Hi ZMS developers,

I read this thread and thought generating this sort of information should be
possible mostly using ZMS API methods.

The aspect of multiple links to the same URL can be prevented when using
getHref2IndexHtml(REQUEST, deep=0). Indeed the parameter 'deep' is true by
default and this method traverses to the first object containing objects of type
PAGEELEMENTS. Folders that contain just other folders do not contain
PAGEELEMENTS.

To filter certain types AND pay regard to custom developed ZMS types you should
consider those API methods:

getType()
isPageContainer()
isPage()
isPageElement()
isMetaType()


If I run these methods on a 'ZMSFolder' I get these results:

type: ZMSDocument
meta_id: ZMSFolder
isMetaType(PAGES): True
isPage: True
isPageElement: False
isPageContainer: True

If I run these methods on a 'ZMSDocument' I get these results:

type: ZMSDocument
meta_id: ZMSDocument
isMetaType(PAGES): True
isPage: True
isPageElement: False
isPageContainer: True

Both 'ZMSFolder' and 'ZMSDocument' return 'ZMSDocument' as their ZMS type - they
just differ in attribute 'meta_id'.

Furthermore the code does not need to call isActive() on every item in the
innermost loop since the call to filteredTreeNodes() calls isVisible()
internally. This method checks for active items and checks multi-language topics
as well (read the source) since the outermost loop is for multi-language ZMS
sites. Nils/syndicat code does checking for isActive() as well.

The latest code for skipping certain folders can be replaced with a call to:

filteredChildNodes(meta_types=PAGES) - to scan for any item with ZMS Type PAGE

filteredChildNodes(meta_types=['ZMSDocument']) - to make sure any PAGE item
contains at least one ZMSDocument / or any other list of types

filteredChildNodes(meta_types=PAGEELEMENTS) - if a PAGE element contains a
single PAGEELEMENT this expression is true - (I think this is the requirement of
Sebastian - but the filtering approaches of Sebastian and Torsten differed)

I placed a code sample at Gist that does the filtering that was required - but
it is a developer version that lists meta_id and URL for every item as well.
Remove them for production use.
https://gist.github.com/1718080

At least the example shows that the API available misses expressiveness in this
certain use case.

I found a function isPageWithElements() in module zmscontainerobject.py. This
should be available as an instance method - that could do the filtering in the
innermost loop.
Furthermore filteredTreeNodes() is not possible to skip 'resource' objects. This
has to be done in the innermost loop as well.
For another use case to query all tree objects it lacks the possibility to
return inactive/invisible objects by unconditionally calling isVisible()
internally.

Good luck with your sitemaps!

--- In zms-developers@yahoogroups.com, Sebastian Tänzer <st@...> wrote:
>
> Hi Thorsten,
>
> great to hear. I thought about the dynamic generation which actually isn't too
hard to do:
>
> request = container.REQUEST
> response =  request.response
>
> nodes = context.filteredChildNodes()
>
> folder_types = []
>
> meta = context.content.getMetaobjIds()
> for m in meta:
>     obj = context.getMetaobj(m)
>     if obj['type'] == 'ZMSDocument':
>         folder_types.append( obj['id'] )
>
> content = []
>
> for n in nodes:
>     if n.meta_id not in folder_types:
>         content.append(n.meta_id)
>
> if content:
>     return True
> else:
>     return False
>
>
> Am 27.01.2012 um 12:36 schrieb Thorsten Weber:
>
> > Hi Sebastian,
> >
> >
> > that´s what i thought ...
> >
> > thanks for sharing the script - works perfect for me!
> >
> > a way to optimize might be to build the list of folder_types dynamically
from metaobj_manager.
> >
> >
> > kind regards,
> > Thorsten Weber
> >
> > 			 thorsten weber
> > 			 software development
> >
> > 			 pro in space gmbh
> > 			 spichernstrasse 34a
> > 			 50672 köln
> >
> > 			 tweber@...
> > 			 http://www.proinspace.com
> >
> > 			 T: 0049 221.29 21 79.26
> > 			 F: 0049 221.29 21 79.94
> >
> > 			 managing directors:
> > 			 uli wilkes
> > 			 jürgen brandt
> > 			 oliver blaum
> >
> > 			 amtsgericht köln
> > 			 hrb 33 444
> > 			 ust-idnr DE209049800
> >
> > Am 27.01.2012 um 12:12 schrieb Sebastian Tänzer:
> >
> >>
> >> I found the problem:
> >>
> >> getHref2IndexHtml() generated the URL of the next child if the parent
doesn't have any content (i.e. there's only folders in there).
> >> I solved this for now by using a python script checking for content like
this:
> >>
> >> request = container.REQUEST
> >> response = request.response
> >>
> >> nodes = context.filteredChildNodes()
> >> folder_types = ['ZMSFolder', 'ZMSDocument']
> >> content = []
> >>
> >> for n in nodes:
> >> if n.meta_id not in folder_types:
> >> content.append(n.meta_id)
> >>
> >> if content:
> >> return True
> >> else:
> >> return False
> >>
> >> and including it in the sitemap generation:
> >>
> >> ...
> >> <dtml-in "content.filteredTreeNodes(REQUEST=REQUEST,
meta_types=['ZMSFolder'])">
> >> <dtml-if "checkContent() and not isResource(REQUEST) and
isActive(REQUEST)">
> >> <url>
> >> <loc><dtml-var domain><dtml-var "getHref2IndexHtml(REQUEST)"
html_quote></loc>
> >> <lastmod><dtml-var "getLangFmtDate(ZopeTime(),'eng','%Y-%m-%d')"></lastmod>
> >> <dtml-comment><lastmod><dtml-var
"getLangFmtDate(getObjProperty('change_dt',REQUEST),'eng','%Y-%m-%d')"></lastmod\
></dtml-comment>
> >> <dtml-if
"getObjProperty('attr_zmsgoogle_bot_priority',REQUEST)"><priority><dtml-var
"getObjProperty('attr_zmsgoogle_bot_priority',REQUEST)"
fmt="%.5f"></priority><dtml-else></dtml-if>
> >> <dtml-if
"getObjProperty('attr_zmsgoogle_bot_changefreq',REQUEST)"><changefreq><dtml-var
"getObjProperty('attr_zmsgoogle_bot_changefreq',REQUEST)"></changefreq><dtml-els\
e></dtml-if>
> >> </url>
> >> </dtml-if>
> >> </dtml-in>
> >> ...
> >>
> >> This works as expected for now.
> >>
> >> Optimizations highly welcome!
> >>
> >> Cheers, Sebastian
> >>
> >> Am 27.01.2012 um 11:32 schrieb Niels Dettenbach:
> >>
> >> > Am Freitag, 27. Januar 2012, 11:12:28 schrieben Sie:
> >> >> any idea about the double output of some folders?
> >> > ...not yet, as i can't reproduce this (at least with my published
version).
> >> >
> >> > Will check this (i.e. if it relies on some hidden folders or something
like
> >> > that) on wednesday next week in detail and come back then.
> >> >
> >> >
> >> > best regards,
> >> >
> >> >
> >> > Niels.
> >> > --
> >> > ---
> >> > Niels Dettenbach
> >> > Syndicat IT&Internet
> >> > http://www.syndicat.com/
> >>
> >
> >
> >
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Thorsten Weber <tweber@...> schrieb:

>It seems as if a script (like onChangeObjEvt) is triggered from
>ZMSAuthors it does not have the right to execute localfs_commands.
>
>Is there a quick fix for that?

hmm,
such things are usually done inn Zope by assigning proxy roles to the accessing
method etc..

Another way could be setting up an own product just allowing the things to roles
you require - overriding the acls in existing objects without to touch them.


hth
best regards,


Niels.
- --
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iIEEAREIAEEFAk9h+J46HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDbCwAJsFG+feOkvT
DRcXv6ADv1NHeSgPeACggGAUQBnKxsjz6t7PmRTYE8OFFJ4=
=j1JD
-----END PGP SIGNATURE-----

Hi Niels,
what you did as well is giving a script all zope permissions available. This
script is available for anybody in the web. With this script you access
resources in your file system.

Welcome to secure web applications. Hello OWASP Top 10 Security Risks.

Zope has a lot of secure answers for that stuff. If you want to know, why this
worked in ZMS a couple of months ago and what you really need to do, ask me. But
I am not sure, if you need a quick fix or a secure solution for your customers.

Sascha

--- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@...> wrote:
>
> Hi Niels,
>
> that does the trick ! :)
> i forgot that one can assign the proxy role manager to the onChangeObjEvent
methode as well.
>
> thanx !
>
>
> kind regards, Thorsten
>
>
>
> Am 15.03.2012 um 15:11 schrieb Niels Dettenbach (Syndicat IT&Internet):
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Thorsten Weber <tweber@...> schrieb:
> >
> > >It seems as if a script (like onChangeObjEvt) is triggered from
> > >ZMSAuthors it does not have the right to execute localfs_commands.
> > >
> > >Is there a quick fix for that?
> >
> > hmm,
> > such things are usually done inn Zope by assigning proxy roles to the
accessing method etc..
> >
> > Another way could be setting up an own product just allowing the things to
roles you require - overriding the acls in existing objects without to touch
them.
> >
> > hth
> > best regards,
> >
> > Niels.
> > - --
> > Niels Dettenbach
> > Syndicat IT&Internet
> > http://www.syndicat.com
> > -----BEGIN PGP SIGNATURE-----
> > Version: APG v1.0.8
> >
> > iIEEAREIAEEFAk9h+J46HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
> > dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDbCwAJsFG+feOkvT
> > DRcXv6ADv1NHeSgPeACggGAUQBnKxsjz6t7PmRTYE8OFFJ4=
> > =j1JD
> > -----END PGP SIGNATURE-----
> >
> >
>

Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:

> what you did as well is giving a script all zope permissions available. This

> script is available for anybody in the web. With this script you access

> resources in your file system. 

...shure it does - so it is very (!) important to know what the script does and allows by theory and in practice...

> Zope has a lot of secure answers for that stuff. If you want to know, why

> this worked in ZMS a couple of months ago and what you really need to do,

> ask me. But I am not sure, if you need a quick fix or a secure solution for

> your customers. 

Can you give some more details or examples? "a lot of " is really nothing more then helpless to anyone here on the list...

cheers,

Niels.

--

---

Niels Dettenbach

Syndicat IT & Internet

http://www.syndicat.com

---

Hi Thorsten,
Zope Products (in your case: ZMS) offer an API that is available to restricted
code if the required permission can be acquired in the request context.

ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
'localfs_command' as a public method  without requiring any permission from the
user/context to call it. As of today this method is not available anymore as a
result of a former security review.

That most probably means, that not the call of the method 'locafs_command' is
raising an exception, but the code in your method 'onChangeObjEvt'. Please
provide the traceback to your problem - without I am just guessing. I do not
want to guess.

Another hint - during development please change your zope instance to use
'Verbose Security'. Now a security exception tells you exactly what permission
is required and more. This link shows how to change zope.conf
(http://plone.org/documentation/kb/debug-unauthorized)

If you don't mind provide some application details to your next answer. Please
do not forget the traceback. And if you do not mind tell me more about the task
you are trying to do.



@Nils: I accidently addressed the last answer to you.

A more secure way would be just to find out which permission is needed and to
give this permission to a user. This applies to existing zope permissions
currently not available to ZMSAuthor.

Another way would be to register a new permission in your application and add it
to custom ZMS roles. In your script you could use Zope's API method
checkPermission() or similar to verify that the caller has this permission. Now
it is up to a zope administrator to provide this permission to certain users.

If more methods in ZMS like 'localfs_command' had a proper permission
requirement, it would be more easy to application developers to provide the
permissions needed. Usual zope products contain code like this.

security.declareProtected(permissionName, methodName)

source:
http://docs.zope.org/zope2/zdgbook/Security.html#implementing-security-in-python\
-products

Users need this permission to call this method from restriced code (like any
python script in ZODB). With this in mind - access control to application logic
is a matter of user administration.


That restriction does not apply to file system code like Zope products - but ZMS
developers usually implement business logic in restricted code. That's why it is
important to know the stuff mentioned above.

Looking forward to see the traceback,
Sascha


--- In zms-developers@yahoogroups.com, Niels Dettenbach <nd@...> wrote:
>
> Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:
> > what you did as well is giving a script all zope permissions available. This
> > script is available for anybody in the web. With this script you access
> > resources in your file system.
> ...shure it does - so it is very (!) important to know what the script does
> and allows by theory and in practice...
>
> > Zope has a lot of secure answers for that stuff. If you want to know, why
> > this worked in ZMS a couple of months ago and what you really need to do,
> > ask me. But I am not sure, if you need a quick fix or a secure solution for
> > your customers.
>
> Can you give some more details or examples? "a lot of " is really nothing more
> then helpless to anyone here on the list...
>
>
> cheers,
>
>
> Niels.
> --
>  ---
>  Niels Dettenbach
>  Syndicat IT & Internet
>  http://www.syndicat.com
>  ---
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Sascha Gottfried <sascha.gottfried@...> schrieb:

>ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
>'localfs_command' as a public method  without requiring any permission
>from the user/context to call it. As of today this method is not
>available anymore as a result of a former security review.

Ok, this - shurely - did not makes sense from a security perspective view and
disabling that was the right way to react here. My recommendations was targeting
a more general level. Proxy roles could be widely compared to unix suid - which
could be very helpful but very dangerous if you handle it not wisely...


>@Nils: I accidently addressed the last answer to you.
ahh, mhhmkay - no prob... ß)

But anyhow, your detailed explanation about localfs-command within ZMS was very
interesting and helpful too.

Many thanks and have a nice evening,


Niels.

- --
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iIEEAREIAEEFAk97K+k6HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDQ41AJ9eEgzgkN5O
W7NB/2iUO6tllUybtgCcD9rVVAgr/TnEolMwjr1r+R5jviA=
=NKK7
-----END PGP SIGNATURE-----

Hi Niels,
your comparison of zope proxy roles with unix suid made me really curious. I
need to think about what I read online.

A difference is definitely that a linux application/script in the filesystem is
not available to unauthorized users. A Zope python script COULD be available to
unauthorized users per direct URL traversal.

http://your_zope_root/path_to_zms/content/proxy_roled_script?param1=value1

I think a python script that evaluates parameters from the request is even more
dangerous if proxy roled as manager. A developer needs to make careful
assertions on the values provided to this script or at least manage access
control to this script.

Anyway, I am waiting for Thorsten submitting his traceback.

Sascha

--- In zms-developers@yahoogroups.com, "Niels Dettenbach (Syndicat IT&Internet)"
<nd@...> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>
> Sascha Gottfried <sascha.gottfried@...> schrieb:
>
> >ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
> >'localfs_command' as a public method  without requiring any permission
> >from the user/context to call it. As of today this method is not
> >available anymore as a result of a former security review.
>
> Ok, this - shurely - did not makes sense from a security perspective view and
disabling that was the right way to react here. My recommendations was targeting
a more general level. Proxy roles could be widely compared to unix suid - which
could be very helpful but very dangerous if you handle it not wisely...
>
>
> >@Nils: I accidently addressed the last answer to you.
> ahh, mhhmkay - no prob... ß)
>
> But anyhow, your detailed explanation about localfs-command within ZMS was
very interesting and helpful too.
>
> Many thanks and have a nice evening,
>
>
> Niels.
>
> - --
> Niels Dettenbach
> Syndicat IT&Internet
> http://www.syndicat.com
> -----BEGIN PGP SIGNATURE-----
> Version: APG v1.0.8
>
> iIEEAREIAEEFAk97K+k6HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
> dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDQ41AJ9eEgzgkN5O
> W7NB/2iUO6tllUybtgCcD9rVVAgr/TnEolMwjr1r+R5jviA=
> =NKK7
> -----END PGP SIGNATURE-----
>

Hi Thorsten,

your traceback has no details about the line of YOUR code that is raising this
traceback. A full traceback is usually in event.log in the filesystem (in
INSTANCE_HOME/log/)

This is where i read the source code for your version.

http://zmslabs.org/trac/browser/ZMS/trunk?rev=1047
http://zmslabs.org/trac/browser/ZMS/trunk/ZMSGlobals.py?rev=1047

Both localfs_write() and localfs_command in this revision are just thin wrappers
(3 lines) for common python code PLUS a simple log message. In ZMS 'debug' mode
they write a log message to your log file. Add error_log and enable 'debug' mode
in your ZMS instance. Remove NotFound and Unauthorized from the ignored
exception in error_log. Then check error_log object and event.log in filesystem
for information while your application is working with the object that is
calling 'onChangeObjEvt()'.

This way you should see which call raised the exception or at least what did not
raise the exception.

Much better would be debugging this code - you are able to do this with
http://pypi.python.org/pypi/Products.PDBDebugMode ? With this product an import
of the pdb module is also allowed in unprotected code such as python scripts. If
you already used pdb go for it!

Another pointer you provided is that you are the anonymous user. What kind of
authentication you are using? Please provide name and version of additional zope
products you are using for this - like cookiecrumbler or simpleuserfolder or
similiar.

If you investigate more I will do too.
Now I will setup a zope instance and provide a verbose security log message this
evening or tomorrow.

See you later.
Sascha

--- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@...> wrote:
>
> Hello again,
>
> I just proceeded as suggested by Sascha and activated verbose-security (
zope.conf, line 622 )
>
>     security-policy-implementation python
>     verbose-security on
>
> when calling the onChangeObjEvt i find this as Traceback in error_log
>
>
> Time 2012/04/12 16:07:42.074109 GMT+2
> User Name (User Id) Anonymous User (None)
> Request URL http://my_nackend_url/content/e94/manage_main
> Exception Type Unauthorized
> Exception Value <strong>You are not authorized to access this
resource.</strong>
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 116, in publish
>   Module ZPublisher.BaseRequest, line 609, in traverse
>   Module ZPublisher.HTTPResponse, line 718, in unauthorized
> Unauthorized: <strong>You are not authorized to access this resource.</strong>
>
> This does not say so much to me ... does this help in any way? ( or did i miss
something? )
>
> but it is strange that the User is Anonymous !
>
>
>
> kind regards,
> Thorsten Weber
>
>
> Am 04.04.2012 um 09:51 schrieb Thorsten Weber:
>
> > Hello Sascha,
> >
> >
> > thanks a lot for your detailed and very insightful explanation!
> > and you are probably right concerning the exception - which might be raised
silently.
> >
> > until the 10. of april I'm out of the office ...
> > but i will come back to this as soon as possible and will apply verbose
security on a dev instance and provide the traceback.
> >
> >
> > this for now:
> >
> > ZMS: ZMS2 2.12.1.1047 (Build #132e)
> > ZOPE: (2.12.3, python 2.5.2, linux2)
> > PYTHON: 2.5.2
> >
> > we generate some xml to feed a flash application when storing an object
within zms and store it in local filesystem (for performance reasons)
> > (localfs_write(path_to_xml, xml_structur_text, mode='b'))
> >
> > and purge that object from cache afterwards
> > (localfs_command('/usr/bin/squidclient  -h my_squid_ipaddress  -p 80 -m
PURGE http://my_frontend_url')
> >
> > all triggered by onChangeObjEvt
> >
> > but we were facing the problem that the method seems not have the right to
execute the commands
> > 1. write the new xml file
> > 2. calling the squidclient
> >
> > Giving proxy manager rights to that method solved the problem so far.
> >
> >
> > but from a web application developer view one may expect that these
"batteries" might be included within these zms-api calls
> > if only when called by with a rather privileged account as ZMSAuthor   ...
no?
> >
> >
> > kind regards,
> > Thorsten Weber
> >
> >
> >
> > Am 03.04.2012 um 16:10 schrieb Sascha Gottfried:
> >
> >>
> >> Hi Thorsten,
> >> Zope Products (in your case: ZMS) offer an API that is available to
restricted code if the required permission can be acquired in the request
context.
> >>
> >> ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
'localfs_command' as a public method without requiring any permission from the
user/context to call it. As of today this method is not available anymore as a
result of a former security review.
> >>
> >> That most probably means, that not the call of the method 'locafs_command'
is raising an exception, but the code in your method 'onChangeObjEvt'. Please
provide the traceback to your problem - without I am just guessing. I do not
want to guess.
> >>
> >> Another hint - during development please change your zope instance to use
'Verbose Security'. Now a security exception tells you exactly what permission
is required and more. This link shows how to change zope.conf
(http://plone.org/documentation/kb/debug-unauthorized)
> >>
> >> If you don't mind provide some application details to your next answer.
Please do not forget the traceback. And if you do not mind tell me more about
the task you are trying to do.
> >>
> >> @Nils: I accidently addressed the last answer to you.
> >>
> >> A more secure way would be just to find out which permission is needed and
to give this permission to a user. This applies to existing zope permissions
currently not available to ZMSAuthor.
> >>
> >> Another way would be to register a new permission in your application and
add it to custom ZMS roles. In your script you could use Zope's API method
checkPermission() or similar to verify that the caller has this permission. Now
it is up to a zope administrator to provide this permission to certain users.
> >>
> >> If more methods in ZMS like 'localfs_command' had a proper permission
requirement, it would be more easy to application developers to provide the
permissions needed. Usual zope products contain code like this.
> >>
> >> security.declareProtected(permissionName, methodName)
> >>
> >> source:
> >>
http://docs.zope.org/zope2/zdgbook/Security.html#implementing-security-in-python\
-products
> >>
> >> Users need this permission to call this method from restriced code (like
any python script in ZODB). With this in mind - access control to application
logic is a matter of user administration.
> >>
> >> That restriction does not apply to file system code like Zope products -
but ZMS developers usually implement business logic in restricted code. That's
why it is important to know the stuff mentioned above.
> >>
> >> Looking forward to see the traceback,
> >> Sascha
> >>
> >> --- In zms-developers@yahoogroups.com, Niels Dettenbach <nd@> wrote:
> >> >
> >> > Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:
> >> > > what you did as well is giving a script all zope permissions available.
This
> >> > > script is available for anybody in the web. With this script you access
> >> > > resources in your file system.
> >> > ...shure it does - so it is very (!) important to know what the script
does
> >> > and allows by theory and in practice...
> >> >
> >> > > Zope has a lot of secure answers for that stuff. If you want to know,
why
> >> > > this worked in ZMS a couple of months ago and what you really need to
do,
> >> > > ask me. But I am not sure, if you need a quick fix or a secure solution
for
> >> > > your customers.
> >> >
> >> > Can you give some more details or examples? "a lot of " is really nothing
more
> >> > then helpless to anyone here on the list...
> >> >
> >> >
> >> > cheers,
> >> >
> >> >
> >> > Niels.
> >> > --
> >> > ---
> >> > Niels Dettenbach
> >> > Syndicat IT & Internet
> >> > http://www.syndicat.com
> >> > ---
> >> >
> >>
> >
> >
> >
>

An additional note to my fist reply.

I did setup a clean Zope 2.13.13/ZMS 2.13.4 using zc.buildout. I enabled
verbose-security and the python security implementation and wrote a small python
script that should call a common ObjectManager method that REQUIRES the user to
have a special permission 'import_export_objects'. Before running this sample
you need to edit  error_log in Zope Root Folder, remove 'Unauthorized' from
'ignored exception types' and enable 'Copy exceptions to the event log'. Usually
this permission is assigned to role Manager. When running this script as
anonymous user with a valid id pointing to an item in this folder the security
policy is raising the exception below.


-> export.py - in line number 8
context.manage_exportObject(id=id, download=True)



-> OFS.ObjectManager.py

security.declareProtected(import_export_objects, 'manage_exportObject')
def manage_exportObject(self, id='', download=None, toxml=None,
                             RESPONSE=None,REQUEST=None):
     """Exports an object to a file and returns that file."""


-> event.log

2012-04-18 14:24:29 ERROR Zope.SiteErrorLog 1334751869.040.833954688385
http://localhost:8080/sites/export
Traceback (innermost last):
   Module ZPublisher.Publish, line 126, in publish
   Module ZPublisher.mapply, line 77, in mapply
   Module ZPublisher.Publish, line 46, in call_object
   Module Shared.DC.Scripts.Bindings, line 322, in __call__
   Module Shared.DC.Scripts.Bindings, line 359, in _bindAndExec
   Module Products.PythonScripts.PythonScript, line 344, in _exec
   Module script, line 8, in export
    - <PythonScript at /sites/export>
    - Line 8
   Module AccessControl.ImplPython, line 716, in guarded_getattr
   Module AccessControl.ImplPython, line 658, in aq_validate
   Module AccessControl.ImplPython, line 552, in validate
   Module AccessControl.ImplPython, line 450, in validate
   Module AccessControl.ImplPython, line 797, in raiseVerbose
Unauthorized: Your user account does not have the required permission.  Access
to 'manage_exportObject' of (Folder at /sites) denied. Your user account,
Anonymous User, exists at

/acl_users. Access requires Import_Export_objects_Permission, granted to the
following roles: ['Manager']. Your roles in this context are ['Anonymous'].

This information really helps a lot. The line in my one-liner (export - line 8)
is identified, you can see that the python security implementation is handling
the security check caused by the security attributes of method definition 
OFS.ObjectManager.manage_exportObject()

The accessed method 'manage_exportObject' is mentioned and even the object that
was used (Folder at /sites). The current user is specified, followed by the user
folder.  At last the security framework tells you details about the current
permission/role mapping,  even providing you with details about your current
roles. I could not imagine a more useful message.

Try this and provide a traceback as shown above. Then we do not guess anymore.


Good luck.
Sascha

--- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@...> wrote:
>
> Hello again,
>
> I just proceeded as suggested by Sascha and activated verbose-security (
zope.conf, line 622 )
>
>     security-policy-implementation python
>     verbose-security on
>
> when calling the onChangeObjEvt i find this as Traceback in error_log
>
>
> Time 2012/04/12 16:07:42.074109 GMT+2
> User Name (User Id) Anonymous User (None)
> Request URL http://my_nackend_url/content/e94/manage_main
> Exception Type Unauthorized
> Exception Value <strong>You are not authorized to access this
resource.</strong>
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 116, in publish
>   Module ZPublisher.BaseRequest, line 609, in traverse
>   Module ZPublisher.HTTPResponse, line 718, in unauthorized
> Unauthorized: <strong>You are not authorized to access this resource.</strong>
>
> This does not say so much to me ... does this help in any way? ( or did i miss
something? )
>
> but it is strange that the User is Anonymous !
>
>
>
> kind regards,
> Thorsten Weber
>
>
> Am 04.04.2012 um 09:51 schrieb Thorsten Weber:
>
> > Hello Sascha,
> >
> >
> > thanks a lot for your detailed and very insightful explanation!
> > and you are probably right concerning the exception - which might be raised
silently.
> >
> > until the 10. of april I'm out of the office ...
> > but i will come back to this as soon as possible and will apply verbose
security on a dev instance and provide the traceback.
> >
> >
> > this for now:
> >
> > ZMS: ZMS2 2.12.1.1047 (Build #132e)
> > ZOPE: (2.12.3, python 2.5.2, linux2)
> > PYTHON: 2.5.2
> >
> > we generate some xml to feed a flash application when storing an object
within zms and store it in local filesystem (for performance reasons)
> > (localfs_write(path_to_xml, xml_structur_text, mode='b'))
> >
> > and purge that object from cache afterwards
> > (localfs_command('/usr/bin/squidclient  -h my_squid_ipaddress  -p 80 -m
PURGE http://my_frontend_url')
> >
> > all triggered by onChangeObjEvt
> >
> > but we were facing the problem that the method seems not have the right to
execute the commands
> > 1. write the new xml file
> > 2. calling the squidclient
> >
> > Giving proxy manager rights to that method solved the problem so far.
> >
> >
> > but from a web application developer view one may expect that these
"batteries" might be included within these zms-api calls
> > if only when called by with a rather privileged account as ZMSAuthor   ...
no?
> >
> >
> > kind regards,
> > Thorsten Weber
> >
> >
> >
> > Am 03.04.2012 um 16:10 schrieb Sascha Gottfried:
> >
> >>
> >> Hi Thorsten,
> >> Zope Products (in your case: ZMS) offer an API that is available to
restricted code if the required permission can be acquired in the request
context.
> >>
> >> ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
'localfs_command' as a public method without requiring any permission from the
user/context to call it. As of today this method is not available anymore as a
result of a former security review.
> >>
> >> That most probably means, that not the call of the method 'locafs_command'
is raising an exception, but the code in your method 'onChangeObjEvt'. Please
provide the traceback to your problem - without I am just guessing. I do not
want to guess.
> >>
> >> Another hint - during development please change your zope instance to use
'Verbose Security'. Now a security exception tells you exactly what permission
is required and more. This link shows how to change zope.conf
(http://plone.org/documentation/kb/debug-unauthorized)
> >>
> >> If you don't mind provide some application details to your next answer.
Please do not forget the traceback. And if you do not mind tell me more about
the task you are trying to do.
> >>
> >> @Nils: I accidently addressed the last answer to you.
> >>
> >> A more secure way would be just to find out which permission is needed and
to give this permission to a user. This applies to existing zope permissions
currently not available to ZMSAuthor.
> >>
> >> Another way would be to register a new permission in your application and
add it to custom ZMS roles. In your script you could use Zope's API method
checkPermission() or similar to verify that the caller has this permission. Now
it is up to a zope administrator to provide this permission to certain users.
> >>
> >> If more methods in ZMS like 'localfs_command' had a proper permission
requirement, it would be more easy to application developers to provide the
permissions needed. Usual zope products contain code like this.
> >>
> >> security.declareProtected(permissionName, methodName)
> >>
> >> source:
> >>
http://docs.zope.org/zope2/zdgbook/Security.html#implementing-security-in-python\
-products
> >>
> >> Users need this permission to call this method from restriced code (like
any python script in ZODB). With this in mind - access control to application
logic is a matter of user administration.
> >>
> >> That restriction does not apply to file system code like Zope products -
but ZMS developers usually implement business logic in restricted code. That's
why it is important to know the stuff mentioned above.
> >>
> >> Looking forward to see the traceback,
> >> Sascha
> >>
> >> --- In zms-developers@yahoogroups.com, Niels Dettenbach <nd@> wrote:
> >> >
> >> > Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:
> >> > > what you did as well is giving a script all zope permissions available.
This
> >> > > script is available for anybody in the web. With this script you access
> >> > > resources in your file system.
> >> > ...shure it does - so it is very (!) important to know what the script
does
> >> > and allows by theory and in practice...
> >> >
> >> > > Zope has a lot of secure answers for that stuff. If you want to know,
why
> >> > > this worked in ZMS a couple of months ago and what you really need to
do,
> >> > > ask me. But I am not sure, if you need a quick fix or a secure solution
for
> >> > > your customers.
> >> >
> >> > Can you give some more details or examples? "a lot of " is really nothing
more
> >> > then helpless to anyone here on the list...
> >> >
> >> >
> >> > cheers,
> >> >
> >> >
> >> > Niels.
> >> > --
> >> > ---
> >> > Niels Dettenbach
> >> > Syndicat IT & Internet
> >> > http://www.syndicat.com
> >> > ---
> >> >
> >>
> >
> >
> >
>

Hi Thorsten,

1) please add the source code for http://myObj_url/FS_home.xml
Is it a more python script or DTML method?

2) Explain your need for using http_import()! Did you often used this method
before? Try to explain why it is not possible with plain DTML tags. Look at the
sample code below

onChangeObjEvt() explained:
http://www.zms-publishing.com/dokumentation/literatur/professional_manual/api_tr\
icks/onchangeobjevt/index_ger.html

3) Switch to a simple call of whatever FS_Home.xml is and pass parameters
appropriately. This should be possible because FS_Home.xml and onChangeObjEvt()
are in the scope of the same special object definition. Right?

4)What about implementing onChangeObjEvt() in python?

See you later!
Sascha


--- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@...> wrote:
>
> Hi Sascha,
>
> first of all - thank you so much for your efforts and explanations!
> this really opens a door for me...
> my first post was more a guess than knowledge ...
> based on what the behaviors we observed (it worked for admin, not for
ZMSAuthors).
>
> so I tried my best to provide a traceback as required ... but i am afraid i
fail to do so.
>
> anyway ...
>
> i took away the proxy role manager from the methode
myObj_meta_id.onChangeObjEvent
>
> this is what the methode looks like:
>
> <dtml-comment> -- // prerender FS_Home.xml from myObj // -- </dtml-comment>
> <dtml-let
xml_text="http_import('http://myObj_url/FS_home.xml?prerender=true&rand='+ZopeTi\
me().strftime('%Y%m%d%H%M%S'))"
>           path="'/srv/project/virtualenv/xml/'">
>
>      <dtml-if xml_text>
> <dtml-comment> -- // write FS_Home.xml to disk // -- </dtml-comment>
>         <dtml-call "localfs_write(path+'FS_home.xml',xml_text,mode='b')">
>      </dtml-if>
>
> <dtml-comment> -- // remove FS_Home.xml from Squid cache // -- </dtml-comment>
> <dtml-call "localfs_command('/usr/bin/squidclient  -h 85.25.124.231  -p 80 -m
PURGE http://myObj_url/FS_home.xml')">
>
> </dtml-let>
>
> ZMS.localfs_read is granted for path.
>
> and called the methode with user credentials of ZMSAuthor (HTTP_Auth with IE8
Browser and with Firefox/MacOSX)
>
> and this is what i find in event_log:
>
> ------
> 2012-04-19T15:11:29 ERROR Zope.SiteErrorLog 1334841089.320.269759942749
http://my_url/content/metaobj_manager/myObj_meta_id.onChangeObjEvt
> Traceback (innermost last):
>   Module ZPublisher.Publish, line 116, in publish
>   Module ZPublisher.BaseRequest, line 609, in traverse
>   Module ZPublisher.HTTPResponse, line 718, in unauthorized
> Unauthorized: <strong>You are not authorized to access this
resource.</strong><p>
> No Authorization header found.</p>
> ------
> 2012-04-19T15:11:29 ERROR root Exception while rendering an error message
> Traceback (most recent call last):
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/SimpleItem.py", line 287, in raise_standardErrorMessage
>     v = s(client, REQUEST, **kwargs)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 149, in __call__
>     r = apply(HTML.__call__, (self, client, REQUEST), kw)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
>     try: result = render_blocks(self._v_blocks, md)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_Util.py", line 202, in eval
>     return eval(code, d)
>   File "<string>", line 1, in <expression>
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 149, in __call__
>     r = apply(HTML.__call__, (self, client, REQUEST), kw)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
>     try: result = render_blocks(self._v_blocks, md)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 140, in __call__
>     r = apply(HTML.__call__, (self, client, REQUEST), kw)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
>     try: result = render_blocks(self._v_blocks, md)
>   File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_Util.py", line 202, in eval
>     return eval(code, d)
>   File "<string>", line 1, in <expression>
> NameError: name 'lang' is not defined
>
>
> Me (and probably you) would have expected to see something different ... not
to say more ;) ... but this is what i got.
>
>
> regards, Thorsten
>
>
>
> Am 18.04.2012 um 15:50 schrieb Sascha Gottfried:
>
> > An additional note to my fist reply.
> >
> > I did setup a clean Zope 2.13.13/ZMS 2.13.4 using zc.buildout. I enabled
verbose-security and the python security implementation and wrote a small python
script that should call a common ObjectManager method that REQUIRES the user to
have a special permission 'import_export_objects'. Before running this sample
you need to edit error_log in Zope Root Folder, remove 'Unauthorized' from
'ignored exception types' and enable 'Copy exceptions to the event log'. Usually
this permission is assigned to role Manager. When running this script as
anonymous user with a valid id pointing to an item in this folder the security
policy is raising the exception below.
> >
> > -> export.py - in line number 8
> > context.manage_exportObject(id=id, download=True)
> >
> > -> OFS.ObjectManager.py
> >
> > security.declareProtected(import_export_objects, 'manage_exportObject')
> > def manage_exportObject(self, id='', download=None, toxml=None,
> > RESPONSE=None,REQUEST=None):
> > """Exports an object to a file and returns that file."""
> >
> > -> event.log
> >
> > 2012-04-18 14:24:29 ERROR Zope.SiteErrorLog 1334751869.040.833954688385
http://localhost:8080/sites/export
> > Traceback (innermost last):
> > Module ZPublisher.Publish, line 126, in publish
> > Module ZPublisher.mapply, line 77, in mapply
> > Module ZPublisher.Publish, line 46, in call_object
> > Module Shared.DC.Scripts.Bindings, line 322, in __call__
> > Module Shared.DC.Scripts.Bindings, line 359, in _bindAndExec
> > Module Products.PythonScripts.PythonScript, line 344, in _exec
> > Module script, line 8, in export
> > - <PythonScript at /sites/export>
> > - Line 8
> > Module AccessControl.ImplPython, line 716, in guarded_getattr
> > Module AccessControl.ImplPython, line 658, in aq_validate
> > Module AccessControl.ImplPython, line 552, in validate
> > Module AccessControl.ImplPython, line 450, in validate
> > Module AccessControl.ImplPython, line 797, in raiseVerbose
> > Unauthorized: Your user account does not have the required permission.
Access to 'manage_exportObject' of (Folder at /sites) denied. Your user account,
Anonymous User, exists at
> >
> > /acl_users. Access requires Import_Export_objects_Permission, granted to the
following roles: ['Manager']. Your roles in this context are ['Anonymous'].
> >
> > This information really helps a lot. The line in my one-liner (export - line
8) is identified, you can see that the python security implementation is
handling the security check caused by the security attributes of method
definition OFS.ObjectManager.manage_exportObject()
> >
> > The accessed method 'manage_exportObject' is mentioned and even the object
that was used (Folder at /sites). The current user is specified, followed by the
user folder. At last the security framework tells you details about the current
permission/role mapping, even providing you with details about your current
roles. I could not imagine a more useful message.
> >
> > Try this and provide a traceback as shown above. Then we do not guess
anymore.
> >
> > Good luck.
> > Sascha
> >
> > --- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@> wrote:
> > >
> > > Hello again,
> > >
> > > I just proceeded as suggested by Sascha and activated verbose-security (
zope.conf, line 622 )
> > >
> > > security-policy-implementation python
> > > verbose-security on
> > >
> > > when calling the onChangeObjEvt i find this as Traceback in error_log
> > >
> > >
> > > Time 2012/04/12 16:07:42.074109 GMT+2
> > > User Name (User Id) Anonymous User (None)
> > > Request URL http://my_nackend_url/content/e94/manage_main
> > > Exception Type Unauthorized
> > > Exception Value <strong>You are not authorized to access this
resource.</strong>
> > > Traceback (innermost last):
> > > Module ZPublisher.Publish, line 116, in publish
> > > Module ZPublisher.BaseRequest, line 609, in traverse
> > > Module ZPublisher.HTTPResponse, line 718, in unauthorized
> > > Unauthorized: <strong>You are not authorized to access this
resource.</strong>
> > >
> > > This does not say so much to me ... does this help in any way? ( or did i
miss something? )
> > >
> > > but it is strange that the User is Anonymous !
> > >
> > >
> > >
> > > kind regards,
> > > Thorsten Weber
> > >
> > >
> > > Am 04.04.2012 um 09:51 schrieb Thorsten Weber:
> > >
> > > > Hello Sascha,
> > > >
> > > >
> > > > thanks a lot for your detailed and very insightful explanation!
> > > > and you are probably right concerning the exception - which might be
raised silently.
> > > >
> > > > until the 10. of april I'm out of the office ...
> > > > but i will come back to this as soon as possible and will apply verbose
security on a dev instance and provide the traceback.
> > > >
> > > >
> > > > this for now:
> > > >
> > > > ZMS: ZMS2 2.12.1.1047 (Build #132e)
> > > > ZOPE: (2.12.3, python 2.5.2, linux2)
> > > > PYTHON: 2.5.2
> > > >
> > > > we generate some xml to feed a flash application when storing an object
within zms and store it in local filesystem (for performance reasons)
> > > > (localfs_write(path_to_xml, xml_structur_text, mode='b'))
> > > >
> > > > and purge that object from cache afterwards
> > > > (localfs_command('/usr/bin/squidclient -h my_squid_ipaddress -p 80 -m
PURGE http://my_frontend_url')
> > > >
> > > > all triggered by onChangeObjEvt
> > > >
> > > > but we were facing the problem that the method seems not have the right
to execute the commands
> > > > 1. write the new xml file
> > > > 2. calling the squidclient
> > > >
> > > > Giving proxy manager rights to that method solved the problem so far.
> > > >
> > > >
> > > > but from a web application developer view one may expect that these
"batteries" might be included within these zms-api calls
> > > > if only when called by with a rather privileged account as ZMSAuthor ...
no?
> > > >
> > > >
> > > > kind regards,
> > > > Thorsten Weber
> > > >
> > > >
> > > >
> > > > Am 03.04.2012 um 16:10 schrieb Sascha Gottfried:
> > > >
> > > >>
> > > >> Hi Thorsten,
> > > >> Zope Products (in your case: ZMS) offer an API that is available to
restricted code if the required permission can be acquired in the request
context.
> > > >>
> > > >> ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
'localfs_command' as a public method without requiring any permission from the
user/context to call it. As of today this method is not available anymore as a
result of a former security review.
> > > >>
> > > >> That most probably means, that not the call of the method
'locafs_command' is raising an exception, but the code in your method
'onChangeObjEvt'. Please provide the traceback to your problem - without I am
just guessing. I do not want to guess.
> > > >>
> > > >> Another hint - during development please change your zope instance to
use 'Verbose Security'. Now a security exception tells you exactly what
permission is required and more. This link shows how to change zope.conf
(http://plone.org/documentation/kb/debug-unauthorized)
> > > >>
> > > >> If you don't mind provide some application details to your next answer.
Please do not forget the traceback. And if you do not mind tell me more about
the task you are trying to do.
> > > >>
> > > >> @Nils: I accidently addressed the last answer to you.
> > > >>
> > > >> A more secure way would be just to find out which permission is needed
and to give this permission to a user. This applies to existing zope permissions
currently not available to ZMSAuthor.
> > > >>
> > > >> Another way would be to register a new permission in your application
and add it to custom ZMS roles. In your script you could use Zope's API method
checkPermission() or similar to verify that the caller has this permission. Now
it is up to a zope administrator to provide this permission to certain users.
> > > >>
> > > >> If more methods in ZMS like 'localfs_command' had a proper permission
requirement, it would be more easy to application developers to provide the
permissions needed. Usual zope products contain code like this.
> > > >>
> > > >> security.declareProtected(permissionName, methodName)
> > > >>
> > > >> source:
> > > >>
http://docs.zope.org/zope2/zdgbook/Security.html#implementing-security-in-python\
-products
> > > >>
> > > >> Users need this permission to call this method from restriced code
(like any python script in ZODB). With this in mind - access control to
application logic is a matter of user administration.
> > > >>
> > > >> That restriction does not apply to file system code like Zope products
- but ZMS developers usually implement business logic in restricted code. That's
why it is important to know the stuff mentioned above.
> > > >>
> > > >> Looking forward to see the traceback,
> > > >> Sascha
> > > >>
> > > >> --- In zms-developers@yahoogroups.com, Niels Dettenbach <nd@> wrote:
> > > >> >
> > > >> > Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:
> > > >> > > what you did as well is giving a script all zope permissions
available. This
> > > >> > > script is available for anybody in the web. With this script you
access
> > > >> > > resources in your file system.
> > > >> > ...shure it does - so it is very (!) important to know what the
script does
> > > >> > and allows by theory and in practice...
> > > >> >
> > > >> > > Zope has a lot of secure answers for that stuff. If you want to
know, why
> > > >> > > this worked in ZMS a couple of months ago and what you really need
to do,
> > > >> > > ask me. But I am not sure, if you need a quick fix or a secure
solution for
> > > >> > > your customers.
> > > >> >
> > > >> > Can you give some more details or examples? "a lot of " is really
nothing more
> > > >> > then helpless to anyone here on the list...
> > > >> >
> > > >> >
> > > >> > cheers,
> > > >> >
> > > >> >
> > > >> > Niels.
> > > >> > --
> > > >> > ---
> > > >> > Niels Dettenbach
> > > >> > Syndicat IT & Internet
> > > >> > http://www.syndicat.com
> > > >> > ---
> > > >> >
> > > >>
> > > >
> > > >
> > > >
> > >
> >
> >
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Thorsten Weber <tweber@...> schrieb:

>> > <dtml-let
>xml_text="http_import('http://myObj_url/FS_home.xml?prerender=true&rand='+ZopeT\
ime().strftime('%Y%m%d%H%M%S'))"
>> > path="'/srv/project/virtualenv/xml/'">
>> >
>> > <dtml-if xml_text>
>> > <dtml-comment> -- // write FS_Home.xml to disk // --
></dtml-comment>
>> > <dtml-call "localfs_write(path+'FS_home.xml',xml_text,mode='b')">
>> > </dtml-if>
>> >
>> > <dtml-comment> -- // remove FS_Home.xml from Squid cache // --
></dtml-comment>
>> > <dtml-call "localfs_command('/usr/bin/squidclient -h 85.25.124.231
>-p 80 -m PURGE http://myObj_url/FS_home.xml')">
>> >
>> > </dtml-let>

...just a small btw:
I usually put such things which must hardly/directly interact with the local OS
and/or fetching external ressources into my own External Methods by
planning/checking the code against any (more or less) "thinkable" security
implications, especially by offered parameters etc..

On the other hand - i did not understand why (if i read right) your XML has to
get into a local filesystem and not a typical Zope object (file or similiar).
Local FS (from my view) makes only sense i.e. for store large file bases and to
interact with a Filesystem if really required. As you xml seems small i can't
get it really here... ß)


May be that helps here too in any way...



best regards,


Niels.

- --
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iIEEAREIAEEFAk+RH1g6HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDf2QAJ9xetqSkDx3
Ajx8zINPYYysekfGxQCeLUVNcRjQsCPdzC/Y+rlir/Vbsfw=
=KSnp
-----END PGP SIGNATURE-----

Hi Thorsten,

XSS or Code Injection are common to scripts that process user supplied data. You
know if this is true for your scripts. If true - you can tell us here - but
change the names and the URLs, you provided too much detail in the last answers.

If not - there is another attack vector - Failure to Restrict URL Access. Both
scripts FS_home.xml and your myObj_meta_id.onChangeObjEvt are callable for
anonymous users. Try it!

This way you expose this functionality to anybody. Anybody knowing this URL can
always trigger it - depending on your application this is not what you want. If
you care about your server load, this is an issue. Exploitability is now a
matter of time and value for the attacker.

To address this issue - you can remove 'View' permission for Anonymous users for
both scripts. This is not done by default by ZMS while creating hook scripts
('onChangeObjEvt') for a special object. Usage of those scripts should only be
allowed to use in a context where the user has the role 'Authorized'. Thats true
for people who logged in with credentials - like ZMSAuthors.


A more recent programming model to solve your use case would be using zope event
publishing system. ZMS content base classes need to notify the application
server about beeing modified through publishing an event. Then your custom XML
generating code could subscribe for this event. The event knows which object
published this event and the event subscriber could proceed by iteration over
the object children (getObjChildren('tabs',REQUEST))

You could use powerful libraries like lxml and you do not expose any
functionality to the outside world. But all needs to be done in filesystem code.
You can contact me for any details.

Sascha

--- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@...> wrote:
>
> Hi Sascha,
>
> 1) FS_home.xml is a dtml-methode which generates a xml-file to tell a flash
app to load external resources
> in the backend there are various container object where links to special
objects can be added
> from these special objects details like text, images or videos are retrieved
in a loop (<dtml-in "getObjChildren('tabs',REQUEST)">)
> in order to minimize the render- and/or load time of the xml onChangeObjEvent
is called with a pre-render param to tell FS_home.xml to be rendered into local
file system. when FS_home.xml is called from the frontend, when it is loaded
from squid => apache => file-system.
>
> 2) we use http_import to get the rendered source code of FS_home.xml.
> within the source code the substring of the backend url is striped out.
> afterwards localfs_write with mode=b writes the codes into path + filename.
>
> I dont use http_import often - only if it is necessary to process/parse the
source code of a external resource.
>
> 3) yes. they are in the same scope but - as mentioned above - we are trying to
reduce load time by this.
>
> 4) to port onChangeObjEvent as python script could be a way ...
> but as we do not trigger security related stuff (like creating objects) it
might be ok to set proxy role.
> NO?
>
> Or is it still a security risk?
> Maybe you can explain a bit more how such a script could be abused?
> Is there - in theory - a way like XSS or Code injection?
>
> regards, Thorsten
>
>
>
>
> Am 19.04.2012 um 18:04 schrieb Sascha Gottfried:
>
> > Hi Thorsten,
> >
> > 1) please add the source code for http://myObj_url/FS_home.xml
> > Is it a more python script or DTML method?
> >
> > 2) Explain your need for using http_import()! Did you often used this method
before? Try to explain why it is not possible with plain DTML tags. Look at the
sample code below
> >
> > onChangeObjEvt() explained:
> >
http://www.zms-publishing.com/dokumentation/literatur/professional_manual/api_tr\
icks/onchangeobjevt/index_ger.html
> >
> > 3) Switch to a simple call of whatever FS_Home.xml is and pass parameters
appropriately. This should be possible because FS_Home.xml and onChangeObjEvt()
are in the scope of the same special object definition. Right?
> >
> > 4)What about implementing onChangeObjEvt() in python?
> >
> > See you later!
> > Sascha
> >
> > --- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@> wrote:
> > >
> > > Hi Sascha,
> > >
> > > first of all - thank you so much for your efforts and explanations!
> > > this really opens a door for me...
> > > my first post was more a guess than knowledge ...
> > > based on what the behaviors we observed (it worked for admin, not for
ZMSAuthors).
> > >
> > > so I tried my best to provide a traceback as required ... but i am afraid
i fail to do so.
> > >
> > > anyway ...
> > >
> > > i took away the proxy role manager from the methode
myObj_meta_id.onChangeObjEvent
> > >
> > > this is what the methode looks like:
> > >
> > > <dtml-comment> -- // prerender FS_Home.xml from myObj // --
</dtml-comment>
> > > <dtml-let
xml_text="http_import('http://myObj_url/FS_home.xml?prerender=true&rand='+ZopeTi\
me().strftime('%Y%m%d%H%M%S'))"
> > > path="'/srv/project/virtualenv/xml/'">
> > >
> > > <dtml-if xml_text>
> > > <dtml-comment> -- // write FS_Home.xml to disk // -- </dtml-comment>
> > > <dtml-call "localfs_write(path+'FS_home.xml',xml_text,mode='b')">
> > > </dtml-if>
> > >
> > > <dtml-comment> -- // remove FS_Home.xml from Squid cache // --
</dtml-comment>
> > > <dtml-call "localfs_command('/usr/bin/squidclient -h 85.25.124.231 -p 80
-m PURGE http://myObj_url/FS_home.xml')">
> > >
> > > </dtml-let>
> > >
> > > ZMS.localfs_read is granted for path.
> > >
> > > and called the methode with user credentials of ZMSAuthor (HTTP_Auth with
IE8 Browser and with Firefox/MacOSX)
> > >
> > > and this is what i find in event_log:
> > >
> > > ------
> > > 2012-04-19T15:11:29 ERROR Zope.SiteErrorLog 1334841089.320.269759942749
http://my_url/content/metaobj_manager/myObj_meta_id.onChangeObjEvt
> > > Traceback (innermost last):
> > > Module ZPublisher.Publish, line 116, in publish
> > > Module ZPublisher.BaseRequest, line 609, in traverse
> > > Module ZPublisher.HTTPResponse, line 718, in unauthorized
> > > Unauthorized: <strong>You are not authorized to access this
resource.</strong><p>
> > > No Authorization header found.</p>
> > > ------
> > > 2012-04-19T15:11:29 ERROR root Exception while rendering an error message
> > > Traceback (most recent call last):
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/SimpleItem.py", line 287, in raise_standardErrorMessage
> > > v = s(client, REQUEST, **kwargs)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 149, in __call__
> > > r = apply(HTML.__call__, (self, client, REQUEST), kw)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
> > > try: result = render_blocks(self._v_blocks, md)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_Util.py", line 202, in eval
> > > return eval(code, d)
> > > File "<string>", line 1, in <expression>
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 149, in __call__
> > > r = apply(HTML.__call__, (self, client, REQUEST), kw)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
> > > try: result = render_blocks(self._v_blocks, md)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/OFS/DTMLMethod.py", line 140, in __call__
> > > r = apply(HTML.__call__, (self, client, REQUEST), kw)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_String.py", line 477, in __call__
> > > try: result = render_blocks(self._v_blocks, md)
> > > File
"/srv/my_url/virtualenv/zope/lib/python2.5/site-packages/Zope2-2.12.3-py2.5-linu\
x-x86_64.egg/DocumentTemplate/DT_Util.py", line 202, in eval
> > > return eval(code, d)
> > > File "<string>", line 1, in <expression>
> > > NameError: name 'lang' is not defined
> > >
> > >
> > > Me (and probably you) would have expected to see something different ...
not to say more ;) ... but this is what i got.
> > >
> > >
> > > regards, Thorsten
> > >
> > >
> > >
> > > Am 18.04.2012 um 15:50 schrieb Sascha Gottfried:
> > >
> > > > An additional note to my fist reply.
> > > >
> > > > I did setup a clean Zope 2.13.13/ZMS 2.13.4 using zc.buildout. I enabled
verbose-security and the python security implementation and wrote a small python
script that should call a common ObjectManager method that REQUIRES the user to
have a special permission 'import_export_objects'. Before running this sample
you need to edit error_log in Zope Root Folder, remove 'Unauthorized' from
'ignored exception types' and enable 'Copy exceptions to the event log'. Usually
this permission is assigned to role Manager. When running this script as
anonymous user with a valid id pointing to an item in this folder the security
policy is raising the exception below.
> > > >
> > > > -> export.py - in line number 8
> > > > context.manage_exportObject(id=id, download=True)
> > > >
> > > > -> OFS.ObjectManager.py
> > > >
> > > > security.declareProtected(import_export_objects, 'manage_exportObject')
> > > > def manage_exportObject(self, id='', download=None, toxml=None,
> > > > RESPONSE=None,REQUEST=None):
> > > > """Exports an object to a file and returns that file."""
> > > >
> > > > -> event.log
> > > >
> > > > 2012-04-18 14:24:29 ERROR Zope.SiteErrorLog 1334751869.040.833954688385
http://localhost:8080/sites/export
> > > > Traceback (innermost last):
> > > > Module ZPublisher.Publish, line 126, in publish
> > > > Module ZPublisher.mapply, line 77, in mapply
> > > > Module ZPublisher.Publish, line 46, in call_object
> > > > Module Shared.DC.Scripts.Bindings, line 322, in __call__
> > > > Module Shared.DC.Scripts.Bindings, line 359, in _bindAndExec
> > > > Module Products.PythonScripts.PythonScript, line 344, in _exec
> > > > Module script, line 8, in export
> > > > - <PythonScript at /sites/export>
> > > > - Line 8
> > > > Module AccessControl.ImplPython, line 716, in guarded_getattr
> > > > Module AccessControl.ImplPython, line 658, in aq_validate
> > > > Module AccessControl.ImplPython, line 552, in validate
> > > > Module AccessControl.ImplPython, line 450, in validate
> > > > Module AccessControl.ImplPython, line 797, in raiseVerbose
> > > > Unauthorized: Your user account does not have the required permission.
Access to 'manage_exportObject' of (Folder at /sites) denied. Your user account,
Anonymous User, exists at
> > > >
> > > > /acl_users. Access requires Import_Export_objects_Permission, granted to
the following roles: ['Manager']. Your roles in this context are ['Anonymous'].
> > > >
> > > > This information really helps a lot. The line in my one-liner (export -
line 8) is identified, you can see that the python security implementation is
handling the security check caused by the security attributes of method
definition OFS.ObjectManager.manage_exportObject()
> > > >
> > > > The accessed method 'manage_exportObject' is mentioned and even the
object that was used (Folder at /sites). The current user is specified, followed
by the user folder. At last the security framework tells you details about the
current permission/role mapping, even providing you with details about your
current roles. I could not imagine a more useful message.
> > > >
> > > > Try this and provide a traceback as shown above. Then we do not guess
anymore.
> > > >
> > > > Good luck.
> > > > Sascha
> > > >
> > > > --- In zms-developers@yahoogroups.com, Thorsten Weber <tweber@> wrote:
> > > > >
> > > > > Hello again,
> > > > >
> > > > > I just proceeded as suggested by Sascha and activated verbose-security
( zope.conf, line 622 )
> > > > >
> > > > > security-policy-implementation python
> > > > > verbose-security on
> > > > >
> > > > > when calling the onChangeObjEvt i find this as Traceback in error_log
> > > > >
> > > > >
> > > > > Time 2012/04/12 16:07:42.074109 GMT+2
> > > > > User Name (User Id) Anonymous User (None)
> > > > > Request URL http://my_nackend_url/content/e94/manage_main
> > > > > Exception Type Unauthorized
> > > > > Exception Value <strong>You are not authorized to access this
resource.</strong>
> > > > > Traceback (innermost last):
> > > > > Module ZPublisher.Publish, line 116, in publish
> > > > > Module ZPublisher.BaseRequest, line 609, in traverse
> > > > > Module ZPublisher.HTTPResponse, line 718, in unauthorized
> > > > > Unauthorized: <strong>You are not authorized to access this
resource.</strong>
> > > > >
> > > > > This does not say so much to me ... does this help in any way? ( or
did i miss something? )
> > > > >
> > > > > but it is strange that the User is Anonymous !
> > > > >
> > > > >
> > > > >
> > > > > kind regards,
> > > > > Thorsten Weber
> > > > >
> > > > >
> > > > > Am 04.04.2012 um 09:51 schrieb Thorsten Weber:
> > > > >
> > > > > > Hello Sascha,
> > > > > >
> > > > > >
> > > > > > thanks a lot for your detailed and very insightful explanation!
> > > > > > and you are probably right concerning the exception - which might be
raised silently.
> > > > > >
> > > > > > until the 10. of april I'm out of the office ...
> > > > > > but i will come back to this as soon as possible and will apply
verbose security on a dev instance and provide the traceback.
> > > > > >
> > > > > >
> > > > > > this for now:
> > > > > >
> > > > > > ZMS: ZMS2 2.12.1.1047 (Build #132e)
> > > > > > ZOPE: (2.12.3, python 2.5.2, linux2)
> > > > > > PYTHON: 2.5.2
> > > > > >
> > > > > > we generate some xml to feed a flash application when storing an
object within zms and store it in local filesystem (for performance reasons)
> > > > > > (localfs_write(path_to_xml, xml_structur_text, mode='b'))
> > > > > >
> > > > > > and purge that object from cache afterwards
> > > > > > (localfs_command('/usr/bin/squidclient -h my_squid_ipaddress -p 80
-m PURGE http://my_frontend_url')
> > > > > >
> > > > > > all triggered by onChangeObjEvt
> > > > > >
> > > > > > but we were facing the problem that the method seems not have the
right to execute the commands
> > > > > > 1. write the new xml file
> > > > > > 2. calling the squidclient
> > > > > >
> > > > > > Giving proxy manager rights to that method solved the problem so
far.
> > > > > >
> > > > > >
> > > > > > but from a web application developer view one may expect that these
"batteries" might be included within these zms-api calls
> > > > > > if only when called by with a rather privileged account as ZMSAuthor
... no?
> > > > > >
> > > > > >
> > > > > > kind regards,
> > > > > > Thorsten Weber
> > > > > >
> > > > > >
> > > > > >
> > > > > > Am 03.04.2012 um 16:10 schrieb Sascha Gottfried:
> > > > > >
> > > > > >>
> > > > > >> Hi Thorsten,
> > > > > >> Zope Products (in your case: ZMS) offer an API that is available to
restricted code if the required permission can be acquired in the request
context.
> > > > > >>
> > > > > >> ZMS 2.12.1 (more specific: class ZMSGlobals.py) offered the method
'localfs_command' as a public method without requiring any permission from the
user/context to call it. As of today this method is not available anymore as a
result of a former security review.
> > > > > >>
> > > > > >> That most probably means, that not the call of the method
'locafs_command' is raising an exception, but the code in your method
'onChangeObjEvt'. Please provide the traceback to your problem - without I am
just guessing. I do not want to guess.
> > > > > >>
> > > > > >> Another hint - during development please change your zope instance
to use 'Verbose Security'. Now a security exception tells you exactly what
permission is required and more. This link shows how to change zope.conf
(http://plone.org/documentation/kb/debug-unauthorized)
> > > > > >>
> > > > > >> If you don't mind provide some application details to your next
answer. Please do not forget the traceback. And if you do not mind tell me more
about the task you are trying to do.
> > > > > >>
> > > > > >> @Nils: I accidently addressed the last answer to you.
> > > > > >>
> > > > > >> A more secure way would be just to find out which permission is
needed and to give this permission to a user. This applies to existing zope
permissions currently not available to ZMSAuthor.
> > > > > >>
> > > > > >> Another way would be to register a new permission in your
application and add it to custom ZMS roles. In your script you could use Zope's
API method checkPermission() or similar to verify that the caller has this
permission. Now it is up to a zope administrator to provide this permission to
certain users.
> > > > > >>
> > > > > >> If more methods in ZMS like 'localfs_command' had a proper
permission requirement, it would be more easy to application developers to
provide the permissions needed. Usual zope products contain code like this.
> > > > > >>
> > > > > >> security.declareProtected(permissionName, methodName)
> > > > > >>
> > > > > >> source:
> > > > > >>
http://docs.zope.org/zope2/zdgbook/Security.html#implementing-security-in-python\
-products
> > > > > >>
> > > > > >> Users need this permission to call this method from restriced code
(like any python script in ZODB). With this in mind - access control to
application logic is a matter of user administration.
> > > > > >>
> > > > > >> That restriction does not apply to file system code like Zope
products - but ZMS developers usually implement business logic in restricted
code. That's why it is important to know the stuff mentioned above.
> > > > > >>
> > > > > >> Looking forward to see the traceback,
> > > > > >> Sascha
> > > > > >>
> > > > > >> --- In zms-developers@yahoogroups.com, Niels Dettenbach <nd@>
wrote:
> > > > > >> >
> > > > > >> > Am Dienstag, 3. April 2012, 09:21:58 schrieben Sie:
> > > > > >> > > what you did as well is giving a script all zope permissions
available. This
> > > > > >> > > script is available for anybody in the web. With this script
you access
> > > > > >> > > resources in your file system.
> > > > > >> > ...shure it does - so it is very (!) important to know what the
script does
> > > > > >> > and allows by theory and in practice...
> > > > > >> >
> > > > > >> > > Zope has a lot of secure answers for that stuff. If you want to
know, why
> > > > > >> > > this worked in ZMS a couple of months ago and what you really
need to do,
> > > > > >> > > ask me. But I am not sure, if you need a quick fix or a secure
solution for
> > > > > >> > > your customers.
> > > > > >> >
> > > > > >> > Can you give some more details or examples? "a lot of " is really
nothing more
> > > > > >> > then helpless to anyone here on the list...
> > > > > >> >
> > > > > >> >
> > > > > >> > cheers,
> > > > > >> >
> > > > > >> >
> > > > > >> > Niels.
> > > > > >> > --
> > > > > >> > ---
> > > > > >> > Niels Dettenbach
> > > > > >> > Syndicat IT & Internet
> > > > > >> > http://www.syndicat.com
> > > > > >> > ---
> > > > > >> >
> > > > > >>
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > >
> >
> >
>

Hi,

I noticed a  small bug with regard to the timezone in the function
getLangFmtDate :

quote:

1564           if tz < 0:
1565             tch = '-'

unquote

but the sign is defined as

quote ( http://docs.python.org/library/time.html)

time.timezone
The offset of the local (non-DST) timezone, in seconds west of UTC
(negative in most of Western Europe, positive in the US, zero in the
UK).

unquote

which is quite the opposite to the usual definition as eg in RFC 822 .

so line 1564 should be changed into:

1564           if tz > 0:


regards,

Wolfgang Huber

--
Wolfgang Huber
Informationsmanagement, Anwendersysteme
Web Engineer

Johannes Kepler Universität
Altenbergerstraße 69
4040 Linz, Österreich

Hello ZMS-Developers,

when putting more than 1000 objects in a folder ZMS starts to randomly
sort the items when one is moved up or down or a new item is added to
the folder. Is this because of the sort_id being formated to a 4-digit
number? Is there a solution for that?

Is it possible to sort the items for example like this or will this mess
with ZMS?

<dtml-call "REQUEST.setObjProperty('sort_id','s0010')">


ZMS2 2.12.1-12 (Build #132e)

Kind Regards
Tobias Greitzke



--
tog.is - information design

Tobias Greitzke
Johannes-Mynsinger-Weg 18
89075 Ulm

Fon: +49 (0)731 / 509 4567
Fax: +49 (0)731 / 509 4568
Mobil: +49 (0)163 / 632 32 60
Skype: tobias.greitzke

http://www.togis.com
tobias.greitzke@...

=========================================
Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese
E-Mail irrtuemlich erhalten haben, informieren Sie bitte sofort den
Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie
die unbefugte Weitergabe dieser Mail ist nicht gestattet.

Hello,
a thousand objects within a folder may prohibit fast ZMI nvigation. It is
recommended to place them into a folder hierarchy or in a external database (if
these objects are of the same object type).
Anyway:
you can change the ZMS code to enlarge the sort id:
_globals.format_sort_id()

Best regards
fh. moderator


--- In zms-developers@yahoogroups.com, Tobias Greitzke <tobias.greitzke@...>
wrote:
>
> Hello ZMS-Developers,
>
> when putting more than 1000 objects in a folder ZMS starts to randomly
> sort the items when one is moved up or down or a new item is added to
> the folder. Is this because of the sort_id being formated to a 4-digit
> number? Is there a solution for that?
>
> Is it possible to sort the items for example like this or will this mess
> with ZMS?
>
> <dtml-call "REQUEST.setObjProperty('sort_id','s0010')">
>
>
> ZMS2 2.12.1-12 (Build #132e)
>
> Kind Regards
> Tobias Greitzke
>
>
>
> --
> tog.is - information design
>
> Tobias Greitzke
> Johannes-Mynsinger-Weg 18
> 89075 Ulm
>
> Fon: +49 (0)731 / 509 4567
> Fax: +49 (0)731 / 509 4568
> Mobil: +49 (0)163 / 632 32 60
> Skype: tobias.greitzke
>
> http://www.togis.com
> tobias.greitzke@...
>
> =========================================
> Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte
> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese
> E-Mail irrtuemlich erhalten haben, informieren Sie bitte sofort den
> Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie
> die unbefugte Weitergabe dieser Mail ist nicht gestattet.
>

Thank you very much for the fix:
http://zmslabs.org/trac/changeset/1878
It is in the latest build now:
http://zmslabs.org/download/ZMS-latest.tar.gz

Best regards
fh. moderator

--- In zms-developers@yahoogroups.com, "Wolfgang Huber" <Wolfgang.Huber@...>
wrote:
>
> Hi,
>
> I noticed a  small bug with regard to the timezone in the function
> getLangFmtDate :
>
> quote:
>
> 1564           if tz < 0:
> 1565             tch = '-'
>
> unquote
>
> but the sign is defined as
>
> quote ( http://docs.python.org/library/time.html)
>
> time.timezone
> The offset of the local (non-DST) timezone, in seconds west of UTC
> (negative in most of Western Europe, positive in the US, zero in the
> UK).
>
> unquote
>
> which is quite the opposite to the usual definition as eg in RFC 822 .
>
> so line 1564 should be changed into:
>
> 1564           if tz > 0:
>
>
> regards,
>
> Wolfgang Huber
>
> --
> Wolfgang Huber
> Informationsmanagement, Anwendersysteme
> Web Engineer
>
> Johannes Kepler Universität
> Altenbergerstraße 69
> 4040 Linz, Österreich
>