Joshua Ginsberg
listspam at flowtheory.net
Sat Feb 25 12:19:21 EST 2006
Interesting essay. If you're interested I've posted a rebuttal for the
list administrators' consideration:

http://starboard.flowtheory.net/blog/?q=node/170

-jag

On Feb 25, 2006, at 3:32 AM, Nicolas Lehuen wrote:

> That is called "Reply-To Munging" and is considered harmful by some.
>
> http://www.unicom.com/pw/reply-to-harmful.html
>
> Regards,
> Nicolas
>
> 2006/2/25, Joshua Ginsberg <listspam at flowtheory.net>:
>> Wow -- I'm the administrivia whore today... sorry about that...
>>
>> Why don't we configure the list to have the reply-to be back to the
>> list? :-) I can't tell you the number of times I hit reply instead of
>> remembering to hit "Reply All", a button which I generally consider to
>> be the brainchild of Satan.
>>
>> -jag
>>
>> On Feb 24, 2006, at 7:59 PM, Graham Dumpleton wrote:
>>
>>> Please keep followups on mailing list. :-(
>>>
>>> On 25/02/2006, at 11:28 AM, Robert Thomas Davis wrote:
>>>
>>>> Graham
>>>>
>>>> ...finally got everything up and running with the new
>>>> version :) Now I get a NameError exception on the
>>>> call to validate_user (which, at least, is a step in
>>>> the right direction)!!
>>>>
>>>> Do you have any suggestions as to what would be a
>>>> better way to structure this so I don't encounter that
>>>> issue? Basically what I am trying to accomplish is
>>>> the following...
>>>>
>>>> There will be more defs in index.py (like the devices
>>>> def) whose contents I want to protect. I want to
>>>> ensure that the user will have to enter their
>>>> user/passwd anytime attempts are made to access these
>>>> functions (unless the current session is still valid
>>>> of course). After reading that article you referenced
>>>> it seems I would need to move the validate_user
>>>> function to an outside module and then import it
>>>> inside the def __auth__()??
>>>
>>> Personally I wouldn't use the mod_python.publisher authentication,
>>> but that is a topic for another time.
>>>
>>> If you must use the mod_python.publisher support for basic
>>> authentication, then use a wrapper class to do it. If you have
>>> Python 2.4, you could even use decorators for the purpose to make
>>> it a really clean solution.
>>>
>>> Basic code is:
>>>
>>>     from mod_python import apache
>>>
>>>     class Restricted:
>>>         def __init__(self,method,realm="Restricted Access"):
>>>             self.__call__ = method
>>>             self.__auth_realm__ = realm
>>>         def __auth__(self,req,user,password):
>>>             apache.log_error("__auth__")
>>>             return user == "mickey" and password == "mouse"
>>>
>>>     def index(req):
>>>         return "index"
>>>
>>>     def page1(req):
>>>         return "page1"
>>>
>>>     def page2(req):
>>>         return "page2"
>>>
>>>     page2 = Restricted(page2)
>>>
>>> The "Restricted" class acts as a wrapper around the published
>>> function. The auth functions are actually in the wrapper class.
>>> Because the wrapper class is at global scope, you don't have the
>>> problem with nested functions that you are seeing.
>>>
>>> I don't have Python 2.4, so can't give you a solution which uses
>>> decorators, but I am sure that someone else on the mailing list who
>>> has and understands decorators could provide some code pretty quick.
>>> The idea with decorators is you should be able to set up the code so
>>> all you need to do is something like:
>>>
>>>     def index(req):
>>>         return "index"
>>>
>>>     def page1(req):
>>>         return "page1"
>>>
>>>     @restricted
>>>     def page2(req):
>>>         return "page2"
>>>
>>> The decorator would do the magic of wrapping the function for you
>>> automatically. To me this would be a really clean solution, although
>>> possibly restricted to use of functions.
>>>
>>> Anyone want to step up and provide a decorator solution for this?
>>>
>>>> Also, do any RPMs exist for these more recent versions
>>>> of mod_python OR is there a documented procedure for
>>>> building a mod_python RPM from the recent releases?
>>>
>>> I imagine someone will put together an RPM for 3.2.7/3.2.8
>>> at some stage. This is usually done by someone attached to
>>> the maintainers of the Linux distribution and not the mod_python
>>> folks though.
>>>
>>> Graham
>>>
>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>
>>>>> Robert Thomas Davis wrote ..
>>>>>> Graham
>>>>>>
>>>>>> Sorry...your replies were being sent to the "bulk"
>>>>>> folder...glad I checked it before just deleting all!
>>>>>>
>>>>>> I am using mod_python 3.1.3 with apache 2.0.53 on
>>>>>> Fedora Core 3.
>>>>>
>>>>> Any chance you can upgrade to mod_python 3.2.7? I really can't find
>>>>> any problem with the basic structure of what you are doing, but there
>>>>> have been fixes to publisher in 3.2.7 that may mean I am not seeing
>>>>> the problem.
>>>>>
>>>>>> The url I use to access the "devices" page (the one I
>>>>>> would like to protect) is http://localhost/devices.
>>>>>>
>>>>>> I do agree about having the info on the mailing list
>>>>>> so others could learn from it; maybe we can post the
>>>>>> results.
>>>>>
>>>>> The ongoing discussion is also useful, as the actual debugging process
>>>>> itself can be just as useful as the final result.
>>>>> Thus, use reply-all.
>>>>>
>>>>> Graham
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> --- Graham Dumpleton <grahamd at dscpl.com.au> wrote:
>>>>>>
>>>>>>> BTW, I can't seem to find that you have ever said
>>>>>>> exactly which version of mod_python you are using.
>>>>>>> Are you using the latest version?
>>>>>>>
>>>>>>> Graham
>>>>>>>
>>>>>>> Graham Dumpleton wrote ..
>>>>>>>> Still generally prefer it to be on the mailing list as other people can
>>>>>>>> learn from it and it is in the mailing list archive as well, so people
>>>>>>>> down the track may find it as well and it may solve a problem for
>>>>>>>> them also.
>>>>>>>>
>>>>>>>> One more question.
>>>>>>>> What URLs are you using to access the resources
>>>>>>>> so I can relate that properly to the Apache configuration and the
>>>>>>>> published functions in the file?
>>>>>>>>
>>>>>>>> Graham
>>>>>>>>
>>>>>>>> Robert Thomas Davis wrote ..
>>>>>>>>> Hello Graham
>>>>>>>>>
>>>>>>>>> I really appreciate your help with this...and since
>>>>>>>>> you have been the only one responding I thought I
>>>>>>>>> might as well just mail you the files in question
>>>>>>>>> (index.py and httpd.conf, attached as a .tgz)
>>>>>>>>>
>>>>>>>>> The file index.py would normally live in the
>>>>>>>>> directory:
>>>>>>>>> /usr/local/lap/http/
>>>>>>>>>
>>>>>>>>> Based on your last reply I am wondering if it is my
>>>>>>>>> httpd.conf file that is set up incorrectly (I do not
>>>>>>>>> get the 500 error at all). When the enclosed code
>>>>>>>>> gets executed it appears as though it skips right over
>>>>>>>>> the nested __auth__ function. However, if that
>>>>>>>>> function is moved to the module scope (index.py) it
>>>>>>>>> always gets called and subsequently calls the
>>>>>>>>> validate_users function.
>>>>>>>>>
>>>>>>>>> Again...your help is much appreciated.
>>>>>>>>>
>>>>>>>>> Rob
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Mod_python mailing list
>>>>>>>> Mod_python at modpython.org
>>>>>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
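
The decorator asked for in the quoted thread, as an added example (not code from the thread or from the mod_python project), written for a current Python 3 interpreter: restricted() returns a module-scope wrapper object like the Restricted class, and the hard-coded string comparison is replaced by a salted PBKDF2 check compared in constant time. The names restricted, make_verifier, derive, new_record and USERS are assumptions, as is the premise that mod_python.publisher reads __auth__ and __auth_realm__ from this wrapper the same way it does for Restricted.

```python
import hashlib
import hmac
import os

ITERATIONS = 100000  # assumption: PBKDF2 work factor, tune for your hardware

def derive(password, salt):
    """PBKDF2-HMAC-SHA256 key; only this value is stored, never the password."""
    data = (password or "").encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)

def new_record(password):
    """Build the (salt, key) record kept in the user table."""
    salt = os.urandom(16)
    return salt, derive(password, salt)

def make_verifier(users):
    """users maps name -> (salt, key); returns check(user, password) -> bool."""
    dummy = new_record("")  # hashed for unknown names so timing hides who exists
    def check(user, password):
        known = user in users
        salt, expected = users[user] if known else dummy
        # compare_digest avoids the early exit of == on the derived keys
        return hmac.compare_digest(derive(password, salt), expected) and known
    return check

def restricted(check, realm="Restricted Access"):
    """Decorator factory (hypothetical name): wraps a published function in an
    object that carries __auth__ and __auth_realm__ at module scope."""
    class Wrapper(object):
        def __init__(self, func):
            self._func = func
            self.__name__ = func.__name__
            self.__auth_realm__ = realm
        def __call__(self, req):  # same signature as the thread's page functions
            return self._func(req)
        def __auth__(self, req, user, password):
            return check(user, password)
    return Wrapper

# Constructed sample table; the name and password are the ones used in the thread.
USERS = {"mickey": new_record("mouse")}

@restricted(make_verifier(USERS))
def page2(req):
    return "page2"
```

In a deployment the USERS table would be loaded from storage that holds only the salt and derived key for each account.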