From andrewm at object-craft.com.au Wed Mar 2 15:12:55 2005
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Wed, 02 Mar 2005 15:12:55 +1100
Subject: [albatross-users] How to configure Albatross auth with existing LDAP ?
In-Reply-To: <74077C8AA24C5047AA55164003DFBE88038DB262@exchange.universe.dart.spb>
References: <74077C8AA24C5047AA55164003DFBE88038DB262@exchange.universe.dart.spb>
Message-ID: <20050302041255.0BF7C3C74C@coffee.object-craft.com.au>

>How to configure Albatross auth with existing LDAP ?
>I know that it is possible to configure Apache to use LDAP, also it is
>possible to use LDAP directly in python using python-ldap. What is
>recommended way to handle authorization/authentication in web
>application with LDAP?

You could, of course, just have Apache authenticate via PAM and configure
PAM to use LDAP. If I remember correctly, Apache puts the authenticated
user name in an environment variable.

There are also python bindings for OpenLDAP - this is probably a better
way to go, since LDAP is good for far more than just authentication, and
this path would give you access to other LDAP data. Albatross doesn't
provide any support in this area.

--
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From luci at wolfheart.ro Sun Mar 6 01:31:08 2005
From: luci at wolfheart.ro (Luci Stanescu)
Date: Sat, 5 Mar 2005 16:31:08 +0200
Subject: [albatross-users] Module generated content inserted in template
Message-ID: <20050305143108.GB26150@odin.wolfheart.ro>

How can I insert in a template (or a response (but neither at beginning,
nor end)) the content generated by a module? I'm using
ModularSessionApp? Using an url in might work (I think),
but I'm not using RandomModularSessionApp (because I don't understand
how it works). It's the first time I use Albatross, so I don't know if what I
want is even possible, but I don't see why it wouldn't be.

Details:
I have a module called tree that generates some xml data with a tree.
I would like to use the output of this module in other modules (I want
to include the xml document fragment generated by the tree module in the xml
documents generated by other modules). Can't see how to do this at this
time.

Thank you for your help.

Luci Stanescu

From djc at object-craft.com.au Mon Mar 7 11:17:36 2005
From: djc at object-craft.com.au (Dave Cole)
Date: Mon, 07 Mar 2005 11:17:36 +1100
Subject: [albatross-users] Module generated content inserted in template
In-Reply-To: <20050305143108.GB26150@odin.wolfheart.ro>
References: <20050305143108.GB26150@odin.wolfheart.ro>
Message-ID: <422B9DA0.6030104@object-craft.com.au>

Luci Stanescu wrote:
> How can I insert in a template (or a response (but neither at beginning,
> nor end)) the content generated by a module? I'm using
> ModularSessionApp? Using an url in might work (I think),
> but I'm not using RandomModularSessionApp (because I don't understand
> how it works). It's the first time I use Albatross, so I don't know if what I
> want is even possible, but I don't see why it wouldn't be.
>
> Details:
> I have a module called tree that generates some xml data with a tree.
> I would like to use the output of this module in other modules (I want
> to include the xml document fragment generated by the tree module in the xml
> documents generated by other modules). Can't see how to do this at this
> time.
>
> Thank you for your help.

Shouldn't you just install the tree module in (or below) site-packages
and then import it in every page module that you wish to use the XML
fragment?
- Dave

--
http://www.object-craft.com.au

From toporov at dataart.com Sat Mar 12 04:18:16 2005
From: toporov at dataart.com (Denis Toporov)
Date: Fri, 11 Mar 2005 20:18:16 +0300
Subject: [albatross-users] sessions vars question
Message-ID: <74077C8AA24C5047AA55164003DFBE8803839D89@exchange.universe.dart.spb>

Hello,

it is very fun to work with server sessions in albatross.
for example I have session variable 'name'
I create local context variable ctx.locals.name = 'username'
Add it to session ctx.add_session_vars('name').

And after it I felt myself relaxed about value stored in session
'name' variable.

So I need this session variable value from time to time. I'm using
RandomModularSessionAppication.
In my code I have method:

def process_request(ctx):
    .....
    .....
    user.name = ctx.locals.name  #(I'm not sure that this is correct way how to get session variable value)
    ....
    ....

And actually this works. BUT if I add to browser request string
something like
http://host/mypage?name='qqqqqqq'

I have in my code that user name not 'username' any more, but
'qqqqqqq'.

So I cannot believe that it could be so "secure" have server side
session vars.
It's same to store session vars in input hidden fields in browser.

What's wrong with it?

From gabriel.cooper at mediapulse.com Sat Mar 12 05:29:12 2005
From: gabriel.cooper at mediapulse.com (Gabriel Cooper)
Date: Fri, 11 Mar 2005 13:29:12 -0500
Subject: [albatross-users] sessions vars question
In-Reply-To: <74077C8AA24C5047AA55164003DFBE8803839D89@exchange.universe.dart.spb>
References: <74077C8AA24C5047AA55164003DFBE8803839D89@exchange.universe.dart.spb>
Message-ID: <4231E378.6070506@mediapulse.com>

For a secured session variable, prepend the variable name with an
underscore to avoid this.

e.g. ``ctx.locals._name``

Denis Toporov wrote:

> Hello,
>
> it is very fun to work with server sessions in albatross.
> for example I have session variable 'name'
> I create local context variable ctx.locals.name = 'username'
> Add it to session ctx.add_session_vars('name').
>
> And after it I felt myself relaxed about value stored in session
> 'name' variable.
>
> So I need this session variable value from time to time. I'm using
> RandomModularSessionAppication.
> In my code I have method:
> def process_request(ctx):
>     .....
>     .....
>     user.name = ctx.locals.name  #(I'm not sure that this is correct
> way how to get session variable value)
>     ....
>     ....
>
> And actually this works. BUT if I add to browser request string
> something like
> http://host/mypage?name='qqqqqqq'
>
>
> I have in my code that user name not 'username' any more, but
> 'qqqqqqq'.
>
> So I cannot believe that it could be so "secure" have server side
> session vars.
> It's same to store session vars in input hidden fields in browser.
>
> What's wrong with it?
>

--
gabriel.cooper@mediapulse.com
internet developer
865.675.4455 x32
800.380.4514
www.mediapulse.com

From andrewm at object-craft.com.au Mon Mar 14 10:27:07 2005
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Mon, 14 Mar 2005 10:27:07 +1100
Subject: [albatross-users] sessions vars question
In-Reply-To: <74077C8AA24C5047AA55164003DFBE8803839D89@exchange.universe.dart.spb>
References: <74077C8AA24C5047AA55164003DFBE8803839D89@exchange.universe.dart.spb>
Message-ID: <20050313232707.ABEC33C74C@coffee.object-craft.com.au>

> for example I have session variable 'name'
> I create local context variable ctx.locals.name = 'username'
> Add it to session ctx.add_session_vars('name').
[...]
> And actually this works. BUT if I add to browser request string
>something like
> http://host/mypage?name='qqqqqqq'
>
> I have in my code that user name not 'username' any more, but
>'qqqqqqq'.
Gabriel has given you the correct answer, but to explain the motivation -
the session variables are sourced from both the URL and the posted form
inputs to allow navigation within apps to use URLs. It certainly makes
some types of application much easier, but for other types of application,
it's too dangerous. The leading underscore prevents that specific variable
accepting its value from a form submission.

With the benefit of hindsight, I now feel that this merging of context
with form submissions is too powerful to be safe. Done again, I think I
would provide separate form "workspace" and "application context"
namespaces.

--
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From toporov at dataart.com Wed Mar 23 02:56:29 2005
From: toporov at dataart.com (Denis Toporov)
Date: Tue, 22 Mar 2005 18:56:29 +0300
Subject: [albatross-users] Session and validate_request()
Message-ID: <74077C8AA24C5047AA55164003DFBE8803839DBF@exchange.universe.dart.spb>

Hi again,
it seems like I'm in trouble again:)
lets imagine I have modular random session application,
and initialize session variables in main script (specified as start_page
script in application
constructor) in validate_request() method.
I hoped that validate_request() called on each request.
The problem: if user have no actions for a while, session is dead
because of session timeout.
And if user try to request after dead session any page he gets an
exception, because of session is dead,
and no session variables any more. So he got no variable exception
trace.

The way to avoid this is to put check of session
variables existence in each .py module, but this is brute force method.
Is any smart solution already exists for this kind of problem?

thanks in advance,
denis
From andrewm at object-craft.com.au Thu Mar 24 22:19:30 2005
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Thu, 24 Mar 2005 22:19:30 +1100
Subject: [albatross-users] Session and validate_request()
In-Reply-To: <74077C8AA24C5047AA55164003DFBE8803839DBF@exchange.universe.dart.spb>
References: <74077C8AA24C5047AA55164003DFBE8803839DBF@exchange.universe.dart.spb>
Message-ID: <20050324111930.20BA73C252@coffee.object-craft.com.au>

>it seems like I'm in trouble again:)
>lets imagine I have modular random session application,

The random apps make my brain hurt, so I'm not surprised you're having
trouble.

>and initialize session variables in main script (specified as start_page
>script in application
>constructor) in validate_request() method.
>I hoped that validate_request() called on each request.
>The problem: if user have no actions for a while, session is dead
>because of session timeout.
>And if user try to request after dead session any page he gets an
>exception, because of session is dead,
>and no session variables any more. So he got no variable exception
>trace.
>
>The way to avoid this is to put check of session
>variables existence in each .py module, but this is brute force method.
>Is any smart solution already exists for this kind of problem?

The SessionServerContextMixin raises SessionExpired, which would be caught
in the top level script (around the bit that looks like
"app.run(Request())"). I would have expected this to also occur with
RandomPage apps, but I can't immediately see the code path that would
result in this happening.

Dave is the expert on the RandomPage stuff - I had hoped he would spot
your message and reply. Unfortunately, it will be Tuesday at least before
he replies - he's on leave now.
--
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/

From djc at object-craft.com.au Tue Mar 29 11:57:35 2005
From: djc at object-craft.com.au (Dave Cole)
Date: Tue, 29 Mar 2005 11:57:35 +1000
Subject: [albatross-users] Session and validate_request()
In-Reply-To: <74077C8AA24C5047AA55164003DFBE8803839DBF@exchange.universe.dart.spb>
References: <74077C8AA24C5047AA55164003DFBE8803839DBF@exchange.universe.dart.spb>
Message-ID: <4248B60F.4070109@object-craft.com.au>

Denis Toporov wrote:
> Hi again,
> it seems like I'm in trouble again:)
> lets imagine I have modular random session application,
> and initialize session variables in main script (specified as start_page
> script in application
> constructor) in validate_request() method.
> I hoped that validate_request() called on each request.
> The problem: if user have no actions for a while, session is dead
> because of session timeout.
> And if user try to request after dead session any page he gets an
> exception, because of session is dead,
> and no session variables any more. So he got no variable exception trace.
>
> The way to avoid this is to put check of session
> variables existence in each .py module, but this is brute force method.
> Is any smart solution already exists for this kind of problem?

Random access applications are inherently difficult. There is no
escaping that.

The best approach to this sort of problem is to make your own execution
context class that tests the contents of the session and enforce
exceptional processing in the absence of required variables.
Something like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
from albatross import RandomModularSessionApp, SessionAppContext
from albatross.cgiapp import Request

class AppContext(SessionAppContext):

    def assert_user(self):
        if not hasattr(self.locals, '_user'):
            self.redirect('login')

    def assert_something_else(self):
        self.assert_user()
        if not hasattr(self.locals, '_something_else'):
            self.redirect('somepage')

class App(RandomModularSessionApp):

    def create_context(self):
        return AppContext(self)

app = App(base_url='myapp',
          page_path='pages',
          start_page='login',
          secret='mysecret',
          session_appid='myapp')

if __name__ == '__main__':
    app.run(Request())
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then for each page you need to do something like this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
def page_process(ctx):
    ctx.assert_user()
    # prepare to display thispage

def page_display(ctx):
    ctx.run_template('thispage.html')
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The redirect method on the execution context will raise Redirect
exception that is handled within the normal application run() method.

Taking that sort of approach should make things easier. Once that is
working you might want to be able to go back to the originally requested
page.
You could probably do that by doing something similar to the
following:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
class AppContext(SessionAppContext):

    def memo_redirect(self, page):
        # Remember the page that was being requested before redirecting
        self.locals._memo_page = self.locals.__page__
        self.add_session_vars('_memo_page')
        self.redirect(page)

    def memo_restore(self):
        try:
            page = self.locals._memo_page
        except AttributeError:
            # No remembered page: the caller continues normal processing
            return
        self.del_session_vars('_memo_page')
        self.redirect(page)

class App(RandomModularSessionApp):

    def load_page_module(self, ctx, page):
        RandomModularSessionApp.load_page_module(self, ctx, page)
        ctx.locals.__page__ = page
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Then instead of calling redirect() in your assert methods you would call
memo_redirect(). The extension of the load_page_module() method is
required because (for some reason) Albatross does not seem to be
maintaining __page__ for random applications.

In the page_process() function for the assertion handling pages you can
then call ctx.memo_restore(). If the method returns then the user was
not visiting the page in response to an assertion, so some sort of
normal application processing would need to be performed.

Hopefully that makes sense. Note that none of the above code has been
tested - it is only provided as an illustration.

- Dave

--
http://www.object-craft.com.au

From rmfendt at web.de Tue Mar 29 01:10:29 2005
From: rmfendt at web.de (Robert Fendt)
Date: Mon, 28 Mar 2005 17:10:29 +0200
Subject: [albatross-users] xhtml 'strict' conformance
Message-ID: <20050328171029.7ffbe57c@vulcan>

Hi all,

I have a suggestion for a slight change of the behaviour of the tag.
Depending on what Context class one is using, hidden -tags containing
__albform__ and/or __albstate__ are appended just before closing the form.
Since in 'strict' XHTML putting an tag directly inside a
is illegal, I would suggest enclosing the tag with a
. Since the contents are not rendered (they are hidden, after all), the
produces a box of zero proportions and therefore should not hurt (tested
with Gecko, KHTML and Opera engines, could anyone check on IE?).

What do you think? At the moment I have patched my albatross copy, but I
find that a sub-optimal solution (since I have to pin the package on my
system or it might be overwritten in the future, preventing it from getting
future bugfixes).

Regards,
Robert
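
The session-variable override from the "sessions vars question" thread earlier in this archive, as an added example that is not part of any poster's message and is not Albatross code. It is a stand-alone model of the behaviour described there: request fields merged into the same namespace as session values, the leading-underscore guard, and the separate "workspace" and "application context" namespaces suggested in the thread. The names `MergedContext`, `SplitContext`, `request_fields`, `shadowed` and `demo`, and the sample session and URL, are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

def request_fields(url):
    """Query-string fields of a request URL, as a dict (last value wins)."""
    return dict(parse_qsl(urlsplit(url).query))

class MergedContext:
    """Toy model (not Albatross code): one namespace for session and request."""
    def __init__(self, session):
        self.locals = dict(session)           # session values are loaded first

    def merge_request(self, url):
        for key, value in request_fields(url).items():
            if key.startswith('_'):           # underscore names never come from the request
                continue
            self.locals[key] = value          # any other name overwrites the session value

class SplitContext:
    """Separate form "workspace" and "application context" namespaces."""
    def __init__(self, session):
        self.app = dict(session)              # server-side state, never request-writable
        self.form = {}                        # untrusted request input only

    def merge_request(self, url):
        self.form.update(request_fields(url))

def shadowed(session, url):
    """Session variables that this request would overwrite under the merged model."""
    return sorted(k for k in request_fields(url)
                  if k in session and not k.startswith('_'))

def demo(url):
    # Constructed session: the same value stored with and without the underscore.
    session = {'name': 'username', '_name': 'username'}
    merged = MergedContext(session)
    merged.merge_request(url)
    split = SplitContext(session)
    split.merge_request(url)
    return (merged.locals['name'], merged.locals['_name'],
            split.app['name'], split.form['name'], shadowed(session, url))

if __name__ == '__main__':
    # Constructed request, modelled on the URL in the original question.
    print(demo('http://host/mypage?name=qqqqqqq&_name=qqqqqqq&page=2'))
```

A check like `shadowed()` run over request logs shows which requests carry fields that collide with session variable names, which is where an unprefixed session variable would have been replaced.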