time, I don't feel like typing the long version of the URL with the page name appended. I know that it will automatically redirect me to the proper start page. So I simply enter this: http://example.com/cgi-bin/myapp.py Which sets a cookie with this path: /cgi-bin/ Albatross now redirects to the start page URL as follows: http://example.com/cgi-bin/myapp.py/login which now sets a new cookie with this path: /cgi-bin/myapp.py/ Thus, two cookies have been set with slightly different paths. If the app never throws an unhandled exception, no problem. But if it does, the cookie with the shorter path causes a problem. I can resolve this situation one of two ways: I can either delete from my browser the cookie with the shorter path. Or, else I can type in the original, shorter URL that I had initially started from, and then be redirected to the full start page URL and things will proceed normally from there. It seems to me, that if the original cookie path were not set to that short version, but were always set to the longer verion ending in /myapp.py/ that this would resolve the issue. ??? Does this make sense? -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From matt at pollenation.net Fri Sep 12 19:43:15 2003 From: matt at pollenation.net (Matt Goodall) Date: 12 Sep 2003 10:43:15 +0100 Subject: [albatross-users] Duplicate cookie mystery solved??? In-Reply-To: <200892938.1063319234@localhost> References: <200892938.1063319234@localhost> Message-ID: <1063359794.15789.97.camel@localhost> On Fri, 2003-09-12 at 06:27, Sheila King wrote: > OK, I think I have figured out the situation with this duplicate cookie > scenario that I've mentioned more than once on this list. > > I am using random modular apps with sessionfile sessions. > > I have applied Matt Goodall's patch to specifically set the cookie path. > > Here is what is happening... > > Let's say the full URL to my app is > > http://example.com/cgi-bin/myapp.py > > and that the start page is "login" > > But being the lazy butt that I am, when I go to my app for the first time, > I don't feel like typing the long version of the URL with the page name > appended. I know that it will automatically redirect me to the proper start > page. So I simply enter this: > > http://example.com/cgi-bin/myapp.py > > Which sets a cookie with this path: > > /cgi-bin/ [snip] > It seems to me, that if the original cookie path were not set to that short > version, but were always set to the longer verion ending in > /myapp.py/ > > that this would resolve the issue. Well, that's what the patch was supposed to do but it needs to build an absolute url path similar to AppContext.redirect_url() to work correctly. Thanks for looking into this Sheila. I will send another message after this with a patch, just to make sure Dave spots it more easily. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 From matt at pollenation.net Fri Sep 12 20:03:27 2003 From: matt at pollenation.net (Matt Goodall) Date: 12 Sep 2003 11:03:27 +0100 Subject: [albatross-users] [patch] set cookie path Message-ID: <1063361006.16268.122.camel@localhost> Hi, Attached is patch (against 1.10) which fixes the multiple cookie (incorrect cookie paths) problem that Sheila highlighted. The patch contains the following changes: * Extracted most of AppContext.redirect_url() to a new method, AppContext.absolute_base_url() * Changed session.py and sessionfile.py to use the result of new method to calculate the path. I've done some tests and things still seem to be working ok but please review the change. Hope this is ok. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 -------------- next part -------------- A non-text attachment was scrubbed... Name: setcookiepath.patch Type: text/x-patch Size: 2040 bytes Desc: not available URL: From matt at pollenation.net Fri Sep 12 20:04:05 2003 From: matt at pollenation.net (Matt Goodall) Date: 12 Sep 2003 11:04:05 +0100 Subject: [albatross-users] New release? Message-ID: <1063361045.14194.124.camel@localhost> Dave, Any chance of a new release soon or at least a snapshot of your source? It's getter harder and harder to send patches as my code base gets more and more out of sync with 1.10. I had to manually edit the patch I just sent (produced by Subversion) to remove other changes to these files, app.py in particular. Thanks, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 From esj at harvee.org Sat Sep 13 00:38:34 2003 From: esj at harvee.org (Eric S. Johansson) Date: Fri, 12 Sep 2003 10:38:34 -0400 Subject: [albatross-users] tamper-resistant authentication code Message-ID: <3F61DA6A.1000701@harvee.org> this is a very rough cut on authentication code for Web services. I followed the model set down by some folks at MIT (see URL and comments)after taking the time to understand the security model so I'm confident that it is a a correct implementation and will withstand all of the attacks discussed in the paper. it will also be vulnerable to the problems discussed in the paper too. ;-) I kept this object as simple as possible to make it easier to validate. There are four functions, initialization, new, validate, and check authentication. object initialization just stores the secret key and the duration of validity for any authentication token. I chose to store these components at this time because they are common to all of the interfaces. The new creates a new token and has the option of adding some authentication specific information to the token and changing the duration. Just occurred to me that I did not put in any method for retrieving the data. Next revision. validate takes a returned authentication token and return the Boolean as to whether or not the token is valid. Alternatively, if people prefer, I could throw an exception on the two different types but I see that is being needlessly complicated. The last routine, check authentication, looks within the albatross context for an authentication variable and depending on its presence and validation, will either return the Login HTML reference or an application HTML reference. I'm just starting to think about integration with albatross. Since I don't know the code base very well, I would ask for advice on how to integrate or whether or not I should. For example, if I'm not going to integrate directly into the code base but maintain this separately I might derive a new object from the base authentication object to do the albatross specific magic in. what say you? ---eric -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: login.py URL: From tchur at optushome.com.au Sat Sep 13 07:03:07 2003 From: tchur at optushome.com.au (Tim Churches) Date: 13 Sep 2003 07:03:07 +1000 Subject: [albatross-users] tamper-resistant authentication code In-Reply-To: <3F61DA6A.1000701@harvee.org> References: <3F61DA6A.1000701@harvee.org> Message-ID: <1063400587.1187.5.camel@emilio> On Sat, 2003-09-13 at 00:38, Eric S. Johansson wrote: > this is a very rough cut on authentication code for Web services. I followed > the model set down by some folks at MIT (see URL and comments)after taking the > time to understand the security model so I'm confident that it is a a correct > implementation and will withstand all of the attacks discussed in the paper. it > will also be vulnerable to the problems discussed in the paper too. ;-) > # from: "dos and don'ts of client authentication on the Web" > http://cookies.lcs.mit.edu > I think this is a really excellent initiative. Earlier this year I pointed Dave and Andrew (of Object-Craft) at a Web app security checklist published by MIT (a different one, but I can't find the URL now). They indicated an intention to work through the checklist and close any remaining theoretical vulnerabilities in the various Albatross app models. -- Tim C PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere or at http://members.optushome.com.au/tchur/pubkey.asc Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From esj at harvee.org Sat Sep 13 08:23:39 2003 From: esj at harvee.org (Eric S. Johansson) Date: Fri, 12 Sep 2003 18:23:39 -0400 Subject: [albatross-users] tamper-resistant authentication code In-Reply-To: <1063400587.1187.5.camel@emilio> References: <3F61DA6A.1000701@harvee.org> <1063400587.1187.5.camel@emilio> Message-ID: <3F62476B.2050608@harvee.org> Tim Churches explained: > I think this is a really excellent initiative. Earlier this year I > pointed Dave and Andrew (of Object-Craft) at a Web app security > checklist published by MIT (a different one, but I can't find the URL > now). They indicated an intention to work through the checklist and > close any remaining theoretical vulnerabilities in the various Albatross > app models. unfortunately, I've run into a bit of a stumbling block. It turns out that pwd.getpwnam won't work for beans on a Linux system with shadow passwords. I've posted on the Python newsgroup about this problem but I suspect I'm facing having to create a whole separate password database and management tool kit. You have no idea how unhappy this makes me. On the other hand, I could be forced to use sasl which is a nightmare and a half. I'm hoping the mythical sasl3 will be a simplificationbut it's probably more like a tax code (i.e. everything is added, nothing removed) ---eric From matt at pollenation.net Sat Sep 13 09:06:52 2003 From: matt at pollenation.net (Matt Goodall) Date: 13 Sep 2003 00:06:52 +0100 Subject: [albatross-users] tamper-resistant authentication code In-Reply-To: <3F62476B.2050608@harvee.org> References: <3F61DA6A.1000701@harvee.org> <1063400587.1187.5.camel@emilio> <3F62476B.2050608@harvee.org> Message-ID: <1063408012.25985.9.camel@localhost> On Fri, 2003-09-12 at 23:23, Eric S. Johansson wrote: > It turns out that pwd.getpwnam won't work for beans on a Linux system with shadow passwords. I had a similar problem a few years ago when trying to authenticate Zope users against the Linux password database. In the end I created a horrific hack and wrote a suid root script to do the password check ;-). Is there a Python PAM module that you could use? Would it be any better than SASL? - Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 From sheila at thinkspot.net Sat Sep 13 09:18:40 2003 From: sheila at thinkspot.net (Sheila King) Date: Fri, 12 Sep 2003 16:18:40 -0700 Subject: [albatross-users] Confused over name spaces Message-ID: <3387901.1063383520@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> Name spaces seem to be one of the most confusing things for me in using Albatross. Mind you, I've found some work arounds for the issue I'm about to present, but they seemed particularly inelegant to me and I did not like them. I do not see why the following code produces an error. :\ Here is the template file: ---------(begin test.html)--------------

Test

---------(end test.html)---------------- Here is the page module: ---------(begin test.py)---------------- import time def page_process(ctx): pass def page_display(ctx): ctx.run_template("test.html") ----------(end test.py)----------------- Here is the essential error message (much traceback removed): File "./blog/test.html", line 6, in al-value NameError: name 'now' is not defined I'm just wondering why, when I have define "now" one tag prior to invoking it, that Albatross claims to have no idea what "now" is when I invoke it on line 6 of the template file. This example from the documentation http://object-craft.com.au/projects/albatross/albatross/tag-exec-expr.html certainly leads me to think I should be able to do this. In the linked example, "results" is a list defined in an al-exec tag, and then immediately following is an al-for tag that uses "results". The only way around this type of thing that I have seen, is to define the desired value (in my example this would be the value "now") within the page module, such as ctx.locals.now = time.localtime() However, I don't want to do this because I am planning on using a particular macro repeatedly wherever I like, and I don't want to have to set the values in each page module before calling this macro. I want the macro to handle it for me. Any ideas? -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From matt at pollenation.net Sat Sep 13 09:55:11 2003 From: matt at pollenation.net (Matt Goodall) Date: 13 Sep 2003 00:55:11 +0100 Subject: [albatross-users] Confused over name spaces In-Reply-To: <3387901.1063383520@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> References: <3387901.1063383520@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> Message-ID: <1063410911.25985.20.camel@localhost> On Sat, 2003-09-13 at 00:18, Sheila King wrote: > > now = time.localtime() > """ /> > > > > Assuming it's not a typo, you only need one lot of " around the al-exec expr, i.e. I'm not sure what """ would do. I'm kind of surprised that doesn't raise an error. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenation.net e: matt at pollenation.net t: +44 (0)113 2252500 From sheila at thinkspot.net Sat Sep 13 10:04:38 2003 From: sheila at thinkspot.net (Sheila King) Date: Fri, 12 Sep 2003 17:04:38 -0700 Subject: [albatross-users] Confused over name spaces In-Reply-To: <1063410911.25985.20.camel@localhost> References: <3387901.1063383520@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> <1063410911.25985.20.camel@localhost> Message-ID: <6145406.1063386277@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> --On Saturday, September 13, 2003 12:55 AM +0100 Matt Goodall wrote: > On Sat, 2003-09-13 at 00:18, Sheila King wrote: >> >> > now = time.localtime() >> """ /> >> >> >> >> > > Assuming it's not a typo, you only need one lot of " around the al-exec > expr, i.e. > > > > I'm not sure what """ would do. I'm kind of surprised that doesn't raise > an error. > > Cheers, Matt Well, and what do you know...Matt is right. It's the triple quotes. Change them to single and it works. Hmmm. I could swear I've had this issue before, but I cannot recollect whether I was using the single or triple quotes. I will have to go back and check my old code and see if that is what my problem was. sheesh. stupid. Thanks, Matt. :) -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From sheila at thinkspot.net Sat Sep 13 17:08:42 2003 From: sheila at thinkspot.net (Sheila King) Date: Sat, 13 Sep 2003 00:08:42 -0700 Subject: [albatross-users] New wiki example: Calendar Message-ID: <293381670.1063411722@localhost> Just for grins and giggles, and hopefully to help out some future learner of Albatross, I added an example of my own to the Wiki: http://object-craft.com.au/projects/albatross/wiki/SimpleCalendar -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From andrewm at object-craft.com.au Mon Sep 15 13:53:51 2003 From: andrewm at object-craft.com.au (Andrew McNamara) Date: Mon, 15 Sep 2003 13:53:51 +1000 Subject: [albatross-users] tamper-resistant authentication code In-Reply-To: Message from Matt Goodall of "13 Sep 2003 00:06:52 +0100." <1063408012.25985.9.camel@localhost> References: <3F61DA6A.1000701@harvee.org> <1063400587.1187.5.camel@emilio> <3F62476B.2050608@harvee.org> <1063408012.25985.9.camel@localhost> Message-ID: <20030915035351.5B0983CA33@coffee.object-craft.com.au> >> It turns out that pwd.getpwnam won't work for beans on a Linux system >> with shadow passwords. > >I had a similar problem a few years ago when trying to authenticate Zope >users against the Linux password database. In the end I created a >horrific hack and wrote a suid root script to do the password check ;-). I had to do a similar thing with one of our Albatross projects - a setuid root C helper that the cgi spoke to to authenticate users. In the past, I've also had to do similar things for password changing. I wouldn't recommend coding the helper in a scripting language - there are too many gotchyas. I probably should review the code for missed security vulernabilities and post it somewhere. It's always made me nervous, since anything like this weakens system security slightly. >Is there a Python PAM module that you could use? Would it be any better >than SASL? PAM is patchy - the linux pam model that auths against the shadow password file uses a setuid root helper, but it is rightly paranoid, and refuses to auth anyone but the user or root (not so useful). Most PAM don't even go this far - if you aren't euid 0, you can't auth against shadow. Dunno what the BSD are doing. -- Andrew McNamara, Senior Developer, Object Craft http://www.object-craft.com.au/ From esj at harvee.org Tue Sep 16 09:13:10 2003 From: esj at harvee.org (Eric S. Johansson) Date: Mon, 15 Sep 2003 19:13:10 -0400 Subject: [albatross-users] Login.py second draft Message-ID: <3F664786.6070106@harvee.org> knocked in this out this afternoon. Got no answer on the python newsgroup about authenticating against your own password file in a portable fashion. It is a difficult problem that hasn't itched anyone enough. You will notice (if you read the code) that I have added a second class for dealing with another password file. It's basically the same type of code as I used for white list management so I felt pretty good taking it as a cut-and-paste inheritance. It also counts on an external program called portalocker which is probably similar to portaloo. It gives you portable file locking on many types of UNIX, Linux, and Windows. I try to be very conservative about locking files which unfortunately costs performance. Fortunately this code isn't critical path. Critique would be nice as I'm always trying to improve what I write. now, I am puzzling over how to integrate this login code with albatross. Ideally there should be little or no impact. If there is no authentication token or the token has expired, put up the login screen, repeatedly until they succeed. then return control to the desired screen by the user hopefully with all stored values intact. It might be possible to put this all as an alternative path to page_display and once it succeeds, page_display is called but only if you can guarantee that none of the other processing methods get called. but what do I know. I haven't spent anytime with the albatross source. I'm only guessing from observed behavior. all I hope for is that this code or some variant thereof will find its way into albatross. ---eric -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: login.py URL: From gabriel.cooper at mediapulse.com Fri Sep 19 05:17:10 2003 From: gabriel.cooper at mediapulse.com (Gabriel Cooper) Date: Thu, 18 Sep 2003 15:17:10 -0400 Subject: [albatross-users] Strange a2b_base64() error on form submission Message-ID: <3F6A04B6.9030707@mediapulse.com> An HTML attachment was scrubbed... URL: From djc at object-craft.com.au Sat Sep 20 13:58:17 2003 From: djc at object-craft.com.au (Dave Cole) Date: 20 Sep 2003 13:58:17 +1000 Subject: [albatross-users] Confused over name spaces In-Reply-To: <1063410911.25985.20.camel@localhost> References: <3387901.1063383520@lsanca1-ar1-4-41-026-254.lsanca1.dsl-verizon.net> <1063410911.25985.20.camel@localhost> Message-ID: > On Sat, 2003-09-13 at 00:18, Sheila King wrote: > > > > > now = time.localtime() > > """ /> > > > > > > > > > > Assuming it's not a typo, you only need one lot of " around the al-exec > expr, i.e. > > > > I'm not sure what """ would do. I'm kind of surprised that doesn't raise > an error. The reason you don't see an exception is due to the parser being based upon regular expressions. Anything that does not match the tag regular expressions is treated as plain text. You can see how the parser loads the above template by doing this: >>> from albatross import Template, SimpleContext >>> s = ''' ... ... ... ... ... ... ''' >>> ctx = SimpleContext('.') >>> t = Template(ctx, '', s) >>> t Template(Content([Content([Text( ), ])])) This shows (very crudely) how the parser handled the template. What you can see though is that your tag was handled as text. This can be confirmed like this: >>> t.content.items[0].content.items[0].__class__.__name__ 'Text' >>> t.content.items[0].content.items[0].text '\n\n' The above makes me think that the __repr__ methods in templates could be improved to make the above clearer. - Dave -- http://www.object-craft.com.au From djc at object-craft.com.au Sat Sep 20 22:57:49 2003 From: djc at object-craft.com.au (Dave Cole) Date: 20 Sep 2003 22:57:49 +1000 Subject: [albatross-users] New release? In-Reply-To: <1063361045.14194.124.camel@localhost> References: <1063361045.14194.124.camel@localhost> Message-ID: >>>>> "Matt" == Matt Goodall writes: Matt> Dave, Any chance of a new release soon or at least a snapshot of Matt> your source? Matt> It's getter harder and harder to send patches as my code base Matt> gets more and more out of sync with 1.10. I had to manually edit Matt> the patch I just sent (produced by Subversion) to remove other Matt> changes to these files, app.py in particular. I have spent most of today getting everything ready for a 1.20pre1 release. I want to include your new PageModuleMixin as I think it is the right way to go. It will break some code - probably a good thing though. I want Andrew to have a look at the new code before a final decision is made. Rather than import the page module you execfile() it. This means that all classes defined in the page module look like they are defined in the __builtin__ module. This causes problems if you ever place instances of these classes into the session... As we are trying to promote the use of an MVC approach, it might be a good idea to discourage people from placing more than the most basic glue code (no class definitions) in page modules. I can think of at least a few programs I have written that this will break :-). - Dave -- http://www.object-craft.com.au From sheila at thinkspot.net Sun Sep 21 00:21:05 2003 From: sheila at thinkspot.net (Sheila King) Date: Sat, 20 Sep 2003 07:21:05 -0700 Subject: [albatross-users] New release? In-Reply-To: References: <1063361045.14194.124.camel@localhost> Message-ID: <54044692.1064042465@localhost> --On Saturday, September 20, 2003 10:57 PM +1000 Dave Cole wrote: >>>>>> "Matt" == Matt Goodall writes: > > Matt> Dave, Any chance of a new release soon or at least a snapshot of > Matt> your source? > > Matt> It's getter harder and harder to send patches as my code base > Matt> gets more and more out of sync with 1.10. I had to manually edit > Matt> the patch I just sent (produced by Subversion) to remove other > Matt> changes to these files, app.py in particular. > > I have spent most of today getting everything ready for a 1.20pre1 > release. Sound exciting. And time consuming. > I want to include your new PageModuleMixin as I think it is the right > way to go. It will break some code - probably a good thing though. I > want Andrew to have a look at the new code before a final decision is > made. Somehow I'm thinking the above remark doesn't apply to Matt's latest cookie-path patch? I've been meaning to post that I've been using it and it seems to have solved the problems I had been reporting regarding duplicate cookies and corrupted sessions that I could not re-establish. Thanks again, Matt! > Rather than import the page module you execfile() it. This means that > all classes defined in the page module look like they are defined in > the __builtin__ module. This causes problems if you ever place > instances of these classes into the session... The above is over my head, as I am not that intimate with the Albatross source and that level of development is beyond where I am personally comfortable. However, for me, the last Albatross upgrade set me back two weeks of trying to fix code that "broke" for me and allowed me to make no progress in my actual task at hand, just trying to scramble to get my code functioning again due to upgrading Albatross. Certainly gives me pause in considering to upgrade Albatross further if it is going to break stuff each time. Especially since for me, I have no way to install an upgrade without overwriting my current install. I wish it were possible to do an alt-install switch, like one can do with Python, so that you can easily have more than one version installed. > As we are trying to promote the use of an MVC approach, it might be a > good idea to discourage people from placing more than the most basic > glue code (no class definitions) in page modules. I understand the reference to MVC approach, but I'm not sure what exactly is meant by trying to "discourage people from placing more than the most basic glue code (no class definitions) in page modules." Are you referring to classes I might write myself? Or page classes? or what? How are the suggested changes expected to break code? > I can think of at least a few programs I have written that this will > break :-). :\ -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From matt at pollenation.net Sun Sep 21 01:10:37 2003 From: matt at pollenation.net (Matt Goodall) Date: Sat, 20 Sep 2003 16:10:37 +0100 Subject: [albatross-users] New release? In-Reply-To: <54044692.1064042465@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> Message-ID: <1064070637.1493.39.camel@debian> On Sat, 2003-09-20 at 15:21, Sheila King wrote: > --On Saturday, September 20, 2003 10:57 PM +1000 Dave Cole > > I want to include your new PageModuleMixin as I think it is the right > > way to go. It will break some code - probably a good thing though. I > > want Andrew to have a look at the new code before a final decision is > > made. [snip] > for me, the last Albatross upgrade set me back two > weeks of trying to fix code that "broke" for me and allowed me to make no > progress in my actual task at hand, just trying to scramble to get my code > functioning again due to upgrading Albatross. Dave, for the record, after you told me about the issue you found with execfile I was a little less keen on my solution. It's up to you though, the current code is definitely incorrect but would it be better to use a hack to avoid breaking code? I think a hack is feasbile but it would be a fairly nasty hack ;-). Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From matt at pollenation.net Sun Sep 21 01:18:56 2003 From: matt at pollenation.net (Matt Goodall) Date: Sat, 20 Sep 2003 16:18:56 +0100 Subject: [albatross-users] New release? In-Reply-To: <54044692.1064042465@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> Message-ID: <1064071136.1457.49.camel@debian> On Sat, 2003-09-20 at 15:21, Sheila King wrote: > --On Saturday, September 20, 2003 10:57 PM +1000 Dave Cole > > I have spent most of today getting everything ready for a 1.20pre1 > > release. > > Sound exciting. And time consuming. Absolutely! Thanks for spending your weekend (again!) on this. > > I want to include your new PageModuleMixin as I think it is the right > > way to go. It will break some code - probably a good thing though. I > > want Andrew to have a look at the new code before a final decision is > > made. > > Somehow I'm thinking the above remark doesn't apply to Matt's latest > cookie-path patch? You're right, it's not. It's about the way page modules are located and loaded. Basically, the 1.10 way can make a mess of sys.modules (the list of loaded modules). I sent a patch to Dave and Andrew that used execfile() to load the page module code rather than actually importing it. The big advantage is that execfile() does not touch sys.modules. I raised the page module loading problem in the list but, for some reason, Dave and I discussed much of the problem off list. IIRC, it was a quick "how are you" chat that turned into a "how to fix the page module loading" chat. If I find the time, I'll summarise the discussion and post it to the list so everyone else can see it too. > I've been meaning to post that I've been using it and it > seems to have solved the problems I had been reporting regarding duplicate > cookies and corrupted sessions that I could not re-establish. > > Thanks again, Matt! Great stuff and no problem - it was incorrect for me too, I just hadn't noticed. > > Rather than import the page module you execfile() it. This means that > > all classes defined in the page module look like they are defined in > > the __builtin__ module. This causes problems if you ever place > > instances of these classes into the session... > > The above is over my head, as I am not that intimate with the Albatross > source and that level of development is beyond where I am personally > comfortable. However, for me, the last Albatross upgrade set me back two > weeks of trying to fix code that "broke" for me and allowed me to make no > progress in my actual task at hand, just trying to scramble to get my code > functioning again due to upgrading Albatross. > > Certainly gives me pause in considering to upgrade Albatross further if it > is going to break stuff each time. Especially since for me, I have no way > to install an upgrade without overwriting my current install. I wish it > were possible to do an alt-install switch, like one can do with Python, so > that you can easily have more than one version installed. I agree that it's bad that the code breaks but can you not use a staging server of some sort to test new releases? > > As we are trying to promote the use of an MVC approach, it might be a > > good idea to discourage people from placing more than the most basic > > glue code (no class definitions) in page modules. > > I understand the reference to MVC approach, but I'm not sure what exactly > is meant by trying to "discourage people from placing more than the most > basic glue code (no class definitions) in page modules." > > Are you referring to classes I might write myself? Or page classes? or > what? How are the suggested changes expected to break code? The problem is classes you write yourself that are defined in the page module and whose instances are stored in the session. The bottom line is that instances of a class **defined in a page module** cannot be pickled and so cannot be put in the session. This includes any TreeNode (http://www.object-craft.com.au/projects/albatross/albatross/tag-treenode.html) classes. The solution (if Dave and Andrew decide to go ahead with the change) is to move any page support classes into a proper package/module hierarchy, leaving _only_ the code immediately responsible for working with pages in the page module. Hope that provides a better understanding of code that might be affected. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From matt at pollenation.net Sun Sep 21 01:27:41 2003 From: matt at pollenation.net (Matt Goodall) Date: Sat, 20 Sep 2003 16:27:41 +0100 Subject: Example of execfile() problem (was Re: [albatross-users] New release?) In-Reply-To: <54044692.1064042465@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> Message-ID: <1064071661.1495.59.camel@debian> The following is not an Albatross page module but demonstrates the problem using execfile() to dynamically load and execute code. The code fails during pickle.loads(...) since the Test class cannot be found. Strange but true ;-). --- test.py --- import cPickle as pickle data = None class Test: def __init__(self): self.count = 0 def run(): global data if data: t = pickle.loads(data) else: t = Test() print 't is of type', t t.count += 1 print 'count=%s' % t.count data = pickle.dumps(t) --------------- And then from inside an Python shell: >>> d={} >>> execfile('test.py',d) >>> d['run']() t is of type <__builtin__.Test instance at 0x402125ac> count=1 >>> d['run']() Traceback (most recent call last): File "", line 1, in ? File "test.py", line 12, in run t = pickle.loads(data) AttributeError: 'module' object has no attribute 'Test' >>> -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From sheila at thinkspot.net Sun Sep 21 04:27:31 2003 From: sheila at thinkspot.net (Sheila King) Date: Sat, 20 Sep 2003 11:27:31 -0700 Subject: [albatross-users] New release? In-Reply-To: <1064071136.1457.49.camel@debian> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064071136.1457.49.camel@debian> Message-ID: <68831634.1064057251@localhost> --On Saturday, September 20, 2003 4:18 PM +0100 Matt Goodall wrote: > On Sat, 2003-09-20 at 15:21, Sheila King wrote: >> --On Saturday, September 20, 2003 10:57 PM +1000 Dave Cole >> > I have spent most of today getting everything ready for a 1.20pre1 >> > release. >> >> Sound exciting. And time consuming. > > Absolutely! Thanks for spending your weekend (again!) on this. > >> > I want to include your new PageModuleMixin as I think it is the right >> > way to go. It will break some code - probably a good thing though. I >> > want Andrew to have a look at the new code before a final decision is >> > made. >> >> Somehow I'm thinking the above remark doesn't apply to Matt's latest >> cookie-path patch? > > You're right, it's not. It's about the way page modules are located and > loaded. Basically, the 1.10 way can make a mess of sys.modules (the list > of loaded modules). I sent a patch to Dave and Andrew that used > execfile() to load the page module code rather than actually importing > it. The big advantage is that execfile() does not touch sys.modules. > > I raised the page module loading problem in the list but, for some > reason, Dave and I discussed much of the problem off list. IIRC, it was > a quick "how are you" chat that turned into a "how to fix the page > module loading" chat. If I find the time, I'll summarise the discussion > and post it to the list so everyone else can see it too. > >> I've been meaning to post that I've been using it and it >> seems to have solved the problems I had been reporting regarding >> duplicate cookies and corrupted sessions that I could not re-establish. >> >> Thanks again, Matt! > > Great stuff and no problem - it was incorrect for me too, I just hadn't > noticed. > >> > Rather than import the page module you execfile() it. This means that >> > all classes defined in the page module look like they are defined in >> > the __builtin__ module. This causes problems if you ever place >> > instances of these classes into the session... >> >> The above is over my head, as I am not that intimate with the Albatross >> source and that level of development is beyond where I am personally >> comfortable. However, for me, the last Albatross upgrade set me back two >> weeks of trying to fix code that "broke" for me and allowed me to make >> no progress in my actual task at hand, just trying to scramble to get >> my code functioning again due to upgrading Albatross. >> >> Certainly gives me pause in considering to upgrade Albatross further if >> it is going to break stuff each time. Especially since for me, I have >> no way to install an upgrade without overwriting my current install. I >> wish it were possible to do an alt-install switch, like one can do with >> Python, so that you can easily have more than one version installed. > > I agree that it's bad that the code breaks but can you not use a staging > server of some sort to test new releases? No. Some of us just have little shared hosting accounts and no similar set up on our home systems, and no feasible way to do so. I would be in that group. >> > As we are trying to promote the use of an MVC approach, it might be a >> > good idea to discourage people from placing more than the most basic >> > glue code (no class definitions) in page modules. >> >> I understand the reference to MVC approach, but I'm not sure what >> exactly is meant by trying to "discourage people from placing more than >> the most basic glue code (no class definitions) in page modules." >> >> Are you referring to classes I might write myself? Or page classes? or >> what? How are the suggested changes expected to break code? > > The problem is classes you write yourself that are defined in the page > module and whose instances are stored in the session. Hmmm. Doesn't sound like anything I've done. I have written some of my own classes, but I've put them in separate files, because I wanted to be able to access them for multiple pages, and I'm not storing any instances of classes in sessions. Makes me feel a little better. > The bottom line is that instances of a class **defined in a page > module** cannot be pickled and so cannot be put in the session. This > includes any TreeNode > (http://www.object-craft.com.au/projects/albatross/albatross/tag-treenode > .html) classes. > > The solution (if Dave and Andrew decide to go ahead with the change) is > to move any page support classes into a proper package/module hierarchy, > leaving _only_ the code immediately responsible for working with pages > in the page module. > > Hope that provides a better understanding of code that might be > affected. > > Cheers, Matt > Indeed, it does. I appreciate it. :) -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From tchur at optushome.com.au Sun Sep 21 07:14:01 2003 From: tchur at optushome.com.au (Tim Churches) Date: 21 Sep 2003 07:14:01 +1000 Subject: [albatross-users] New release? In-Reply-To: <54044692.1064042465@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> Message-ID: <1064092441.1205.27.camel@emilio> On Sun, 2003-09-21 at 00:21, Sheila King wrote: > The above is over my head, as I am not that intimate with the Albatross > source and that level of development is beyond where I am personally > comfortable. However, for me, the last Albatross upgrade set me back two > weeks of trying to fix code that "broke" for me and allowed me to make no > progress in my actual task at hand, just trying to scramble to get my code > functioning again due to upgrading Albatross. > > Certainly gives me pause in considering to upgrade Albatross further if it > is going to break stuff each time. Especially since for me, I have no way > to install an upgrade without overwriting my current install. I wish it > were possible to do an alt-install switch, like one can do with Python, so > that you can easily have more than one version installed. I agree. There is now a sufficiently large installed base of Albatross apps that serious consideration needs to be given to backwards compatibility. If new features are introduced, they need to have new names, and the old ones need to be retained with their original names - possibly marked as deprecated, but still retained so that existing apps don't break. Just like Python, which has achieved a remarkable level of backwards compatibility (not perfect, but very good, with excellent signposting of future breakage). -- Tim C PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere or at http://members.optushome.com.au/tchur/pubkey.asc Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From tchur at optushome.com.au Sun Sep 21 07:39:01 2003 From: tchur at optushome.com.au (Tim Churches) Date: 21 Sep 2003 07:39:01 +1000 Subject: [albatross-users] New release? In-Reply-To: <1064071136.1457.49.camel@debian> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064071136.1457.49.camel@debian> Message-ID: <1064093941.1191.50.camel@emilio> On Sun, 2003-09-21 at 01:18, Matt Goodall wrote: > The problem is classes you write yourself that are defined in the page > module and whose instances are stored in the session. > > The bottom line is that instances of a class **defined in a page > module** cannot be pickled and so cannot be put in the session. This > includes any TreeNode > (http://www.object-craft.com.au/projects/albatross/albatross/tag-treenode.html) classes. > > The solution (if Dave and Andrew decide to go ahead with the change) is > to move any page support classes into a proper package/module hierarchy, > leaving _only_ the code immediately responsible for working with pages > in the page module. > > Hope that provides a better understanding of code that might be > affected. OK, thanks, much clearer. That's not so bad then (since most of our Albatross code has been written by Dave, Andrew or Ben of Object-Craft - it's only my hacks which will need to be refactored a bit. However, my comments about the importance of backwards compatibility still stand. -- Tim C PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere or at http://members.optushome.com.au/tchur/pubkey.asc Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From matt at pollenation.net Sun Sep 21 07:52:53 2003 From: matt at pollenation.net (Matt Goodall) Date: Sat, 20 Sep 2003 22:52:53 +0100 Subject: [albatross-users] New release? In-Reply-To: <1064092441.1205.27.camel@emilio> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064092441.1205.27.camel@emilio> Message-ID: <1064094773.4785.29.camel@debian> On Sat, 2003-09-20 at 22:14, Tim Churches wrote: > I agree. There is now a sufficiently large installed base of Albatross > apps that serious consideration needs to be given to backwards > compatibility. If new features are introduced, they need to have new > names, and the old ones need to be retained with their original names - > possibly marked as deprecated, but still retained so that existing apps > don't break. Just like Python, which has achieved a remarkable level of > backwards compatibility (not perfect, but very good, with excellent > signposting of future breakage). I completely agree but, just to clarify, we're not talking about a new feature here. I found a potentially serious problem with the page module loader where entries in sys.modules can get overwritten. As you can imagine, that causes some seriously strange problems ;-). See http://www.object-craft.com.au/pipermail/albatross-users/2003-August/000826.html. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From tchur at optushome.com.au Sun Sep 21 08:05:32 2003 From: tchur at optushome.com.au (Tim Churches) Date: 21 Sep 2003 08:05:32 +1000 Subject: [albatross-users] New release? In-Reply-To: <1064094773.4785.29.camel@debian> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064092441.1205.27.camel@emilio> <1064094773.4785.29.camel@debian> Message-ID: <1064095532.1205.97.camel@emilio> On Sun, 2003-09-21 at 07:52, Matt Goodall wrote: > On Sat, 2003-09-20 at 22:14, Tim Churches wrote: > > I agree. There is now a sufficiently large installed base of Albatross > > apps that serious consideration needs to be given to backwards > > compatibility. If new features are introduced, they need to have new > > names, and the old ones need to be retained with their original names - > > possibly marked as deprecated, but still retained so that existing apps > > don't break. Just like Python, which has achieved a remarkable level of > > backwards compatibility (not perfect, but very good, with excellent > > signposting of future breakage). > > I completely agree but, just to clarify, we're not talking about a new > feature here. > > I found a potentially serious problem with the page module loader where > entries in sys.modules can get overwritten. As you can imagine, that > causes some seriously strange problems ;-). See > http://www.object-craft.com.au/pipermail/albatross-users/2003-August/000826.html. > Yup. Thanks to your subsequent post, both Sheila and I now better understand what you are talking about, and we are much more relaxed about the proposed change/fix. -- Tim C PGP/GnuPG Key 1024D/EAF993D0 available from keyservers everywhere or at http://members.optushome.com.au/tchur/pubkey.asc Key fingerprint = 8C22 BF76 33BA B3B5 1D5B EB37 7891 46A9 EAF9 93D0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From djc at object-craft.com.au Sun Sep 21 12:55:42 2003 From: djc at object-craft.com.au (Dave Cole) Date: 21 Sep 2003 12:55:42 +1000 Subject: [albatross-users] New release? In-Reply-To: <1064095532.1205.97.camel@emilio> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064092441.1205.27.camel@emilio> <1064094773.4785.29.camel@debian> <1064095532.1205.97.camel@emilio> Message-ID: >>>>> "Tim" == Tim Churches writes: Tim> On Sun, 2003-09-21 at 07:52, Matt Goodall wrote: >> On Sat, 2003-09-20 at 22:14, Tim Churches wrote: > I agree. There >> is now a sufficiently large installed base of Albatross > apps that >> serious consideration needs to be given to backwards > >> compatibility. If new features are introduced, they need to have >> new > names, and the old ones need to be retained with their >> original names - > possibly marked as deprecated, but still >> retained so that existing apps > don't break. Just like Python, >> which has achieved a remarkable level of > backwards compatibility >> (not perfect, but very good, with excellent > signposting of future >> breakage). >> >> I completely agree but, just to clarify, we're not talking about a >> new feature here. >> >> I found a potentially serious problem with the page module loader >> where entries in sys.modules can get overwritten. As you can >> imagine, that causes some seriously strange problems ;-). See >> http://www.object-craft.com.au/pipermail/albatross-users/2003-August/000826.html. >> Tim> Yup. Thanks to your subsequent post, both Sheila and I now better Tim> understand what you are talking about, and we are much more Tim> relaxed about the proposed change/fix. -- Maybe I should back out the new page module loader and leave it unchanged for the next release. There are enough small fixes over 1.10 to warrant a new release without the new page module loader. I think that even with the pickling problems introduced by the new page module loader, it is a better way to go. The new loader does not pollute sys.modules. One huge benefit of the new page module loader is that with a small modification page modules can be made completely invisible to the Python importer. Since execfile() takes a filename argument it is possible to give the page modules an extension that is invisible to Python. djc at rat:~$ cat > some_page.apy print "hello" djc at rat:~$ python Python 2.3+ (#2, Aug 10 2003, 11:33:47) [GCC 3.3.1 (Debian)] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> execfile('some_page.apy') hello >>> import some_page Traceback (most recent call last): File "", line 1, in ? ImportError: No module named some_page I think that this would be big step forward. Currently Matt's new loader appends '.py' to the page name to determine the name of the page module file. I am all for making that extension something else. Having said all of that, I think I will remove the loader for the next release. Oh, on the subject of installing albatross in a way that does not disrupt the previous version; all you have to do is this: $ python setup.py install --install-lib ~/myproj --install-scripts ~/myproj $ ls -l ~/myproj/ total 20 -rwxr-xr-x 1 djc staff 1111 Sep 21 12:53 al-httpd -rwxr-xr-x 1 djc staff 8414 Sep 21 12:53 al-session-daemon drwxr-sr-x 2 djc staff 4096 Sep 21 12:56 albatross This gives you the ability to have a project specific version of Albatross. - Dave -- http://www.object-craft.com.au From djc at object-craft.com.au Sun Sep 21 12:57:34 2003 From: djc at object-craft.com.au (Dave Cole) Date: 21 Sep 2003 12:57:34 +1000 Subject: [albatross-users] New release? In-Reply-To: <54044692.1064042465@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> Message-ID: >>>>> "Sheila" == Sheila King writes: >> I have spent most of today getting everything ready for a 1.20pre1 >> release. Sheila> Sound exciting. And time consuming. >> I want to include your new PageModuleMixin as I think it is the >> right way to go. It will break some code - probably a good thing >> though. I want Andrew to have a look at the new code before a >> final decision is made. Sheila> Somehow I'm thinking the above remark doesn't apply to Matt's Sheila> latest cookie-path patch? I've been meaning to post that I've Sheila> been using it and it seems to have solved the problems I had Sheila> been reporting regarding duplicate cookies and corrupted Sheila> sessions that I could not re-establish. Sheila> Thanks again, Matt! Yes, thanks Matt! I am going to ensure that all of the bugfixes make it into the next release. The pre release will allow people to check that I have not missed anything... - Dave -- http://www.object-craft.com.au From djc at object-craft.com.au Sun Sep 21 13:43:55 2003 From: djc at object-craft.com.au (Dave Cole) Date: 21 Sep 2003 13:43:55 +1000 Subject: [albatross-users] SERVER_NAME vs HTTP_HOST? In-Reply-To: <1061131114.23921.3.camel@localhost> References: <864r0jay0a.fsf@mobile.repose.cx> <1061131114.23921.3.camel@localhost> Message-ID: >>>>> "Matt" == Matt Goodall writes: Matt> On Sun, 2003-08-17 at 11:40, Dave Cole wrote: >> Applied. Matt> Dave, did you find time to make the same change for the other Matt> Request adapters? fcgiapp should be the same change; Done. Matt> I think httpdapp is a matter of urlparse'ing the raw request; Not sure if this matters for httpdapp. Matt> not sure about mod_python. Me either... -- http://www.object-craft.com.au From djc at object-craft.com.au Sun Sep 21 16:20:17 2003 From: djc at object-craft.com.au (Dave Cole) Date: 21 Sep 2003 16:20:17 +1000 Subject: [albatross-users] Albatross 1.11 pre1 release Message-ID: I have just packaged up the 1.11pre1 release of Albatross. As this is a pre-release the announcement is only being sent to this list. The documentation has been updated. You can see a list of the changes here. http://www.object-craft.com.au/projects/albatross/albatross/changes.html This release is intended to be fully compatible with the 1.10 release. A lot of minor reorganisation of the samples has been performed to enable the samples to be executed via the al-httpd program. al-httpd is a very useful tool for testing during development. For example, the tree1 sample can be executed like this: $ cd samples/tree2/ $ al-httpd tree.app 8080 /alsamp/images ../images/ You can now point your browser at http://localhost:8080/ to try the example. al-httpd allows pairs of URI to filesystem path prefix translations to be specified on the command line. This allows static resources to be served by al-httpd. Please download the release and make sure I have not forgotten one of the fixes.. - Dave -- http://www.object-craft.com.au From sheila at thinkspot.net Tue Sep 23 04:37:40 2003 From: sheila at thinkspot.net (Sheila King) Date: Mon, 22 Sep 2003 11:37:40 -0700 Subject: [albatross-users] New release? In-Reply-To: References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064092441.1205.27.camel@emilio> <1064094773.4785.29.camel@debian> <1064095532.1205.97.camel@emilio> Message-ID: <37711756.1064230660@localhost> Dave, thanks for the tip below. I'm SURPISED it is that simple, because... I've looked in the archives for assistance on this topic and found nowhere such a simple solution. Might be worth mentioning in the installation docs? -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org --On Sunday, September 21, 2003 12:55 PM +1000 Dave Cole wrote: > Oh, on the subject of installing albatross in a way that does not > disrupt the previous version; all you have to do is this: > > $ python setup.py install --install-lib ~/myproj --install-scripts > ~/myproj $ ls -l ~/myproj/ > total 20 > -rwxr-xr-x 1 djc staff 1111 Sep 21 12:53 al-httpd > -rwxr-xr-x 1 djc staff 8414 Sep 21 12:53 al-session-daemon > drwxr-sr-x 2 djc staff 4096 Sep 21 12:56 albatross > > This gives you the ability to have a project specific version of > Albatross. From djc at object-craft.com.au Tue Sep 23 10:16:20 2003 From: djc at object-craft.com.au (Dave Cole) Date: 23 Sep 2003 10:16:20 +1000 Subject: [albatross-users] New release? In-Reply-To: <37711756.1064230660@localhost> References: <1063361045.14194.124.camel@localhost> <54044692.1064042465@localhost> <1064092441.1205.27.camel@emilio> <1064094773.4785.29.camel@debian> <1064095532.1205.97.camel@emilio> <37711756.1064230660@localhost> Message-ID: >>>>> "Sheila" == Sheila King writes: Sheila> Dave, thanks for the tip below. I'm SURPISED it is that Sheila> simple, because... I've looked in the archives for assistance Sheila> on this topic and found nowhere such a simple solution. I didn't know about it until 15 minutes before I wrote the email :-). All I did was $ python setup.py install --help Then wondered what all of those options were for :-). Sheila> Might be worth mentioning in the installation docs? I have added the following to the installation section of the manual: If you already have a copy of Albatross installed and wish to test the new release before installing it globally then you can install an application private copy. If your application is installed in \texttt{/path/to/proj} then the following command will install a copy of Albatross that is only visible to that application: \begin{verbatim} python setup.py install --install-lib /path/to/proj --install-scripts /path/to/proj \end{verbatim} - Dave -- http://www.object-craft.com.au From matt at pollenation.net Tue Sep 23 23:23:05 2003 From: matt at pollenation.net (Matt Goodall) Date: Tue, 23 Sep 2003 14:23:05 +0100 Subject: [albatross-users] SCGI Message-ID: <1064323384.29960.53.camel@debian> Not feeling too well today so I'm having a day "working" from home. What a good chance to do some playing :). I've noticed that some people consider SCGI superior to FastCGI, mostly due to simplicity, so I thought I'd find out more. Attached is a simple Albatross app plus SCGI handler. Seems to work ok with apache-1.3.27.1-3, libapache-mod-scgi-1.1-1 and python2.3-scgi (Debian packages). Anything else is completely untested. This is definitely a work in progress -- it needs splitting up into an scgiapp module and an al-scgi script -- but I thought you might be interested to know how it's done and how simple it is. Now I've written a couple of these CGI-like adapters it's clear that a small amount of refactoring to cgiapp could simplify FastCGI and SCGI support. FYI, SCGI works by sending a CGI-like environment and the HTTP request from the Apache process to an _already running_ SCGI server (an Albatross application in this case). The SCGIServer I've extended is a preforking thingy so I don't think it's going to work on Windows ... sorry! I don't have any strong opinions about SCGI vs FastCGI yet. They seem to perform about the same on my machine. However. a couple of advantages I can see with SCGI are: * Number of children is defined by the application. No need to touch Apache config once SCGI has been enabled. * It's simpler to deploy a new version of the code - just kill and restart the Python app. No need to restart Apache. This makes things easier during development. Now it's time to see what patches Dave missed in the new release ... ;-) Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at pollenation.net Wed Sep 24 00:59:02 2003 From: matt at pollenation.net (Matt Goodall) Date: Tue, 23 Sep 2003 15:59:02 +0100 Subject: [albatross-users] Albatross 1.11 pre1 release In-Reply-To: References: Message-ID: <1064329141.29959.139.camel@debian> On Sun, 2003-09-21 at 07:20, Dave Cole wrote: > I have just packaged up the 1.11pre1 release of Albatross. As this is > a pre-release the announcement is only being sent to this list. [snip] > al-httpd allows pairs of URI to filesystem path prefix > translations to be specified on the command line. This allows static > resources to be served by al-httpd. Thanks Dave. I'd forgotten all about the change to al-httpd for static resources. > Please download the release and make sure I have not forgotten one of > the fixes.. I can't _see_ anything I might have sent that you missed although I haven't had the chance to actually try it yet. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From francis.meyvis at sonycom.com Wed Sep 24 16:00:10 2003 From: francis.meyvis at sonycom.com (Francis Meyvis) Date: Wed, 24 Sep 2003 08:00:10 +0200 Subject: [albatross-users] albatross installation References: <20030923202503.10372.79947.Mailman@numbat.object-craft.com.au> Message-ID: <3F7132EA.50201@sonycom.com> Hello, > Sheila> Dave, thanks for the tip below. I'm SURPISED it is that > Sheila> simple, because... I've looked in the archives for assistance > Sheila> on this topic and found nowhere such a simple solution. > > I didn't know about it until 15 minutes before I wrote the email :-). > > All I did was > > $ python setup.py install --help I unpack the tar.gz file and simply copy the contents of albatross to my_project/lib/albatross and the top of the main my_project.py source file that is called from the HTTP server's CGI engine typically looks like this #!/usr/bin/python import sys sys.path.append('lib') so that an import albatross further down in the source succeeds. This is a quick and dirty way: - to check whether your sources work with the latest albatross version. - if you don't have the rights on UNIX to add things to the standard python installation (that's also my case). - make sure your project is always linked to that specific albatross version it was implemented for. Ok you have to python-compile this stuff in albatross manually :-( (I most of the time forget to do this of course :-( regards, francis From esj at harvee.org Thu Sep 25 04:08:45 2003 From: esj at harvee.org (Eric S. Johansson) Date: Wed, 24 Sep 2003 14:08:45 -0400 Subject: [albatross-users] login integration challenges again Message-ID: <3F71DDAD.8010700@harvee.org> I started trying to integrate the login code into one of my applications and I discovered a few things that show me it is time to learn more about albatross. The working model for albatross use was the single file for all methods and functions plus the glue code for activating albatross. The working model broke out the code in the following fashion: Includes independent functions classes albatross glue class with methods page_enter page_process page_display and last, glue code instance of SimpleApp register page (binding glue class to albatross) then run (request()) Granted, many of the features around the glue code still escape me and I take the simpleminded view that page_enter is used to create initial values, page_process is used to perform work based on a button push and set up data for use during page_display. Page_display is used for any calculations necessary for page display independent of whether or not page page_display has run. Adding login semantics to this style of coding doesn't work well. For example, page_enter would use some form of login object instantiation and then storing that object as part of context.locals. Next during page_process the first thing one must do is validate that someone is logged in and a token is valid. If not control passes to a login page, potentially preserving the current state of the submit. Same thing is true for page_display because someone may just access the page for data display. Unfortunately, I do not remember if page_process executes every time you access the page or not. Conceptually, the big problem is the redirecting control to a login page and then picking up again from where you left off. So, is there any way to embed my login capabilities into albatross so that I can minimize the amount of work a user needs to remember to do in order to get authentication working with their application? Ideally, the most they should have to do would be to define a login authentication instance in the page_enter section and everything else should happen automatically and invisibly. I don't think I'm too far off base on usability model, I just need to know how to integrate with albatross better (I think) Suggestions? Ideas? ---eric From neel at mediapulse.com Thu Sep 25 04:44:44 2003 From: neel at mediapulse.com (Michael C. Neel) Date: Wed, 24 Sep 2003 14:44:44 -0400 Subject: [albatross-users] login integration challenges again Message-ID: This is of cource my preference, but I don't think doing authencation inside of albatross is the way to go. Rather wrap the auth code around the albatross app. Since I'm using mod_python, this is farily easy - I just define a auth handler for apache. If the auth handler fails, the content handler (albatross) is never called. I don't think this would be too much trouble in a cgi app; just before you start up the albatross code, preform the needed login/premisson checks. Once we passed the auth code, I pass into the albatross request object any auth data it might need, like such: myReq = Request(req) myReq.username = username return app.run(myReq) and then access these members though ctx.request (i.e. ctx.request.username). I've found this to work well no matter the auth scheme (http-auth, cookie, even referer). Mike > -----Original Message----- > From: Eric S. Johansson [mailto:esj at harvee.org] > Sent: Wednesday, September 24, 2003 2:09 PM > To: albatross-users > Subject: [albatross-users] login integration challenges again > > > I started trying to integrate the login code into one of my > applications and I > discovered a few things that show me it is time to learn more > about albatross. > > The working model for albatross use was the single file for > all methods and > functions plus the glue code for activating albatross. The > working model broke > out the code in the following fashion: > > Includes > independent functions > classes > albatross glue class with methods > page_enter > page_process > page_display > and last, glue code > instance of SimpleApp > register page (binding glue class to albatross) > then run (request()) > > Granted, many of the features around the glue code still > escape me and I take > the simpleminded view that page_enter is used to create > initial values, > page_process is used to perform work based on a button push > and set up data for > use during page_display. Page_display is used for any > calculations necessary > for page display independent of whether or not page > page_display has run. > > Adding login semantics to this style of coding doesn't work > well. For example, > page_enter would use some form of login object instantiation > and then storing > that object as part of context.locals. Next during > page_process the first thing > one must do is validate that someone is logged in and a token > is valid. If not > control passes to a login page, potentially preserving the > current state of the > submit. Same thing is true for page_display because someone > may just access the > page for data display. Unfortunately, I do not remember if > page_process > executes every time you access the page or not. > > Conceptually, the big problem is the redirecting control to a > login page and > then picking up again from where you left off. > > So, is there any way to embed my login capabilities into > albatross so that I can > minimize the amount of work a user needs to remember to do in > order to get > authentication working with their application? Ideally, the > most they should > have to do would be to define a login authentication instance > in the page_enter > section and everything else should happen automatically and invisibly. > > I don't think I'm too far off base on usability model, I just > need to know how > to integrate with albatross better (I think) > > Suggestions? Ideas? > > ---eric > > > _______________________________________________ > Albatross-users mailing list > Albatross-users at object-craft.com.au > https://www.object-craft.com.au/cgi-bin/mailman/listinfo/albat ross-users From matt at pollenation.net Thu Sep 25 04:58:26 2003 From: matt at pollenation.net (Matt Goodall) Date: Wed, 24 Sep 2003 19:58:26 +0100 Subject: [albatross-users] login integration challenges again In-Reply-To: <3F71DDAD.8010700@harvee.org> References: <3F71DDAD.8010700@harvee.org> Message-ID: <1064429906.12808.54.camel@debian> On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote: > I started trying to integrate the login code into one of my applications and I > discovered a few things that show me it is time to learn more about albatross. > > The working model for albatross use was the single file for all methods and > functions plus the glue code for activating albatross. The working model broke > out the code in the following fashion: > > Includes > independent functions > classes > albatross glue class with methods > page_enter > page_process > page_display > and last, glue code > instance of SimpleApp > register page (binding glue class to albatross) > then run (request()) > > Granted, many of the features around the glue code still escape me and I take > the simpleminded view that page_enter is used to create initial values, > page_process is used to perform work based on a button push and set up data for > use during page_display. Page_display is used for any calculations necessary > for page display independent of whether or not page page_display has run. > > Adding login semantics to this style of coding doesn't work well. For example, > page_enter would use some form of login object instantiation and then storing > that object as part of context.locals. Next during page_process the first thing > one must do is validate that someone is logged in and a token is valid. If not > control passes to a login page, potentially preserving the current state of the > submit. Same thing is true for page_display because someone may just access the > page for data display. Unfortunately, I do not remember if page_process > executes every time you access the page or not. Unless you call ctx.redirect() or raise some form of error (both amount to the same thing anyway) then page_process will be called. > Conceptually, the big problem is the redirecting control to a login page and > then picking up again from where you left off. > > So, is there any way to embed my login capabilities into albatross so that I can > minimize the amount of work a user needs to remember to do in order to get > authentication working with their application? Ideally, the most they should > have to do would be to define a login authentication instance in the page_enter > section and everything else should happen automatically and invisibly. > > I don't think I'm too far off base on usability model, I just need to know how > to integrate with albatross better (I think) > > Suggestions? Ideas? If users must *always* be authenticated to use the application, and you are not using Albatross in random mode, then the simplest solution is probably to set the start page to your login page. Once the user authenticates correctly call ctx.set_page() to move to the main application page. If the user restarts the browser or the session times out the user will be automatically sent back to the login page. If you only want authentication to happen on first access to a protected page then it would probably be best to override one of the Albatross methods rather than scatter access control checks throughout your page code. The two more obvious Albatross methods to override are set_page() and page_enter(), I would have to look at the Albatross code to decide which one to override. If the user is already authenticated then call the parent class's version of the overridden method; if not then redirect() or set_page() to your login page, passing enough information to return to the current page later. Hope this helps. Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From esj at harvee.org Thu Sep 25 04:56:49 2003 From: esj at harvee.org (Eric S. Johansson) Date: Wed, 24 Sep 2003 14:56:49 -0400 Subject: [albatross-users] login integration challenges again In-Reply-To: References: Message-ID: <3F71E8F1.6030201@harvee.org> Michael C. Neel explained: > This is of cource my preference, but I don't think doing authencation > inside of albatross is the way to go. Rather wrap the auth code around > the albatross app. Since I'm using mod_python, this is farily easy - I > just define a auth handler for apache. If the auth handler fails, the > content handler (albatross) is never called. thank you for the perspective. I had been so boxed in by my own preconceptions around albatross that I couldn't see the alternative. > > I don't think this would be too much trouble in a cgi app; just before > you start up the albatross code, preform the needed login/premisson > checks. obviously this means that the login code (or its CGI wrapper) would need access and process the raw authentication information. Interesting. > Once we passed the auth code, I pass into the albatross request object > any auth data it might need, like such: > > myReq = Request(req) > myReq.username = username > return app.run(myReq) > > and then access these members though ctx.request (i.e. > ctx.request.username). > > I've found this to work well no matter the auth scheme (http-auth, > cookie, even referer). very good perspective. It gives me a significant degree of freedom. My original reason for wanting to embed it with an albatross is so that I could make use of the same templates for page presentation so that the login screen would look the same as the rest of the application. I think I will go experiment for a bit. ---eric From esj at harvee.org Thu Sep 25 05:08:44 2003 From: esj at harvee.org (Eric S. Johansson) Date: Wed, 24 Sep 2003 15:08:44 -0400 Subject: [albatross-users] login integration challenges again In-Reply-To: <1064429906.12808.54.camel@debian> References: <3F71DDAD.8010700@harvee.org> <1064429906.12808.54.camel@debian> Message-ID: <3F71EBBC.4050000@harvee.org> Matt Goodall explained: > On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote: > If users must *always* be authenticated to use the application, and you > are not using Albatross in random mode, then the simplest solution is > probably to set the start page to your login page. Once the user > authenticates correctly call ctx.set_page() to move to the main > application page. If the user restarts the browser or the session times > out the user will be automatically sent back to the login page. the whole point behind authentication is that the user must be authenticated every step of the way no matter how they entered the application. For that reason, I'm coming to appreciate the "login wrapper" model even though it does appear to have problems with persistence. I need to investigate that a little further. > If you only want authentication to happen on first access to a protected > page then it would probably be best to override one of the Albatross > methods rather than scatter access control checks throughout your page > code. > > The two more obvious Albatross methods to override are set_page() and > page_enter(), I would have to look at the Albatross code to decide which > one to override. If the user is already authenticated then call the > parent class's version of the overridden method; if not then redirect() > or set_page() to your login page, passing enough information to return > to the current page later. this makes sense. To make sure I'm understanding what you are saying correctly, I would create a new variation on the albatross classes in which I override one of a couple of methods. In the overrides, I can redirect control if authentication fails. The only challenge with this model is that I'm not sure how to preserve the entire context.locals state so that it will be presented next time around just like it was the first time except with authentication. > > Hope this helps. as always, it does. ---eric From matt at pollenation.net Thu Sep 25 05:40:28 2003 From: matt at pollenation.net (Matt Goodall) Date: Wed, 24 Sep 2003 20:40:28 +0100 Subject: [albatross-users] login integration challenges again In-Reply-To: <3F71EBBC.4050000@harvee.org> References: <3F71DDAD.8010700@harvee.org> <1064429906.12808.54.camel@debian> <3F71EBBC.4050000@harvee.org> Message-ID: <1064432427.18977.20.camel@debian> On Wed, 2003-09-24 at 20:08, Eric S. Johansson wrote: > Matt Goodall explained: > > > On Wed, 2003-09-24 at 19:08, Eric S. Johansson wrote: > > If users must *always* be authenticated to use the application, and you > > are not using Albatross in random mode, then the simplest solution is > > probably to set the start page to your login page. Once the user > > authenticates correctly call ctx.set_page() to move to the main > > application page. If the user restarts the browser or the session times > > out the user will be automatically sent back to the login page. By the way, this is basically what the popview example does. > the whole point behind authentication is that the user must be authenticated > every step of the way no matter how they entered the application. For that > reason, I'm coming to appreciate the "login wrapper" model even though it does > appear to have problems with persistence. I need to investigate that a little > further. Keeping authentication code out of pages also helps make sure access control isn't missed. I generally use this sort of model and I often also assume no access unless the authentication code says otherwise, i.e. the login page is open to the public but everything else is proteced. > > > If you only want authentication to happen on first access to a protected > > page then it would probably be best to override one of the Albatross > > methods rather than scatter access control checks throughout your page > > code. > > > > The two more obvious Albatross methods to override are set_page() and > > page_enter(), I would have to look at the Albatross code to decide which > > one to override. If the user is already authenticated then call the > > parent class's version of the overridden method; if not then redirect() > > or set_page() to your login page, passing enough information to return > > to the current page later. > > this makes sense. To make sure I'm understanding what you are saying correctly, > I would create a new variation on the albatross classes in which I override one > of a couple of methods. In the overrides, I can redirect control if > authentication fails. Yes. Note that your application class is already a "variation of the Albatross classes" as you inherited from the Albatross classes. You should be able to override a method there. > The only challenge with this model is that I'm not sure how to preserve the > entire context.locals state so that it will be presented next time around just > like it was the first time except with authentication. Yep, that could be an interesting problem ;-). Cheers, Matt -- Matt Goodall, Pollenation Internet Ltd w: http://www.pollenationinternet.com e: matt at pollenation.net t: +44 (0)113 2252500 From esj at harvee.org Thu Sep 25 14:25:54 2003 From: esj at harvee.org (Eric S. Johansson) Date: Thu, 25 Sep 2003 00:25:54 -0400 Subject: [albatross-users] next bit of confused insight Message-ID: <3F726E52.1050200@harvee.org> I'm experimenting with keeping the login code external from the application. I'm trying to invoke it external to the initial invocation of albatross and it seems to be working okay but am having problems getting back to the original page. I have hardcoded the return page but it's giving me grieve. Template traceback (most recent call last): Traceback (most recent call last): File "/usr/lib/python2.2/site-packages/albatross/app.py", line 248, in run self.display_response(ctx) File "/usr/lib/python2.2/site-packages/albatross/app.py", line 459, in display_response obj = self.__page_objects[ctx.page] KeyError: edit_config.py the code that gives me this error is: context.set_page('edit_config.py') and is found in the login's page_process now I'm not fully clear on how everything works yet (obviously). What I do in edit_config.py is app = SimpleApp(base_url = 'edit_config.py', template_path = '.', start_page = 'edit_config', secret = '-=-secret-=-' ) # check for authentication new_request = Request() #should not return without proper authentication. login.go_login(new_request) app.register_page('edit_config',edit_configuration()) app.run(new_request) then in login.go_login def go_login(new_request): app = SimpleApp(base_url = 'login.py', template_path = '.', start_page = 'login', secret = '-=-secret-=-' ) # check for authentication authentication = login_authentication() if hasattr(new_request,'_albatross_authentication') and \ authentication.validate_token(context._albatross_authentication): # token is there and validates. Return to calling context return syslog.syslog("let's go to authentication") #need to go off and do login authentication app.register_page('login',login_processing()) app.run(new_request) sys.exit(0); so, according to my limited knowledge, everything should work but obviously I'm missing something. Ideas? By the way, pushing the code around like this makes me even more convinced that some form of authentication should be embedded just to make it easier for people to do things right. ---eric From gnb at itga.com.au Thu Sep 25 15:31:32 2003 From: gnb at itga.com.au (Gregory Bond) Date: Thu, 25 Sep 2003 15:31:32 +1000 Subject: [albatross-users] next bit of confused insight In-Reply-To: Your message of Thu, 25 Sep 2003 00:25:54 -0400. Message-ID: <200309250531.PAA05489@lightning.itga.com.au> > context.set_page('edit_config.py') Umm, the page name is 'edit_config', you should be using that, not the file name. From esj at harvee.org Fri Sep 26 00:22:55 2003 From: esj at harvee.org (Eric S. Johansson) Date: Thu, 25 Sep 2003 10:22:55 -0400 Subject: [albatross-users] next bit of confused insight In-Reply-To: <200309250531.PAA05489@lightning.itga.com.au> References: <200309250531.PAA05489@lightning.itga.com.au> Message-ID: <3F72FA3F.2090404@harvee.org> Gregory Bond explained: >> context.set_page('edit_config.py') > > > Umm, the page name is 'edit_config', you should be using that, not the file > name. that dawned on me shortly after I sent the message. Same failure. It's almost like it doesn't know that page exists and I even tried registering that page before calling the login code. ---eric Template traceback (most recent call last): Traceback (most recent call last): File "/usr/lib/python2.2/site-packages/albatross/app.py", line 248, in run self.display_response(ctx) File "/usr/lib/python2.2/site-packages/albatross/app.py", line 459, in display_response obj = self.__page_objects[ctx.page] KeyError: edit_config From gnb at itga.com.au Fri Sep 26 10:54:32 2003 From: gnb at itga.com.au (Gregory Bond) Date: Fri, 26 Sep 2003 10:54:32 +1000 Subject: [albatross-users] next bit of confused insight In-Reply-To: Your message of Thu, 25 Sep 2003 00:25:54 -0400. Message-ID: <200309260054.KAA22018@lightning.itga.com.au> OK, the next problem here is you have 2 app objects. One is in edit_config.py and has the edit_config page registered. One is in go_login(), which doesn't have this page registered. Calling set_page('edit_config') inside the login page is using the login app object, which doesn't have this page registered, hence the error. There should be no need for a separate app object in the login function. Were I to attack the problem of "make sure I have valid auth at all times", I'd do something like this (bearing in mind I use page objects, not page modules, and file-based server-side sessions for non-Random apps): - Create a base class for all my page objects (I do this anyway so I can put application-wide nav bars etc in) - This base class would have a page_process function like this def page_process(self, ctx): if not hasattr(ctx.locals, '_auth'): ctx.set_page('login') return if not valid_auth(ctx.locals._auth): ctx.set_page('login_expired') return self.sub_page_process(ctx) - 2 new pages, for initial login and for handling stale/expired auth credentials. These would set the ctx.locals._auth member into the session state and then set_page() to the main application page. These objects would NOT be a subclass of the above base! - All other pages subclass the page base and provide a sub_page_process() to do the actual navigation. This should ensure that the auth is checked and valid before any action is taken anywhere in the application. From gnb at itga.com.au Fri Sep 26 11:28:33 2003 From: gnb at itga.com.au (Gregory Bond) Date: Fri, 26 Sep 2003 11:28:33 +1000 Subject: [albatross-users] python 2.2-ism in httpdapp Message-ID: <200309260128.LAA00900@lightning.itga.com.au> httpdapp.py (in 1.10) does from urlparse import urlsplit which is a 2.2-ism and breaks on my 2.1 installation. The attached patch fixes that, on the dubious assumption that I understood the code in the first place! -------------- next part -------------- --- albatross/httpdapp.py.DIST Sat Jul 12 14:42:51 2003 +++ albatross/httpdapp.py Fri Sep 26 11:21:16 2003 @@ -9,7 +9,18 @@ import BaseHTTPServer import cgi from cStringIO import StringIO -from urlparse import urlsplit + +try: + from urlparse import urlsplit + def parse(s): + return urlsplit(s.split()[1])[3] +except ImportError: + # Python 2.1, so use the old and inferior urlparse + from urlparse import urlparse + def parse(s): + return urlparse(s.split()[1])[4] + + class Request: @@ -33,7 +44,7 @@ def parse_get_fields(self): """Extract fields from query string""" - qs = urlsplit(self._req.requestline.split()[1])[3] + qs = parse(self._req.requestline) if not qs: return {} return cgi.parse_qs(qs) From djc at object-craft.com.au Fri Sep 26 11:37:06 2003 From: djc at object-craft.com.au (Dave Cole) Date: 26 Sep 2003 11:37:06 +1000 Subject: [albatross-users] next bit of confused insight In-Reply-To: <200309260054.KAA22018@lightning.itga.com.au> References: <200309260054.KAA22018@lightning.itga.com.au> Message-ID: > Were I to attack the problem of "make sure I have valid auth at all > times", I'd do something like this (bearing in mind I use page > objects, not page modules, and file-based server-side sessions for > non-Random apps): > > - Create a base class for all my page objects (I do this anyway so > I can put application-wide nav bars etc in) > > - This base class would have a page_process function like this > > def page_process(self, ctx): > if not hasattr(ctx.locals, '_auth'): > ctx.set_page('login') > return > if not valid_auth(ctx.locals._auth): > ctx.set_page('login_expired') > return > self.sub_page_process(ctx) > > - 2 new pages, for initial login and for handling stale/expired auth > credentials. These would set the ctx.locals._auth member into > the session state and then set_page() to the main application > page. These objects would NOT be a subclass of the above base! > > - All other pages subclass the page base and provide a > sub_page_process() to do the actual navigation. > > This should ensure that the auth is checked and valid before any action is > taken anywhere in the application. If you want to use page modules rather than page objects you can put the behaviour into the application class. If you look at the run() method of the Albatross Application class (in app.py) you will see a convenient place to place this sort of functionality. def run(self, req): '''Process a single browser request ''' ctx = None try: ctx = self.create_context() ctx.set_request(req) self.load_session(ctx) self.load_page(ctx) if self.validate_request(ctx): self.merge_request(ctx) self.process_request(ctx) self.display_response(ctx) self.save_session(ctx) ctx.flush_content() except Redirect, e: self.save_session(ctx) return ctx.send_redirect(e.loc) except: self.handle_exception(ctx, req) return req.status() The thing to notice from the above is that the application will not merge or process the browser request if it fails validation. Vanilla Albatross does not perform any request validation as you can see from the Application validate_request() method: def validate_request(self, ctx): return 1 You could subclass the Albatross application class and do something like this (completely untested): def validate_request(self, ctx): if not hasattr(ctx.locals, '_auth'): ctx.set_page('login') return 0 if not valid_auth(ctx.locals._auth): ctx.set_page('login_expired') return 0 Oh, this should probably work in all types of session based Albatross applications. - Dave -- http://www.object-craft.com.au From gnb at itga.com.au Fri Sep 26 12:23:32 2003 From: gnb at itga.com.au (Gregory Bond) Date: Fri, 26 Sep 2003 12:23:32 +1000 Subject: [albatross-users] next bit of confused insight In-Reply-To: Your message of 26 Sep 2003 11:37:06 +1000. Message-ID: <200309260223.MAA06568@lightning.itga.com.au> >You could subclass the Albatross application class and do something >like this (completely untested): > > def validate_request(self, ctx): With the added check that if ctx.locals.__page__ == 'login': return 1 this works a treat! I've added a short example to the Wiki http://www.object-craft.com.au/projects/albatross/wiki/Handling_20Authentication From andrewm at object-craft.com.au Fri Sep 26 13:55:48 2003 From: andrewm at object-craft.com.au (Andrew McNamara) Date: Fri, 26 Sep 2003 13:55:48 +1000 Subject: [albatross-users] python 2.2-ism in httpdapp In-Reply-To: Message from Gregory Bond of "Fri, 26 Sep 2003 11:28:33 +1000." <200309260128.LAA00900@lightning.itga.com.au> References: <200309260128.LAA00900@lightning.itga.com.au> Message-ID: <20030926035548.E56283CA66@coffee.object-craft.com.au> >httpdapp.py (in 1.10) does > from urlparse import urlsplit >which is a 2.2-ism and breaks on my 2.1 installation. Ooooh - a 2.1 user! We were just about to break Albatross completely for you. It's been pointed out that our use of MD5 hashes is insecure, and that we should use HMAC, but the hmac module doesn't exist in 2.1. I'm reluctant to have the code silently fallback to MD5 when 2.1 is used because it gives people a false sense of security. We could include the python hmac module in the albatross source, I guess? Thoughts? -- Andrew McNamara, Senior Developer, Object Craft http://www.object-craft.com.au/ From andrewm at object-craft.com.au Fri Sep 26 14:00:19 2003 From: andrewm at object-craft.com.au (Andrew McNamara) Date: Fri, 26 Sep 2003 14:00:19 +1000 Subject: [albatross-users] Re: load_page_module patch In-Reply-To: Message from Dave Cole of "20 Sep 2003 19:45:19 +1000." References: <1063361888.14194.136.camel@localhost> Message-ID: <20030926040019.6294A3CA66@coffee.object-craft.com.au> [added cc to albatross-users] >You sent something slightly different to that. The current Albatross >is just plain wrong in the way that it loads page modules. It makes a >structured module space effectively flat. It also imports the modules >in a way that interferes with the Python module space. > >In the past I was of the opinion that page modules should be organised >such that they provided a "package" under the specified module_path. >I mentioned my position to Andrew and he was not really sure that >making page modules look like a package is a good idea. My concern is that both proposed solutions are fairly radical - we don't know all the consequences, and people won't appreciate us breaking their previously working scripts. I'd suggest we maintain a list of things we need to fix for the 2.0 release. In the mean time, maybe we can supply an alternate mixin that implements the proposed behaviour BTW, my objection to execfile is you lose the pre-compiled python byte code. I'll have to see if I can come up with a scheme that uses the normal import machinery, but imports into a synthetic __pages__ namespace or something. >Matt> Oh yeah, the patch contains some slightly quirky code. That >Matt> class Page stuff is the beginning of an experiment to simplify >Matt> the whole page module vs page class thing. I figured that if the >Matt> page module loader return a class that acted as a proxy to the >Matt> module then some of the other code could be simplified. > >I think that it might be a good way to manage the code from page >modules. There is no sensible way for the page to be cached >otherwise. Indeed. But it feels like we're just re-inventing modules... -- Andrew McNamara, Senior Developer, Object Craft http://www.object-craft.com.au/ From gnb at itga.com.au Fri Sep 26 14:42:30 2003 From: gnb at itga.com.au (Gregory Bond) Date: Fri, 26 Sep 2003 14:42:30 +1000 Subject: [albatross-users] python 2.2-ism in httpdapp In-Reply-To: Your message of Fri, 26 Sep 2003 13:55:48 +1000. Message-ID: <200309260442.OAA12688@lightning.itga.com.au> Personally, I'd be happy with a fall-back to MD5 and a warning at install time. We don't do anything security-sensitive here so MD5 vs HMAC is not a problem for us. And we will be on 2.3 at some point in the next few months.... From matt at pollenation.net Fri Sep 26 17:55:51 2003 From: matt at pollenation.net (Matt Goodall) Date: Fri, 26 Sep 2003 08:55:51 +0100 Subject: [albatross-users] next bit of confused insight In-Reply-To: References: <200309260054.KAA22018@lightning.itga.com.au> Message-ID: <3F73F107.9070606@pollenation.net> Dave Cole wrote: >>Were I to attack the problem of "make sure I have valid auth at all >>times", I'd do something like this (bearing in mind I use page >>objects, not page modules, and file-based server-side sessions for >>non-Random apps): >> >> - Create a base class for all my page objects (I do this anyway so >> I can put application-wide nav bars etc in) >> >> - This base class would have a page_process function like this >> >> def page_process(self, ctx): >> if not hasattr(ctx.locals, '_auth'): >> ctx.set_page('login') >> return >> if not valid_auth(ctx.locals._auth): >> ctx.set_page('login_expired') >> return >> self.sub_page_process(ctx) >> >> - 2 new pages, for initial login and for handling stale/expired auth >> credentials. These would set the ctx.locals._auth member into >> the session state and then set_page() to the main application >> page. These objects would NOT be a subclass of the above base! >> >> - All other pages subclass the page base and provide a >> sub_page_process() to do the actual navigation. >> >>This should ensure that the auth is checked and valid before any action is >>taken anywhere in the application. >> >> > >If you want to use page modules rather than page objects you can >put the behaviour into the application class. > Presumably your suggestion below would work for page objects too? >If you look at the run() method of the Albatross Application class (in >app.py) you will see a convenient place to place this sort of >functionality. > > def run(self, req): > '''Process a single browser request > ''' > ctx = None > try: > ctx = self.create_context() > ctx.set_request(req) > self.load_session(ctx) > self.load_page(ctx) > if self.validate_request(ctx): > self.merge_request(ctx) > self.process_request(ctx) > self.display_response(ctx) > self.save_session(ctx) > ctx.flush_content() > except Redirect, e: > self.save_session(ctx) > return ctx.send_redirect(e.loc) > except: > self.handle_exception(ctx, req) > return req.status() > >The thing to notice from the above is that the application will not >merge or process the browser request if it fails validation. Vanilla >Albatross does not perform any request validation as you can see from >the Application validate_request() method: > > def validate_request(self, ctx): > return 1 > Oh, that's much nicer than my suggestion of set_page() or page_enter(). Thanks for pointing it out Dave, I never though to look at what validate_request() actually does ;-). >You could subclass the Albatross application class and do something >like this (completely untested): > > def validate_request(self, ctx): > if not hasattr(ctx.locals, '_auth'): > ctx.set_page('login') > return 0 > if not valid_auth(ctx.locals._auth): > ctx.set_page('login_expired') > return 0 > Or ctx.redirect(...) for random apps. Cheers, Matt From matt at pollenation.net Fri Sep 26 18:42:59 2003 From: matt at pollenation.net (Matt Goodall) Date: Fri, 26 Sep 2003 09:42:59 +0100 Subject: [albatross-users] Re: load_page_module patch In-Reply-To: <20030926040019.6294A3CA66@coffee.object-craft.com.au> References: <1063361888.14194.136.camel@localhost> <20030926040019.6294A3CA66@coffee.object-craft.com.au> Message-ID: <3F73FC13.8010809@pollenation.net> Andrew McNamara wrote: >[added cc to albatross-users] > > > >>You sent something slightly different to that. The current Albatross >>is just plain wrong in the way that it loads page modules. It makes a >>structured module space effectively flat. It also imports the modules >>in a way that interferes with the Python module space. >> >>In the past I was of the opinion that page modules should be organised >>such that they provided a "package" under the specified module_path. >>I mentioned my position to Andrew and he was not really sure that >>making page modules look like a package is a good idea. >> >> > >My concern is that both proposed solutions are fairly radical - we don't >know all the consequences, and people won't appreciate us breaking their >previously working scripts. I'd suggest we maintain a list of things we >need to fix for the 2.0 release. > Good idea, I created the BugList wiki page: http://www.object-craft.com.au/projects/albatross/wiki/BugList Only one bug so far ;-) >In the mean time, maybe we can supply an >alternate mixin that implements the proposed behaviour > That's a good solution. I don't really mind how it's managed as long as I can get my code base back in line with your packages. >BTW, my objection to execfile is you lose the pre-compiled python >byte code. > Perhaps we should profile some typical apps to see what the performance hit is like? If it's not significant then perhaps this is not worth worrying about. Andrew, I think you mentioned something like a 3-4 times increase in page module load time which sounds really bad but is it really? CGI is the most likely to suffer but typically only one or two page modules will be loaded per request. How much of an overhead is that compared to loading the Python interpreter, standard Python modules, Albatross modules and other 3rd party modules the application uses? Gut feeling says it will not be that significant but I can't prove it. >I'll have to see if I can come up with a scheme that uses >the normal import machinery, but imports into a synthetic __pages__ >namespace or something. > I've already done this. It works but it feels very dirty, it's not a piece of code that makes you feel good ;-). I'll probably have the code in an email somewhere but I may have sent it to Dave already. Let me know if you want it again. Cheers, Matt From matt at pollenation.net Fri Sep 26 18:58:11 2003 From: matt at pollenation.net (Matt Goodall) Date: Fri, 26 Sep 2003 09:58:11 +0100 Subject: [albatross-users] Re: load_page_module patch In-Reply-To: <20030926040019.6294A3CA66@coffee.object-craft.com.au> References: <1063361888.14194.136.camel@localhost> <20030926040019.6294A3CA66@coffee.object-craft.com.au> Message-ID: <3F73FFA3.4070106@pollenation.net> Andrew McNamara wrote: >>Matt> Oh yeah, the patch contains some slightly quirky code. That >>Matt> class Page stuff is the beginning of an experiment to simplify >>Matt> the whole page module vs page class thing. I figured that if the >>Matt> page module loader return a class that acted as a proxy to the >>Matt> module then some of the other code could be simplified. >> >>I think that it might be a good way to manage the code from page >>modules. There is no sensible way for the page to be cached >>otherwise. >> >> > >Indeed. But it feels like we're just re-inventing modules.. > Nah, it's not reinventing modules. As Dave points out the page wrapper object is convenient for caching but Albatross only really cares about sending a certain message (page_process, page_display etc) to the page. Whether the page is a normal class instance or an object that proxies requests to functions of a module shouldn't matter. I admit I haven't had time to test my theory but I think the wrapper object approach can simplify the page mixins to the point where it's only the page object location (page_load) that actually differs. Anyway, it's obviously up to you what you feel is right. You guys have a much better understanding of the "big picture", Perhaps one day I'll find time to play with this some more ... not likely in the coming months though :(. Cheers, Matt From marc at informatik.uni-bremen.de Sat Sep 27 02:33:40 2003 From: marc at informatik.uni-bremen.de (Marc Recht) Date: Fri, 26 Sep 2003 18:33:40 +0200 Subject: [albatross-users] python 2.2-ism in httpdapp In-Reply-To: <20030926035548.E56283CA66@coffee.object-craft.com.au> References: <200309260128.LAA00900@lightning.itga.com.au> <20030926035548.E56283CA66@coffee.object-craft.com.au> Message-ID: <60540000.1064594020@leeloo.intern.geht.de> > Ooooh - a 2.1 user! We were just about to break Albatross completely > for you. It's been pointed out that our use of MD5 hashes is insecure, [...] > Thoughts? IMHO it is completely OK only to support the one preceding major version (2.2 at this point). This keeps the codebase clear. Just my 0.02 EUR... -- Marc Recht From esj at harvee.org Sun Sep 28 14:52:12 2003 From: esj at harvee.org (Eric S. Johansson) Date: Sun, 28 Sep 2003 00:52:12 -0400 Subject: [albatross-users] pushing and popping Message-ID: <3F7668FC.70205@harvee.org> following some ofthe suggestions I received, I restructured how I'm handling login. for example: def login_validation(self,context): # check for authentication authentication = login_authentication() if hasattr(context,'_albatross_authentication') and \ authentication.validate_token(context._albatross_authentication): # token is there and validates. Return to calling context return 1 syslog.syslog("let's go to authentication") #need to go off and do login authentication context.push_page('login') Application.validate_request=login_validation overwrites Application.validate_request's method with my code login_validation. It's cool and that my code transfers controlled to my login page, I enter my username and password and then, on submission nothing happens except and error message telling me I have premature end of script headers. It's not clear what's going on because neither of my two display objects appear to get executed. I suspect I have some form of fault happening very early on and I am puzzling on how to get a handle on the error. Any suggestions? Running the script by hand at the command line and paying attention to network dumps aren't helping. On the other hand, maybe getting some sleep might help (up to early, up too late, Mars is beautiful and has been all this opposition). ---eric From sheila at thinkspot.net Tue Sep 30 11:14:23 2003 From: sheila at thinkspot.net (Sheila King) Date: Mon, 29 Sep 2003 18:14:23 -0700 Subject: [albatross-users] Limitations of al-select and al-option Message-ID: <666375927.1064859263@localhost> Hello, I'm trying to implement a drop-down menu on a form, and either the al-select/al-option mechanism is rather limited, or I just don't understand something. Here is *my* understanding of the al-select, and please correct me if I am wrong: (1) If I have a list, such as optionlist, I can do the following to generate an entire drop-down select menu: However, the problem as far as I can see, with the above, is that I cannot get option tags that have a separate "value" attribute. For example, if I want to display to the web site visitor some text data, but I want to have the form return an integer (such as a category ID in a MySQL table), I cannot see how I could get that from the above structure? (2) I can't use an al-for to generate this either, as the al-select tag ignores any al-option tags that are not "direct children" of the al-select tag. So it appears that I cannot generate HTML code such as: If I'm missing something, and there is a way to generate HTML as shown above, please clue me in. Right now I'm getting around this by making extra MySQL queries to convert the text "option 1" into the integer value that I would really like the form to return for me. Thanks for any hints, -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From djc at object-craft.com.au Tue Sep 30 11:43:13 2003 From: djc at object-craft.com.au (Dave Cole) Date: 30 Sep 2003 11:43:13 +1000 Subject: [albatross-users] Limitations of al-select and al-option In-Reply-To: <666375927.1064859263@localhost> References: <666375927.1064859263@localhost> Message-ID: > I'm trying to implement a drop-down menu on a form, and either the > al-select/al-option mechanism is rather limited, or I just don't > understand something. > > Here is *my* understanding of the al-select, and please correct me if > I am wrong: > > (1) If I have a list, such as optionlist, I can do the following to > generate an entire drop-down select menu: > > That is correct. > However, the problem as far as I can see, with the above, is that I > cannot get option tags that have a separate "value" attribute. > > For example, if I want to display to the web site visitor some text > data, but I want to have the form return an integer (such as a > category ID in a MySQL table), I cannot see how I could get that from > the above structure? Have a closer look at the second example on this page: http://www.object-craft.com.au/projects/albatross/albatross/tag-select-optionexpr.html Unless I misunderstand what you are asking, it does exactly what you require. > (2) I can't use an al-for to generate this either, as the al-select > tag ignores any al-option tags that are not "direct children" of the > al-select tag. > > So it appears that I cannot generate HTML code such as: > > > > If I'm missing something, and there is a way to generate HTML as shown > above, please clue me in. Right now I'm getting around this by making > extra MySQL queries to convert the text "option 1" into the integer > value that I would really like the form to return for me. What you need to do is something similar to this in your Python code: c.execute('SELECT id, name FROM category') ctx.locals.optionlist = c.fetchall() ctx.run_template('something.html') When the tag sees that each item in the option list is a tuple it treats item differently. It uses the first element of each tuple as the option value and the second element as the content. - Dave -- http://www.object-craft.com.au From sheila at thinkspot.net Tue Sep 30 12:50:01 2003 From: sheila at thinkspot.net (Sheila King) Date: Mon, 29 Sep 2003 19:50:01 -0700 Subject: [albatross-users] Limitations of al-select and al-option In-Reply-To: References: <666375927.1064859263@localhost> Message-ID: <672114149.1064865001@localhost> --On Tuesday, September 30, 2003 11:43 AM +1000 Dave Cole wrote: > Have a closer look at the second example on this page: > > > http://www.object-craft.com.au/projects/albatross/albatross/tag-select-op > tionexpr.html > > Unless I misunderstand what you are asking, it does exactly what you > require. I knew it had to be me not catching on, as it just seemed so obvious someone would want that functionality. I do not know HOW I missed that second example previously, as I reviewed that page more than once. :/ Thank you very much for your prompt reply. You are right, that example does do exactly what I want. :) -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org >> (2) I can't use an al-for to generate this either, as the al-select >> tag ignores any al-option tags that are not "direct children" of the >> al-select tag. >> >> So it appears that I cannot generate HTML code such as: >> >> >> >> If I'm missing something, and there is a way to generate HTML as shown >> above, please clue me in. Right now I'm getting around this by making >> extra MySQL queries to convert the text "option 1" into the integer >> value that I would really like the form to return for me. > > What you need to do is something similar to this in your Python code: > > c.execute('SELECT id, name FROM category') > ctx.locals.optionlist = c.fetchall() > ctx.run_template('something.html') > > When the tag sees that each item in the option list is a > tuple it treats item differently. It uses the first element of each > tuple as the option value and the second element as the content. > > - Dave From sheila at thinkspot.net Tue Sep 30 17:40:15 2003 From: sheila at thinkspot.net (Sheila King) Date: Tue, 30 Sep 2003 00:40:15 -0700 Subject: [albatross-users] Having trouble implementing pagination Message-ID: <689528469.1064882415@localhost> OK, I'm tearing my hair out and am about to give up for tonight and go to bed. LOL. Should have probably done that a couple of hours ago. Oh, well. I just can't seem to get pagination with the al-for tag to work. I understand that I need some sort of sequence type that has both __len__ and __getitem__ methods. I'm returning a result of several rows in a MySQLdb object using the Dictionary Cursor types. A typical query result, after using fetchall() to get all the results, would be something like this: mydicts = ({'a': 1}, {'b': 2}) I have a class, that I use on individual dictionaries, such as the result of a fetchone() command, that works really nicely. That class works fine by itself. However, today I tried to make some kind of a class that is a list of those dictionary objects, because I want to iterate over them and use pagination. But I am totally unable to have any kind of success at this. I tried this: class myclass(list): def __getitem__(self, x): return self[x] But the above TOTALLY does not work and just recurses like mad until I hit the maximum recursion level. I tried a bunch of other stuff too. If someone can toss me a hint, I'd sure appreciate it. Thanks, -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org From alb-users at repose.cx Tue Sep 30 17:47:01 2003 From: alb-users at repose.cx (Damien Elmes) Date: Tue, 30 Sep 2003 17:47:01 +1000 Subject: [albatross-users] Having trouble implementing pagination In-Reply-To: <689528469.1064882415@localhost> (Sheila King's message of "Tue, 30 Sep 2003 00:40:15 -0700") References: <689528469.1064882415@localhost> Message-ID: <86r81yu304.fsf@mobile.repose.cx> Sheila King writes: > I tried this: > > class myclass(list): > def __getitem__(self, x): > return self[x] If you're inheriting from list, getitem should be defined already. ie: >>> class mylist(list): ... pass ... >>> m = mylist([1,2,3]) >>> m[2] 3 If you really wanted to do getitem manually, you'd want to call the super function - ie, list.__getitem__(self, x) If you were only creating a custom class for the purposes of providing those methods, you can probably skip it and just use a standard list (but I haven't played with albatross's pagination support before). Cheers, -- Damien Elmes From sheila at thinkspot.net Tue Sep 30 23:53:59 2003 From: sheila at thinkspot.net (Sheila King) Date: Tue, 30 Sep 2003 06:53:59 -0700 Subject: [albatross-users] Having trouble implementing pagination In-Reply-To: <86r81yu304.fsf@mobile.repose.cx> References: <689528469.1064882415@localhost> <86r81yu304.fsf@mobile.repose.cx> Message-ID: <711952543.1064904839@localhost> --On Tuesday, September 30, 2003 5:47 PM +1000 Damien Elmes wrote: > Sheila King writes: > >> I tried this: >> >> class myclass(list): >> def __getitem__(self, x): >> return self[x] > > If you're inheriting from list, getitem should be defined already. ie: > >>>> class mylist(list): > ... pass > ... >>>> m = mylist([1,2,3]) >>>> m[2] > 3 Actually, that is what I tried initially. Well, not as you have shown, but I created an empty list and then appended items to it. But Albatross later complained that my object had no __getitem__ method. I must've had something else wrong with my code. I will have to go back and look at it again tonight. > If you really wanted to do getitem manually, you'd want to call the > super function - ie, > > list.__getitem__(self, x) > > If you were only creating a custom class for the purposes of > providing those methods, you can probably skip it and just use a > standard list (but I haven't played with albatross's pagination > support before). Yes, I would think so, too. Which is why I tried that first. Oh well, will try again later tonight... Thanks for the sanity check. -- Sheila King http://www.thinkspot.net/sheila/ http://www.k12groups.org