Archive for Web

Workflow Madness in Plone

I’ve been having some difficulty implementing student homework submission. I’ve gotten a crude hack working, but trying to improve it has been more difficult than I imagined. The following excerpt from http://www.zopelabs.com/cookbook/1029298314 will help, I wanted to copy it here so I can refer to it later. (For a while I had forgotten how to access this page!)


I used your idea but ran into a problem because the default action after a change in status is to view the object (at the old location), which results in an object-not-found error.
To fix this, I went into portal_properties/navigation and changed default.content_status_modify.success from "action:view" to "url:../folder_contents". Now when I publish an item, it dumps me into a view of the folder where it came from. It would be nice if it would go to a view of the newly-moved object, but I haven't been able to get the necessary redirects working.

Fixing Plone's response (was Re: Re: Use one script for many types of objects.) by sh23 - 2004-10-14
I wanted to only be placed in the directory when the object was no longer there. In /Plone/portal_properties/navigation_properties, instead of modifying default.content_status_modify.success, I created a new entry:

default.content_status_modify.gone url:../folder_contents

I then modified (a custom copy of) portal_skins/plone_scripts/form_scripts/content_status_modify by replacing 'success' with status_string in the return statement, and then adding the following immediately before the return statement:

# Script (Python) snippet from sh23's comment (Zope 2 / Python 2 era).
# If the transition moved the object, its old physical path no longer resolves.
if context.restrictedTraverse(context.getPhysicalPath(), default=None) is None:
    status_string = 'gone'
else:
    status_string = 'success'

This is known to work with CMF 1.4 and Plone 1.1 24 June development version.

Plone PAS NOT hooked up to portal_membership?

I have been trying to convert my course website code to work with the new Plone 2.5.2 install. Typically, new features aren’t documented clearly or at all. The biggest hangup is the PlonePAS setup, which has changed the way membership data is accessed. portal_membership calls no longer work, or at least not completely. For example, context.portal_membership.listMemberIds() works, but only for the users defined in the default member plugin. I use SQLPASPlugin, and the above code does not list members defined in an SQL database.

The only way I’ve been able to get access to them programmatically is to use context.acl_users.X, which I am not sure is the right way. Some test code is below:

# Test code for the new PAS plugin architecture (Zope Script (Python), Python 2 era).
# NOT hooked into portal_membership: these calls only see the default member plugin's users.
print "Current User: ", context.portal_membership.getAuthenticatedMember()
print "Users: ", context.portal_membership.listMemberIds()
print "Search Users: ", context.portal_membership.searchForMembers(name='staff1')[0].getRoles()
print "Search Roles: ", context.portal_membership.searchForMembers(roles='cscishstaff')
# acl_users.searchUsers goes through every PAS enumeration plugin, SQLPASPlugin included.
print "acl_users: "
users = context.acl_users.searchUsers(roles='staff')
for u in users:
    print "%s(%s)" % (u['userid'], u['title'])
    print u
return printed

XSS Cross Site Scripting Resources

I have been ignoring going into details of web security in my introductory web class, partly because we cover so much (HTML, CSS, JavaScript, SQL, Python) that we really don’t have time to cover it, and partly because I’ve been too busy to come up with some slides for it.

With the prevalence of XSS (Cross Site Scripting) hacks, it looks like this year I will be spending at least a few slides on security.

Some resources:

An informative post on slashdot outlined a few points to consider when designing a site to be robust against XSS (I’ve highlighted his points, but the words are mostly his):

by Fireflymantis (670938) on Friday June 15, @04:21AM (#19516455)

  • Are you making sure, without fail, that if a user changes view.php?id=32 to view.php?id=33 that they are not getting access to content they shouldn’t be?
  • What about cookies? Assuming the malicious user can (and will) build cookies of their choosing and content, are you making sure that this cannot somehow be used to hijack another user’s account?
  • Are you 100% certain that every time you read get/post/put data it has been marked as tainted, validated, and only after it has made it through some very harsh sanity checks is it allowed anywhere /close/ to a DB insert/query?
  • It gets even more muddled in the world of XMLHttpRequests when you have to validate against a plethora of other constraints.
  • Simply checking form data is almost 99% of the time not enough. For a non-trivial web app, even the above is not easy to do unless you pay attention to it every step of development. And even if you do that, you will probably miss something.
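The discipline the list above describes (mark request data as tainted, validate it harshly, only then let it near a query, and check ownership so id=32 versus id=33 is not enough), plus output escaping for the XSS half, as an added Python example that is not from the post or the Slashdot comment; the table, owners and request values are constructed.

```python
import html
import sqlite3


class Tainted(str):
    """Raw request data (GET/POST/cookie). Must pass a validator before SQL or HTML."""


def validate_id(value):
    """Harsh check for an id parameter: digits only, bounded. Returns a plain int."""
    if not isinstance(value, Tainted):
        raise TypeError("validators take raw request data")
    if not value.isdigit() or len(value) > 9:
        raise ValueError("bad id: %r" % str(value))
    return int(value)


def fetch_document(conn, owner, doc_id):
    """Parameterised query that also enforces ownership: changing id=32 to
    id=33 yields None unless the caller owns 33."""
    if isinstance(doc_id, Tainted):
        raise TypeError("tainted value reached a query")
    row = conn.execute("SELECT body FROM docs WHERE id = ? AND owner = ?",
                       (doc_id, owner)).fetchone()
    return row[0] if row else None


def render_comment(author, body):
    """Escape on output so a stored '<script>' becomes inert text (the XSS half)."""
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(body))


def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample table, two owners
    conn.execute("CREATE TABLE docs (id INTEGER, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)",
                     [(32, "alice", "alice's homework"), (33, "bob", "bob's homework")])
    own = fetch_document(conn, "alice", validate_id(Tainted("32")))
    other = fetch_document(conn, "alice", validate_id(Tainted("33")))  # bob's -> None
    try:
        validate_id(Tainted("33 OR 1=1"))  # fails the digits-only check
        rejected = False
    except ValueError:
        rejected = True
    try:
        fetch_document(conn, "alice", Tainted("32"))  # validation skipped
        blocked = False
    except TypeError:
        blocked = True
    return own, other, rejected, blocked, render_comment("mallory", "<script>alert(1)</script>")
```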

ZMySQLDA on Plone 2.5

I’ve just spent the last 2 hours or so installing ZMySQLDA on a Plone 2.5.3 site. It was considerably more painful than I thought, as I never used to have troubles with this product before.

The problem? PIL is required to be installed for Plone, and its ImageFile package conflicts with a similarly named package that is part of Zope (App.ImageFile).

This is fixed in the DA.py file of ZMySQLDA by explicitly importing the App.ImageFile package, not the PIL version.

After having the ZMySQLDA product finally appear in the Control Panel, it still wasn’t showing up on the drop-down “add” menu. I am not sure what I did to fix this, but for a while only a single ZEO client had the menu option visible. Although I had rebooted/restarted the ZEO client/server multiple times and multiple ways (through the control panel and using the restartcluster.sh script), I think I still had the problem.

In any case, it now works and I have both ZEO clients showing “Add Z MySQL Database Connection.”

I had planned on getting SQLPASPlugin set up, but it is already 12:27, and I need to go to bed.