[web2py] Re: Which is faster?

2010-06-30 Thread mdipierro
I have done some tests in the past. On sqlite the like operator is
slow, slower than the join.


On 30 Giu, 01:38, weheh  wrote:
> I have a table 'x' with Field('z'), which is set via a multiselect.
> The value will be a string like '|1|2|3|5|8|'. These correspond to the
> ids of another table 'z'.
>
> I'm trying to figure out which would be a faster search:
>
> 1) use the 'like' operator to match the db.z.id stored in the x.z
> field
>
> or
>
> 2) first, parse x.z and then create a many-to-many table "foo", which
> stores x.id and z.id in order to link the x and z tables. Then, do a
> db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id))
>
> Obviously, the storage overhead of 1 is lower. But is there going to
> be any significant speedup from 2?


[web2py] Re: WordPressClone/PyPress GAE fix

2010-06-30 Thread mdmcginn
I'd prefer a web2py solution, of course. but meanwhile I'm planning to
use Micolog . Micolog is
currently the most actively developed Python blog for GAE, with the
most features that work out of the box (easy themes and plugins, for
example). The developers are almost all Chinese, but Google Translate
is somewhat helpful...

On Jun 26, 8:52 am, mdmcginn  wrote:
> I deployed Pypress (based on Wordpress Clone) for Google App Engine
> at http://writers-ear.appspot.com/earblog/ but it's still horribly slow:
> 06-26 06:27AM 23.966 /earblog 200 5275ms 661cpu_ms 467api_cpu_ms 2kb
>
> Any suggestions, or should I try another GAE blog solution?
>
> I'm now an owner of http://code.google.com/p/pypress4gae/ and http://github.com/mdmcginn/pp4gae,
> so if anybody else wants to work on
> this project, contact me. I've made it more compatible with the latest
> Wordpress theme (http://2010dev.wordpress.com/) but I won't continue
> if it can't be sped up.
>
> On Jun 26, 6:47 am, mdmcginn  wrote:
>
>
>
> > Correction: the owner of pp4gae has just contacted me, saying he has
> > "stopped working on this project since last update" and has given up
> > on further work. Too bad. I have cloned the project
> > at http://github.com/mdmcginn/pp4gae/ and have asked him if he could make
> > me the owner of his Google Code project. Not that I know what I'm
> > doing, but I could add competent coders as owners and could continue
> > the project that way. Unless someone plans to release the blog code
> > from KPAX soon...
>
> > On Jun 26, 5:32 am, mdmcginn  wrote:
>
> > > molhokwai, note that we have both filed issues at Google Code, but we
> > > shouldn't have. The pp4gae project has moved to 
> > > Github:http://github.com/zrenx/pp4gae
>
> > > On Jun 22, 10:38 am, molhokwai  wrote:
>
> > > > A reply to the message I saw while in a google search for "pypress"...
> > > > Saw it on osdir.com (I'm sent in a redirection loop when I try to 
> > > > access the
> > > > web2py-users group).
>
> > > > Arghh... would have eventually saved me time if I had found out about
> > > > the pypress for gae project...
> > > > But we can merge and have an even better app (if there is anything
> > > > interesting to merge, from my code)...
>
> > > > Voilà.
> > > > --
> > > > *M*ayou *N*kensa *P*enda *N*gué -*H*ervé
> > > > +32 489 33 71 
> > > > 51,molhok...@gmail.com,skype:molhokwaihttp://www.google.com/profiles/molhokwai
>
> > > > On Tue, Jun 15, 2010 at 11:12 AM, molhokwai  wrote:
> > > > > Hello there...
>
> > > > > Implemented fixes to run PyPress on GAE
> > > > > (See http://www.molhokwai.net/blog for how it's working...).
> > > > > Code fixes attached, and complete .w2p app also.
>
> > > > > Thanks all.


[web2py] form.custom: form.hidden_fields() no formkey

2010-06-30 Thread selecta
i created a form with
form = form_factory(
    Field('role', requires=IS_NOT_EMPTY(), label="Name"),
    Field('description', 'text')
)

and rendered it with
{{=form.custom.begin}}

Description


Name
{{=form.custom.widget.role}}


Description
{{=form.custom.widget.description}}


Select Members
{{=select_members_table}}

{{=form.hidden_fields()}}
{{=form.custom.end}}


now i would expect form.hidden_fields() to render the formkey, but it
does not, it just renders


(yes twice, no clue why)

did I miss something?


[web2py] Re: form.custom: form.hidden_fields() no formkey

2010-06-30 Thread selecta
just found out that
http://www.web2py.com/AlterEgo/default/show/205
is WRONG

{{=form.hidden_fields()}}
{{=form.custom.end}}

do not play well together, just using

{{=form.custom.end}}

will do the trick, would be nice to change 
http://www.web2py.com/AlterEgo/default/show/205


On Jun 30, 11:47 am, selecta  wrote:
> i created a form with
> form = form_factory(
>             Field('role', requires = IS_NOT_EMPTY(), label="Name"),
>             Field('description', 'text')
>             )
>
> and rendered it with
> {{=form.custom.begin}}
> 
>     Description
>     
>         
>             Name
>             {{=form.custom.widget.role}}
>         
>         
>             Description
>             {{=form.custom.widget.description}}
>         
>     
>     Select Members
>     {{=select_members_table}}
>     
>     {{=form.hidden_fields()}}
> {{=form.custom.end}}
> 
>
> now i would expect form.hidden_fields() to render the formkey, but it
> does not, it just renders
>  value="no_table_create" />
>  value="no_table_create" />
> (yes twice, no clue why)
>
> did I miss something?


[web2py] Re: web2py with AppStats

2010-06-30 Thread mdmcginn
I've added an appengine_config.py file in a comment to that blog post,
since AppStats didn't work for me without it.

Guido van Rossum (who wrote AppStats) says, "it adds some overhead to
your application."

On Jun 29, 8:27 pm, Richard  wrote:
> neat!
> Does AppStats add much overhead? If not it would be good to commit
> that gaehandler.py change to trunk.
>
> On Jun 30, 3:30 am, PanosJee  wrote:
>
>
>
> > if you are on GAE it's to have AppStats on
> > it's quite easy http://blog.socialcaddy.com/appstats-for-web2py-0


[web2py] Re: form.custom: form.hidden_fields() no formkey

2010-06-30 Thread mdipierro
1) Do not use form.hidden_fields() since that is called automatically
2) the formkey should be added when you call
form.accepts(...,session). If you do not pass session, no formkey.

On 30 Giu, 04:59, selecta  wrote:
> just found out that http://www.web2py.com/AlterEgo/default/show/205
> is WRONG
>
> {{=form.hidden_fields()}}
> {{=form.custom.end}}
>
> do not play well together, just using
>
> {{=form.custom.end}}
>
> will do the trick, would be nice to
> change http://www.web2py.com/AlterEgo/default/show/205
>
> On Jun 30, 11:47 am, selecta  wrote:
>
> > i created a form with
> > form = form_factory(
> >             Field('role', requires = IS_NOT_EMPTY(), label="Name"),
> >             Field('description', 'text')
> >             )
>
> > and rendered it with
> > {{=form.custom.begin}}
> > 
> >     Description
> >     
> >         
> >             Name
> >             {{=form.custom.widget.role}}
> >         
> >         
> >             Description
> >             {{=form.custom.widget.description}}
> >         
> >     
> >     Select Members
> >     {{=select_members_table}}
> >     
> >     {{=form.hidden_fields()}}
> > {{=form.custom.end}}
> > 
>
> > now i would expect form.hidden_fields() to render the formkey, but it
> > does not, it just renders
> >  > value="no_table_create" />
> >  > value="no_table_create" />
> > (yes twice, no clue why)
>
> > did I miss something?


Re: [web2py] Re: OAuth and Web2Py Tutorial

2010-06-30 Thread Albert Abril
Nice :)

In the article you used python-oauth2.

As an alternative, if you want to use it with twitter, you can use
tweepy. It adds client functions.
http://joshthecoder.github.com/tweepy/docs/index.html


Regards!

On Tue, Jun 22, 2010 at 10:24 AM, Mathieu Clabaut  wrote:

> Nice..
> Thank you for sharing!
>
>
> On Mon, Jun 21, 2010 at 18:45, mdipierro  wrote:
>
>> +1
>>
>> On Jun 21, 10:44 am, Doug Warren  wrote:
>> > I wrote a small tutorial on how to use OAuth with web2py by linking a
>> > session with a Twitter account.  A future update will include
>> > embedding the access token with auth and creating an oauth
>> > login_method class.  It can be found at
>> > http://dougwarren.org/2010/06/oauth-and-web2py-part-1/
>
>
>


[web2py] problem with global variables

2010-06-30 Thread pk
hi together,

i need help to solve this problem: i have a global variable in the
model like:

test = None

def changingtest():
    global test
    test = 5
    return None

how can i access the variable test in every controller function?
thanks for your fast help

peter


[web2py] Re: Problem trying to insert an image with CKEditor and SQLFORM

2010-06-30 Thread MikeEllis
I now have a workaround, but I don't like it very much.  By checking
the length of request.vars before calling form.accepts(), I can force
the request formkey to match the session formkey, e.g.

if len(request.vars):
    request.vars._formkey = session['_formkey[page_create]']
if form.accepts(request.vars, session):
    ... etc ...

The unwanted submit from the CKEditor image dialog is still occurring,
but forcing the keys to match when there's a real submit is avoiding
the failure in form.accepts().   I don't like it as a solution
because:
1. It relies on knowledge of web2py's internal form naming
conventions.
2. It only works if the unwanted submit has an empty request.vars
3. I suspect I may be defeating the purpose of the formkey and
possibly creating a security hole.

Is there a better way?

thanks,
Mike

On Jun 29, 6:10 pm, MikeEllis  wrote:
> This one still has me stumped so I'm taking the liberty of adding some
> more info to make it current in the discussions.  As I noted in the
> earlier post, the problem has to do with CKEditor's image
> insertion dialog somehow triggering a form submission.  This is really
> puzzling, because the link insertion dialog is nearly identical but
> doesn't trigger a submit.  Below is a modified version of the index
> function with some write statements to print the request vars and
> session formkeys.
>
> Any help much appreciated!
>
> def index():
>     form = SQLFORM(db.page, showid=False,keepvalues=True)
>     sys.stderr.write("\n\nsession formkey:
> %s"%session['_formkey[page_create]'])
>     sys.stderr.write("\nrequest.vars:%s"%repr(request.vars))
>     if form.accepts(request.vars,session):
>         response.flash = "Form accepted"
>         redirect(URL(r=request,f="show"))
>     elif form.errors:
>         response.flash = "Uh-oh!"
>     else:
>         response.flash = "Fill out the form"
>     sys.stderr.write("\n%s\n"%response.flash)
>     return dict(form=form)
>
> So when I visit the index page and use the CKEditor to insert a link,
> I see the following output in the console.
>
> (initial display)
> session formkey:bf5ec584-0ec9-4e74-90ff-ba53971ea2f5
> request.vars:
> Fill out the form
>
> (after inserting link, clicking ok to insert dialog, then clicking
> submit)
> session formkey:f95327b1-6152-4fb3-abd2-00444c9cc298
> request.vars:\r\n\thttp://web2py.com/
> book/static/tree.jpg">link\r\n', '_formkey':
> 'f95327b1-6152-4fb3-abd2-00444c9cc298', '_formname': 'page_create'}>
>
> If I try the same thing except that this time I insert an image,  I
> get an extra submit and the session formkey gets out of sync with the
> request.vars formkey.
>
> (initial display)
> session formkey:76e5e1fe-365c-401d-aaac-f2a751c8873e
> request.vars:
> Fill out the form
>
> (after inserting image and clicking ok in dialog)
> session formkey:a143b2f1-bc5c-41b0-90e6-ef01fdc8e913
> request.vars:
> Fill out the form
>
> (after clicking Submit)
> session formkey:9ee58f15-c1cd-4fa1-8766-b69b9a4478ac
> request.vars:\r\n\t\r\n', '_formkey': 'a143b2f1-bc5c-41b0-90e6-ef01fdc8e913',
> '_formname': 'page_create'}>
> Fill out the form
>
> The formkeys don't match, so form.accepts fails and the data never
> gets into the table.
>
> Thanks,
> Mike
>
> On Jun 21, 2:01 pm, Michael Ellis  wrote:
>
>
>
> > Not sure if this is a web2py or ckeditor problem or just some
> > misunderstanding on my part.  Here's what's happening:
>
> > If I create a CKEditor instance in a SQLFORM, things work as expected until
> > I try to insert an image. Clicking the Ok button in ckeditor's image dialog
> > appears to be causing an immediate and unwanted form submission with a
> > formkey that doesn't match the real formkey. This doesn't raise a form
> > error. Instead it triggers the final else branch of the form.accepts logic
> > (see below) and the image along with any other text that was entered is
> > lost.
>
> > I recently ran into this in a larger app, but am able to reproduce it in the
> > following minimal model and controller. Has anyone else run into this and is
> > there a workaround other than switching the CKEditor to Source mode and
> > manually entering the  tag? I'm using web2py1.79.2 and CKEditor 3.3.1
> > (revision 5586) but have also seen the problem in CKEditor 3.2.
>
> > MODEL
> > db.define_table('page',
> >     Field('body', 'text'),
> >     )
>
> > def advanced_editor(field, value):
> >     eid = str(field).replace('.','_')
> >     return TEXTAREA(_id = eid, _name=field.name,
> >                     _class='text ckeditor', value=value,
> >                     _cols=80, _rows=10)
>
> > db.page.body.widget = advanced_editor
>
> > VIEW (default.py/index.html)
> > {{extend 'layout.html'}}
> > 
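Added example, not web2py's own code: a stripped-down model of the one-time formkey that form.accepts(request.vars, session) checks, to illustrate Massimo's point above that the key comes from accepts() rather than hidden_fields(), and to show what the CKEditor workaround (copying the session formkey into request.vars before accepting) gives up. Session keys are named the way the earlier post printed them (`_formkey[page_create]`); the consume-on-accept and key-per-render behaviour is this model's simplification, not a statement about web2py internals.

```python
import secrets

FORMNAME = "page_create"


def _key_slot(formname):
    return "_formkey[%s]" % formname


def render_form(session, formname=FORMNAME):
    """Server side of a GET: mint a fresh random key, remember it in the
    session, and return the hidden fields the rendered form would carry."""
    key = secrets.token_hex(16)
    session[_key_slot(formname)] = key
    return {"_formname": formname, "_formkey": key}


def accepts(request_vars, session, formname=FORMNAME):
    """Server side of a POST: accept only if the submission carries the key
    this session issued, then consume it so a replay of the same POST fails."""
    if not request_vars or request_vars.get("_formname") != formname:
        return False
    expected = session.get(_key_slot(formname))
    submitted = request_vars.get("_formkey")
    if expected is None or submitted is None:
        return False
    if not secrets.compare_digest(submitted, expected):  # constant-time compare
        return False
    del session[_key_slot(formname)]
    return True


def honest_flow(session):
    """GET renders the form, the browser POSTs it back with the same key."""
    hidden = render_form(session)
    post = dict(hidden, body="<p>hello</p>")
    return accepts(post, session)


def stale_key_flow(session):
    """The symptom in the thread: an unwanted extra submit re-renders the
    form (new key in the session) while the page the user is still editing
    holds the old key, so the real submit is rejected."""
    hidden = render_form(session)          # first render, key A
    render_form(session)                   # unwanted submit -> re-render, key B
    post = dict(hidden, body="<p>hello</p>")  # browser still sends key A
    return accepts(post, session)


def workaround_flow(session, incoming_post):
    """The proposed workaround: overwrite the request's key with the session's
    key before checking.  Any non-empty POST that names the form now passes,
    including one crafted without ever loading the form, which is exactly the
    cross-site-request protection the key was providing."""
    render_form(session)
    if incoming_post:
        incoming_post["_formkey"] = session[_key_slot(FORMNAME)]
    return accepts(incoming_post, session)


if __name__ == "__main__":
    print("honest:     ", honest_flow({}))       # True
    print("stale key:  ", stale_key_flow({}))    # False
    print("workaround: ", workaround_flow({}, {"_formname": FORMNAME,
                                               "body": "posted from elsewhere"}))  # True
```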

[web2py] Re: problem with global variables

2010-06-30 Thread mdipierro
I think you want a session variable, not a global variable

test = session.test

def changingtest():
    session.test = 5
    return None

On 30 Giu, 07:42, pk  wrote:
> hi together,
>
> i need help to solve this problem: i have a global variable in the
> model like:
>
> test = None
>
> def changingtest():
>     global test
>     test = 5
>     return None
>
> how can i access to the variable test in every controllerfunction?
> thanks for your fast help
>
> peter


[web2py] Needed Help

2010-06-30 Thread nadeem jafar
I want to know whether it is possible to code a home automation system
on the web2py platform. I need an automation system which can
automate A/C and other home appliances and give me complete
reporting graphs. Please suggest.


[web2py] Re: elFinder-web2py , Filemanager for Web2py!

2010-06-30 Thread Troex Nevelin
Hello, I'm the author of elFinder.py

In about a month we plan to release a new version of elFinder, mostly
bugfixes, but I also plan to rewrite the python version to be more
library-like.

I know there are problems integrating elfinder with different python
frameworks; the current version was written for use under pure
CGI. This is my first major experience with python and so I have many
questions about the "right way" to write the connector so that it is
easy to integrate and to write plugins for.

The biggest question to me is how to implement handling POST and GET
data, I've seen many different ways how it is done in different
frameworks. Currently this is done using:
import cgi
self._form = cgi.FieldStorage()
Maybe I should put this outside elFinder.py and only pass parameters
to connector?

Feedback is welcome.


On Jun 24, 5:47 am, Phyo Arkar  wrote:
> Finally after 2 days of hacking elfinder backend for Django
> from http://www.elrte.ru/redmine/issues/128
> , i have managed to get elFinder working (about 90% of features)
>
> Attached is elFinder-web2py , still alot of improvement needed.
>
> -Downloading files is not working yet but should be easy to fix.
> -Help me make it more integrated into web2py
> -Their method of Directory scanning is so slow, going to replace with
> os.walk.
>
> Please note that this is not for Production use.
>
> I started a project , download and test there.
>
> Note URL (Both in View and web2py_elcon) need to be changed to your host:port
> (i did with port 8080)
>
> http://code.google.com/p/elfinder-web2py/downloads/list


[web2py] Re: Needed Help

2010-06-30 Thread mdipierro
yes. Some people here use it to control robots. Do you already have a
python API to the automation system?

On 30 Giu, 07:13, nadeem jafar  wrote:
> I want to know that is it possible to code a home automation system
> with web2py platform i need such type of automation system which can
> automate A/C and another  home appliances and give me complete
> reporting graph please suggest me


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread mdipierro
Hi Craig,

You may also want to ask some questions about form validation, default
validators and directory traversal attacks in file uploads.

Massimo

On 29 Giu, 11:08, Craig Younkins  wrote:
> Hello there! My name is Craig Younkins. I'm a summer intern at OWASP,
> the Open Web Application Security Project. This summer I'm working
> heavily on web security in Python.
>
> First, I would like to praise Dr. Di Pierro and all the web2py
> contributors for their focus on security. Examining the OWASP Top 10
> (http://www.web2py.com/examples/default/security) is a great way to
> start. Keep it up!
>
> Second, I'd like to invite the web2py community over to a site I've
> started about security in Python - http://www.pythonsecurity.org. The
> site aims to be the central hub for security in Python, and right now
> has a focus on web security. Inside there are articles specific to
> software like frameworks as well as articles related to security
> topics like cross-site scripting. We also have a Google Group (http://
> groups.google.com/group/python-security/topics) which I encourage the
> developers to join. There you can get answers to your Python security
> questions. I hope you check it out!
>
> Lastly, I'd like to encourage you to take a look at web2py's page on
> PythonSecurity.org - http://www.pythonsecurity.org/wiki/web2py/. I
> haven't had the time yet to examine web2py in detail, but on that page
> there is a pretty well-defined template of questions to be answered.
> Going through the list there will help the developers see areas in
> web2py that could use improvement, as well as documenting the
> strengths for other frameworks to model off of.
>
> Thanks!
>
> Craig Younkins


[web2py] Re: problem with global variables

2010-06-30 Thread pk
ok thanks, and what can i do now with the variable test in the first
line.
can i use this now in every function in each controller?

On 30 Jun., 15:12, mdipierro  wrote:
> I think you want a session variable, not a global variable
>
> test=session.test
>
> def changingtest():
>     session.test = 5
>     return None
>
> On 30 Giu, 07:42, pk  wrote:
>
> > hi together,
>
> > i need help to solve this problem: i have a global variable in the
> > model like:
>
> > test = None
>
> > def changingtest():
> >     global test
> >     test = 5
> >     return None
>
> > how can i access to the variable test in every controllerfunction?
> > thanks for your fast help
>
> > peter


[web2py] Re: Which is faster?

2010-06-30 Thread weheh
How about postgresql & mysql? Can you quantify slower - by what %?

On Jun 30, 3:21 am, mdipierro  wrote:
> I have done some tests in the past. On sqlite the like operator is
> slow, slower than the join.
>
> On 30 Giu, 01:38, weheh  wrote:
>
> > I have a table 'x' with Field('z'), which is set via a multiselect.
> > The value will be a string like '|1|2|3|5|8|'. These correspond to the
> > ids of another table 'z'.
>
> > I'm trying to figure out which would be a faster search:
>
> > 1) use the 'like' operator to match the db.z.id stored in the x.z
> > field
>
> > or
>
> > 2) first, parse x.z and then create a many-to-many table "foo", which
> > stores x.id and z.id in order to link the x and z tables. Then, do a
> > db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id))
>
> > Obviously, the storage overhead of 1 is lower. But is there going to
> > be any significant speedup from 2?


[web2py] Re: problem with global variables

2010-06-30 Thread weheh
If the statement "test=session.test" is within a controller and
outside all defs, then it is global to that controller, but that's
all. It's not accessible to other controllers. It probably is visible
to the controller's views -- you'll have to check to be sure. However,
session.test is accessible to all controllers and views.

If the statement "test=session.test" is within a model, it will be
global to all models that come after the statement and appear in files
that are alphabetically after the model file that contains the
statement. It will also be global to all controllers and views.

I'm pretty sure of the accuracy of the above statements, but you can
easily test to verify.

On Jun 30, 10:03 am, pk  wrote:
> ok thanks, and what can i do now with the variable test in the first
> line.
> can i use this now in every function in each controller?
>
> On 30 Jun., 15:12, mdipierro  wrote:
>
> > I think you want a session variable, not a global variable
>
> > test=session.test
>
> > def changingtest():
> >     session.test = 5
> >     return None
>
> > On 30 Giu, 07:42, pk  wrote:
>
> > > hi together,
>
> > > i need help to solve this problem: i have a global variable in the
> > > model like:
>
> > > test = None
>
> > > def changingtest():
> > >     global test
> > >     test = 5
> > >     return None
>
> > > how can i access to the variable test in every controllerfunction?
> > > thanks for your fast help
>
> > > peter


[web2py] Filtered search of db by dropdown selection

2010-06-30 Thread Giuseppe Luca Scrofani
After two days of attempts I still can't figure it out. What I want is
a set of dropdown selections, each with some options, and a submit
button. When options are selected and submit is pressed it starts a search
in a db table and returns the list of all occurrences meeting all
selected criteria... Something like this:

Dropdowns
- Category (choose from: a, b, c)
- Year (choose from: 2000, 2001, 2002)

Submit button (label: search)


db model logically is like this:
things
category
year


If someone would be so nice to help me, I'm very frustrated. What I
really want now is someone showing me an example or pointing me to a
simple tutorial, I'm sick of this problem.
Thanks in advance, even some psychological support would be good :D
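Added example (not from the thread): one way to build the filtered search described above, with the dropdown values validated against the sets actually offered (what IS_IN_SET does on the web2py side) and the WHERE clause assembled only from bound parameters, never from the submitted strings. The table and columns follow the model sketch in the post; the rows are constructed, and the DAL equivalent is shown in a comment.

```python
import sqlite3

# The options the two dropdowns offer; '' (nothing chosen) means "any".
CATEGORIES = ("a", "b", "c")
YEARS = (2000, 2001, 2002)


def build_things_db():
    """Constructed sample table matching the 'things(category, year)' model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE things (id INTEGER PRIMARY KEY, name TEXT, "
                 "category TEXT, year INTEGER)")
    conn.executemany(
        "INSERT INTO things (name, category, year) VALUES (?, ?, ?)",
        [("t1", "a", 2000), ("t2", "b", 2000), ("t3", "a", 2001),
         ("t4", "c", 2002), ("t5", "a", 2002)])
    conn.commit()
    return conn


def validate_selection(form_vars):
    """Turn submitted dropdown values into (category, year), refusing
    anything that the dropdowns never offered.  Returns None for 'any'."""
    category = form_vars.get("category", "")
    year_raw = form_vars.get("year", "")
    if category and category not in CATEGORIES:
        raise ValueError("category not offered by the dropdown")
    year = None
    if year_raw:
        if not year_raw.isdigit() or int(year_raw) not in YEARS:
            raise ValueError("year not offered by the dropdown")
        year = int(year_raw)
    return (category or None, year)


def search(conn, category=None, year=None):
    """Return the names of all things meeting every criterion that was set.

    web2py DAL equivalent of the same idea:
        query = db.things.id > 0
        if category: query &= db.things.category == category
        if year:     query &= db.things.year == year
        rows = db(query).select(orderby=db.things.name)
    """
    clauses, params = [], []
    if category is not None:
        clauses.append("category = ?")
        params.append(category)
    if year is not None:
        clauses.append("year = ?")
        params.append(year)
    sql = "SELECT name FROM things"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_things_db()
    cat, yr = validate_selection({"category": "a", "year": "2002"})
    print(search(db, cat, yr))   # ['t5']
    print(search(db, "a"))       # ['t1', 't3', 't5']
```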


[web2py] Re: Needed Help

2010-06-30 Thread weheh
I built a comprehensive voice-controlled home automation system in
python a few years ago. I believe I could easily connect it to web2py
if I were so inclined.

On Jun 30, 9:14 am, mdipierro  wrote:
> yes. Some people here use it to control robots. Do you have already
> python API to the automation system?
>
> On 30 Giu, 07:13, nadeem jafar  wrote:
>
> > I want to know that is it possible to code a home automation system
> > with web2py platform i need such type of automation system which can
> > automate A/C and another  home appliances and give me complete
> > reporting graph please suggest me


[web2py] Re: ajax background function crashes web2py fcgi handler

2010-06-30 Thread ScOut3R
There's a simple workaround for this problem. I've tested it and it
works fine. The concept is that I have to make the ajax request
synchronous. For this purpose I've used the jQuery.ajax function
instead of the web2py supplied one and I had to put everything inside a
queue. The code in my first post was rewritten like this:

function dvd() {
    $.ajax({
        async: false,
        url: 'bg_quick_dvd',
        data: {
            keyword: $('#keyword').val(),
            option: $('#option').val()
        },
        type: 'POST',
        success: function(data) {
            $('div#target_dvd').html(data);
        }
    });
    queue_start();
}

function music_cd() {
    $.ajax({
        async: false,
        url: 'bg_quick_music_cd',
        data: {
            keyword: $('#keyword').val(),
            option: $('#option').val()
        },
        type: 'POST',
        success: function(data) {
            $('div#target_music_cd').html(data);
        }
    });
    queue_start();
}

function book() {
    $.ajax({
        async: false,
        url: 'bg_quick_book',
        data: {
            keyword: $('#keyword').val(),
            option: $('#option').val()
        },
        type: 'POST',
        success: function(data) {
            $('div#target_book').html(data);
        }
    });
}

var queue = [];

function start() {
    if (jQuery('#title').attr('checked'))
        jQuery('#option').val('1');
    if (jQuery('#store').attr('checked'))
        jQuery('#option').val('0');

    // pushed in reverse order: pop() runs dvd, then music_cd, then book
    queue.push(book);
    queue.push(music_cd);
    queue.push(dvd);
    queue_start();
}

function queue_start() {
    if (queue.length > 0) {
        var fn = queue.pop();
        fn();
    }
}




On Jun 24, 7:14 pm, ScOut3R  wrote:
> Dear List,
>
> the ajax based background search crashes my web2py installation. It's
> version 1.77.3 and I'm using the fcgihandler to access the
> application. OS: OpenBSD 4.6, Python version is Python 2.5.4
> (r254:67916, Oct 19 2009, 01:52:14).
>
> As You can see below the search makes three database queries. The
> first search attempt works and the second crashes web2py. Would You be
> so kind to look into it?
>
> The error is the following:
>
> Unhandled exception in thread started by  of >
> Traceback (most recent call last):
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 664, in run
>     self.process_input()
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 700, in process_input
>     self._do_params(rec)
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 799, in _do_params
>     self._start_request(req)
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 783, in _start_request
>     req.run()
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 592, in run
>     self._flush()
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 599, in _flush
>     self.stdout.close()
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 358, in close
>     self._conn.writeRecord(rec)
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 715, in writeRecord
>     rec.write(self._sock)
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 552, in write
>     self._sendall(sock, header)
>   File "/var/www/web2py/prod/gluon/contrib/gateways/fcgi.py", line
> 529, in _sendall
>     sent = sock.send(data)
> socket.error: (32, 'Broken pipe')
>
> The jquery snippet that calls the background functions:
>
> function dvd() {ajax('bg_quick_dvd', ['keyword', 'option'],
> 'target_dvd'); }
> function music_cd() {ajax('bg_quick_music_cd', ['keyword', 'option'],
> 'target_music_cd'); }
> function book() {ajax('bg_quick_book', ['keyword', 'option'],
> 'target_book');
>
> function start() {
>         if(jQuery('#title').attr('checked'))
>                 jQuery('#option').val('1');
>         if(jQuery('#store').attr('checked'))
>                 jQuery('#option').val('0');
>
>         dvd();
>         setTimeout('music_cd()', 150);
>         setTimeout('book()', 300);
>
> }
>
> And the background functions:
>
> def bg_quick_dvd():
>         if (request.vars.option == '1'):
>                 pattern = '%' + request.vars.keyword + '%'
>                 dvds = db((db.dvds.user==user_id) &
> (db.dvds.title.like(pattern))).select(orderby=db.dvds.title)
>         else:
>                 dvds = db((db.dvds.user==user_id) &
> (db.dvds.store==request.vars.keyword)).select(orderby=db.dvds.title)
>         items = [A(row.title, _href=URL(c='dvd', r=request, f='show',
> args=row.id)) for row in dvds]
>         return UL(

[web2py] How to insert _blank in A html helper

2010-06-30 Thread Giuseppe Luca Scrofani
I can't find this little piece of information anywhere in the cyberspace...

a simple plain link with html helpers:

A(B('link name'), _href=URL(r=request, f='show', args=x.id))

How to put a _black attribute inside this?


[web2py] Re: problem with global variables

2010-06-30 Thread pk
thanks massimo:
i still get errors here my model:

import time
from naoqi import ALBroker
from naoqi import ALProxy

broker = session.broker
behaviorProxy = session.behaviorProxy
ttsProxy = session.ttsProxy
motionProxy = session.motionProxy
testvariable = session.testvariable

def connectRobo(roboip):
    RoboIP   = roboip
    RoboPORT = 9559

    BrokerIP   = "127.0.0.1"
    BrokerPORT = 

    session.broker = ALBroker("pythonBroker", BrokerIP, BrokerPORT, RoboIP, RoboPORT)
    session.ttsProxy = ALProxy("ALTextToSpeech")
    session.ttsProxy.setVolume(1.0)
    session.ttsProxy.setLanguage("English")
    session.ttsProxy.setVoice("Heather22Enhanced")
    session.behaviorProxy = ALProxy("ALBehaviorManager")
    session.motionProxy = ALProxy("ALMotion")
    stiffnesses = 1.0
    session.motionProxy.setStiffnesses('Body', stiffnesses)
    leftArmEnable = True
    rightArmEnable = True
    session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
    return None

in the first controller:
def startConnection():
    connect = connectRobo(request.vars.iptext)
    #testingfunction()
    print(request.vars.iptext)
    return None


in the second controller:
def automatic_control():
    if auth.is_logged_in():
        aktsession = auth.user.id
        userfirstname = auth.user.first_name
        userlastname = auth.user.last_name
        behaviours = behaviorProxy.getInstalledBehaviors()
        return dict(session=aktsession, firstname=userfirstname,
                    lastname=userlastname, behaviours=behaviours)
    redirect(URL(r=request, c='default/user', f='login'))

i get the error:

POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection
500 INTERNAL SERVER ERROR
1.28s



On 30 Jun., 15:12, mdipierro  wrote:
> I think you want a session variable, not a global variable
>
> test=session.test
>
> def changingtest():
>     session.test = 5
>     return None
>
> On 30 Giu, 07:42, pk  wrote:
>
> > hi together,
>
> > i need help to solve this problem: i have a global variable in the
> > model like:
>
> > test = None
>
> > def changingtest():
> >     global test
> >     test = 5
> >     return None
>
> > how can i access to the variable test in every controllerfunction?
> > thanks for your fast help
>
> > peter


[web2py] Disabling registration

2010-06-30 Thread Deepan
Hi,

I am relatively new to web2py. It would be great if somebody can guide
me through these issues.

1. A way to disable registration for anonymous users of the app.

2. When I am logged in as an authenticated user I'm redirected to my
profile page instead of the registration page.

Please let me know how to fix these issues.

Thanks for the help!


[web2py] Re: Which is faster?

2010-06-30 Thread mdipierro
I cannot quantify. If I run more tests I'll let you know.

On 30 Giu, 09:04, weheh  wrote:
> How about postgresql & mysql? Can you quantify slower - by what %?
>
> On Jun 30, 3:21 am, mdipierro  wrote:
>
> > I have done some tests in the past. On sqlite the like operator is
> > slow, slower than the join.
>
> > On 30 Giu, 01:38, weheh  wrote:
>
> > > I have a table 'x' with Field('z'), which is set via a multiselect.
> > > The value will be a string like '|1|2|3|5|8|'. These correspond to the
> > > ids of another table 'z'.
>
> > > I'm trying to figure out which would be a faster search:
>
> > > 1) use the 'like' operator to match the db.z.id stored in the x.z
> > > field
>
> > > or
>
> > > 2) first, parse x.z and then create a many-to-many table "foo", which
> > > stores x.id and z.id in order to link the x and z tables. Then, do a
> > > db(db.z.id==8).select(...,left=(db.foo.on(db.foo.x==db.x.id),db.foo.on(db.foo.z==db.z.id))
>
> > > Obviously, the storage overhead of 1 is lower. But is there going to
> > > be any significant speedup from 2?
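The two approaches from this thread side by side, as an added illustration (not code from the thread or from web2py) on an in-memory SQLite database with constructed rows: option 1 as a LIKE over the '|1|2|3|5|8|' string, option 2 through a junction table. It also shows the trap a LIKE without both delimiters falls into, where '%8%' also matches '|18|', and binds the pattern as a parameter instead of concatenating it into the SQL.

```python
import sqlite3

# Constructed rows for table x: each z column holds ids of table z in the
# '|1|2|3|5|8|' layout from the thread. Row 2 exists to show the '|18|' trap.
SAMPLE_X = {
    1: "|1|2|3|5|8|",
    2: "|18|",
    3: "|2|8|",
    4: "|3|",
}


def parse_ids(value):
    """Turn '|1|2|3|5|8|' into [1, 2, 3, 5, 8]; the empty segments produced by
    the leading and trailing bars are skipped."""
    return [int(part) for part in value.split("|") if part.strip()]


def build_db():
    """In-memory SQLite with x (list-reference column), z, and the junction
    table foo(x_id, z_id) that option 2 in the thread proposes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE z (id INTEGER PRIMARY KEY)")
    conn.execute("CREATE TABLE x (id INTEGER PRIMARY KEY, z TEXT)")
    conn.execute(
        "CREATE TABLE foo (x_id INTEGER REFERENCES x(id), "
        "z_id INTEGER REFERENCES z(id), PRIMARY KEY (x_id, z_id))"
    )
    all_z = {zid for value in SAMPLE_X.values() for zid in parse_ids(value)}
    conn.executemany("INSERT INTO z (id) VALUES (?)", [(zid,) for zid in sorted(all_z)])
    for xid, value in SAMPLE_X.items():
        conn.execute("INSERT INTO x (id, z) VALUES (?, ?)", (xid, value))
        # Populating foo is the parsing step option 2 pays for once, at write time.
        conn.executemany(
            "INSERT INTO foo (x_id, z_id) VALUES (?, ?)",
            [(xid, zid) for zid in parse_ids(value)],
        )
    conn.execute("CREATE INDEX foo_z_id ON foo (z_id)")  # what makes the join cheap
    conn.commit()
    return conn


def find_by_naive_like(conn, zid):
    """Option 1 done carelessly: '%8%' also matches '|18|' and '|80|'."""
    pattern = "%%%d%%" % int(zid)  # int() rejects anything that is not an id
    rows = conn.execute("SELECT id FROM x WHERE z LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def find_by_like(conn, zid):
    """Option 1 done right: both delimiters are part of the pattern, so only
    the exact id matches. Still a full scan: LIKE '%...' cannot use an index."""
    pattern = "%%|%d|%%" % int(zid)
    rows = conn.execute("SELECT id FROM x WHERE z LIKE ?", (pattern,))
    return sorted(r[0] for r in rows)


def find_by_join(conn, zid):
    """Option 2: look the id up through the junction table, no string matching."""
    rows = conn.execute(
        "SELECT x.id FROM x JOIN foo ON foo.x_id = x.id WHERE foo.z_id = ?",
        (int(zid),),
    )
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    for label, fn in (("naive LIKE", find_by_naive_like),
                      ("delimited LIKE", find_by_like),
                      ("junction join", find_by_join)):
        print("%-15s z=8 -> x ids %s" % (label, fn(db, 8)))
```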


[web2py] Re: How to insert _blank in A html helper

2010-06-30 Thread mdipierro
what is a _black attribute? Can you provide an HTML example of the
output you want?

On 30 Giu, 09:18, Giuseppe Luca Scrofani  wrote:
> I can't find this little piece of information anywhere in the cyberspace...
>
> a simple plain link with html helpers:
>
> A(B('link name'), _href=URL(r=request, f='show', args=x.id))
>
> How to put a _black attribute inside this?


[web2py] Re: problem with global variables

2010-06-30 Thread pk
does session work with:

session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)

then here i get an error

On 30 Jun., 16:19, pk  wrote:
> thanks massimo:
> i still get errors here my model:
>
> import time
> from naoqi import ALBroker
> from naoqi import ALProxy
>
> broker = session.broker
> behaviorProxy = session.behaviorProxy
> ttsProxy = session.ttsProxy
> motionProxy = session.motionProxy
> testvariable = session.testvariable
>
> def connectRobo(roboip):
>     RoboIP   = roboip
>     RoboPORT = 9559
>
>     BrokerIP   = "127.0.0.1"
>     BrokerPORT = 
>
>     session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
>     session.ttsProxy= ALProxy ("ALTextToSpeech")
>     session.ttsProxy.setVolume(1.0)
>     session.ttsProxy.setLanguage("English")
>     session.ttsProxy.setVoice("Heather22Enhanced")
>     session.behaviorProxy = ALProxy ("ALBehaviorManager")
>     session.motionProxy= ALProxy("ALMotion")
>     stiffnesses  = 1.0
>     session.motionProxy.setStiffnesses('Body', stiffnesses)
>     leftArmEnable  = True
>     rightArmEnable  = True
>     session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
>     return None
>
> in the first controller:
> def startConnection():
>    connect = connectRobo(request.vars.iptext)
>    #testingfunction()
>    print(request.vars.iptext)
>    return None
>
> in the second controller:
> def automatic_control():
>     if auth.is_logged_in():
>         aktsession=auth.user.id
>         userfirstname=auth.user.first_name
>         userlastname=auth.user.last_name
>         behaviours = behaviorProxy.getInstalledBehaviors()
>         return dict(session=aktsession, firstname=userfirstname, lastname=userlastname, behaviours=behaviours)
>     redirect(URL(r=request,c='default/user',f='login'))
>
> i get the error:
>
> POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection
> 500 INTERNAL SERVER ERROR
>                 1.28s
>
> On 30 Jun., 15:12, mdipierro  wrote:
>
> > I think you want a session variable, not a global variable
>
> > test=session.test
>
> > def changingtest():
> >     session.test = 5
> >     return None
>
> > On 30 Giu, 07:42, pk  wrote:
>
> > > hi together,
>
> > > i need help to solve this problem: i have a global variable in the
> > > model like:
>
> > > test = None
>
> > > def changingtest():
> > >     global test
> > >     test = 5
> > >     return None
>
> > > how can i access the variable test in every controller function?
> > > thanks for your fast help
>
> > > peter


[web2py] Re: problem with global variables

2010-06-30 Thread pk
but without session it works. but i need, for example, broker in every
controller function (in each controller)

On 30 Jun., 16:38, pk  wrote:
> does session work with:
>
> session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
>
> then here i get an error
>
> On 30 Jun., 16:19, pk  wrote:
>
> > thanks massimo:
> > i still get errors here my model:
>
> > import time
> > from naoqi import ALBroker
> > from naoqi import ALProxy
>
> > broker = session.broker
> > behaviorProxy = session.behaviorProxy
> > ttsProxy = session.ttsProxy
> > motionProxy = session.motionProxy
> > testvariable = session.testvariable
>
> > def connectRobo(roboip):
> >     RoboIP   = roboip
> >     RoboPORT = 9559
>
> >     BrokerIP   = "127.0.0.1"
> >     BrokerPORT = 
>
> >     session.broker = ALBroker("pythonBroker",BrokerIP,BrokerPORT,RoboIP,RoboPORT)
> >     session.ttsProxy= ALProxy ("ALTextToSpeech")
> >     session.ttsProxy.setVolume(1.0)
> >     session.ttsProxy.setLanguage("English")
> >     session.ttsProxy.setVoice("Heather22Enhanced")
> >     session.behaviorProxy = ALProxy ("ALBehaviorManager")
> >     session.motionProxy= ALProxy("ALMotion")
> >     stiffnesses  = 1.0
> >     session.motionProxy.setStiffnesses('Body', stiffnesses)
> >     leftArmEnable  = True
> >     rightArmEnable  = True
> >     session.motionProxy.setWalkArmsEnable(leftArmEnable, rightArmEnable)
> >     return None
>
> > in the first controller:
> > def startConnection():
> >    connect = connectRobo(request.vars.iptext)
> >    #testingfunction()
> >    print(request.vars.iptext)
> >    return None
>
> > in the second controller:
> > def automatic_control():
> >     if auth.is_logged_in():
> >         aktsession=auth.user.id
> >         userfirstname=auth.user.first_name
> >         userlastname=auth.user.last_name
> >         behaviours = behaviorProxy.getInstalledBehaviors()
> >         return dict(session=aktsession, firstname=userfirstname, lastname=userlastname, behaviours=behaviours)
> >     redirect(URL(r=request,c='default/user',f='login'))
>
> > i get the error:
>
> > POST http://127.0.0.1:8000/NetAVATAR_neu/roboconnect/startConnection
> > 500 INTERNAL SERVER ERROR
> >                 1.28s
>
> > On 30 Jun., 15:12, mdipierro  wrote:
>
> > > I think you want a session variable, not a global variable
>
> > > test=session.test
>
> > > def changingtest():
> > >     session.test = 5
> > >     return None
>
> > > On 30 Giu, 07:42, pk  wrote:
>
> > > > hi together,
>
> > > > i need help to solve this problem: i have a global variable in the
> > > > model like:
>
> > > > test = None
>
> > > > def changingtest():
> > > >     global test
> > > >     test = 5
> > > >     return None
>
> > > > how can i access the variable test in every controller function?
> > > > thanks for your fast help
>
> > > > peter


Re: [web2py] Re: How to insert _blank in A html helper

2010-06-30 Thread Philip Kilner

Hi Massimo,

On 30/06/10 15:33, mdipierro wrote:

what is a _black attribute? Can you provide an HTML example of the
output you want?



As I read it, the OP wants to set the target attribute = _blank, e.g. to 
open the link in a new window.


HTH


--

Regards,

PhilK


'work as if you lived in the early days of a better nation'
- alasdair gray


Re: [web2py] Re: How to insert _blank in A html helper

2010-06-30 Thread Giuseppe Luca Scrofani
Sorry for the typo, it is exactly a _blank target attribute

desired output

link name


[web2py] What to Use... gluon.dal or gluon.sql ??

2010-06-30 Thread Phyo Arkar
I am confused ... :?


[web2py] Re: Disabling registration

2010-06-30 Thread Chris S
Check out the book located at www.web2py.com/book; you'll find a lot of
useful information in it.

For 1:
Section 8.1 talks about restricting registration
http://www.web2py.com/book/default/section/8/1?search=Restrictions+on+registration

For 2:
Section 8.2 talks about the settings built into Auth.  I believe
you're looking for login_next
http://www.web2py.com/book/default/section/8/2?search=login_next

The search function on the book is fairly good, once you get used to
some of the words you're looking for.

On Jun 30, 9:24 am, Deepan  wrote:
> Hi,
>
> I am relatively new to web2py. It would be great if somebody can guide
> me through these issues.
>
> 1. way to disable registration for anonymous users of the app.
>
> 2. When I am logged in as an authenticated user I'm redirected to my
> profile page instead of registration page.
>
> Please let me know how to fix these issues.
>
> Thanks for the help!


[web2py] Re: What to Use... gluon.dal or gluon.sql ??

2010-06-30 Thread mdipierro
gluon/sql.py

dal.py is an experimental rewrite that is stuck because of lack of
time.

On 30 Giu, 10:55, Phyo Arkar  wrote:
> I am confused ... :?


[web2py] Change "submit" text in generic submit button

2010-06-30 Thread Giuseppe Luca Scrofani
Hi, where do I have to look to change the default "submit" string of the
generic submit button to something else? I'm not interested in
localizing the application (it has to remain English), but if that is
the only way, how can I do this? By creating an "en" locale?


[web2py] Re: patch to dal [Re: bug in SQLFORM?]

2010-06-30 Thread Jose
I was checking the file sql.py, seeing the way you get the IDs of the
different database engines. I think the problem might occur with the
use of "SELECT IDENT_CURRENT('tablename');" in SQLServer, and likewise
with the other databases.

That is, if someone inserts another record between the insert of the
record and the retrieval of its ID, the ID obtained will be incorrect.
I know that the probability is very small, but it can happen.

For example:
Postgres uses: "select currval ('tablename_id_Seq')"

similarly the other engines.

Jose


[web2py] Re: Change "submit" text in generic submit button

2010-06-30 Thread NetAdmin
Put something like this in your controller.

INPUT( _type = 'submit', _value = 'Save', _style ='width: 100px;' )


On Jun 30, 11:04 am, Giuseppe Luca Scrofani 
wrote:
> Hi, where do I have to look to change the default "submit" string of the
> generic submit button to something else? I'm not interested in
> localizing the application (it has to remain English), but if that is
> the only way, how can I do this? By creating an "en" locale?


[web2py] Re: patch to dal [Re: bug in SQLFORM?]

2010-06-30 Thread mdipierro
If that can happen, then it is wrong. My understanding is that
because we are in a transaction, before the insert is committed we get
the id of the last record.

On 30 Giu, 11:56, Jose  wrote:
> I was checking the file sql.py, seeing the way you get the IDs of the
> different database engines. I think the problem might occur with the
> use of "SELECT IDENT_CURRENT('tablename');" in SQLServer, and likewise
> with the other databases.
>
> That is, if someone inserts another record between the insert of the
> record and the retrieval of its ID, the ID obtained will be incorrect.
> I know that the probability is very small, but it can happen.
>
> For example:
> Postgres uses: "select currval ('tablename_id_Seq')"
>
> similarly the other engines.
>
> Jose


[web2py] Re: Change "submit" text in generic submit button

2010-06-30 Thread mdipierro
I think what you need is this:

form = SQLFORM(,submit_button=T('click me! me! me!'))

or

crud.messages.submit_button = 'click me to proceed'
form=crud.create()

On 30 Giu, 11:04, Giuseppe Luca Scrofani  wrote:
> Hi, where do I have to look to change the default "submit" string of the
> generic submit button to something else? I'm not interested in
> localizing the application (it has to remain English), but if that is
> the only way, how can I do this? By creating an "en" locale?


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread Craig Younkins
"You may also want to ask some questions about form validation,
default validators and directory traversal attacks in file uploads. "

Good idea. I'll add those.

I've reviewed what you wrote on the wiki and some parts of the
application code, and I have a few preliminary recommendations to
improve security:

* Drop support for basic auth. It's really insecure -
http://www.pythonsecurity.org/wiki/basicauthentication/

* Drop MD5 as the default hashing algorithm, use SHA512. MD5 is now
considered 'cryptographically broken'

* The HMAC secret is by default '', and I don't see
anywhere in the documentation how to generate a new one or the
recommendation to do so

* Do not use cgi.escape for HTML escaping because it does not escape
single quotes and may lead to XSS - See
http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss
and  http://www.pythonsecurity.org/wiki/cgi/

* Session IDs should time out when the authentication information
does, and the user should get a new session ID when they
reauthenticate. This defense will help ensure that even if a session
ID is leaked, it will only be useful for a limited amount of time. It
sounds like users always have the same session ID.

Questions:

"If not key/salt is provided is provided web2py uses MD5, but is a key/
salt is provided (and the scaffolding application generates one
automatically) it uses HMAC+MD5 or HMAC+SHA512."

I ran 'python web2py.py -S testapp' but it did not generate a new
value for auth.settings.hmac_key in db.py. Should it have?
It appears to use MD5 by default unless an alternative is specified,
such as SHA512.

Please feel free to discuss!

Craig Younkins

On Jun 30, 9:58 am, mdipierro  wrote:
> Hi Craig,
>
> You may also want to ask some questions about form validation, default
> validators and directory traversal attacks in file uploads.
>
> Massimo
>
> On 29 Giu, 11:08, Craig Younkins  wrote:
>
>
>
> > Hello there! My name is Craig Younkins. I'm a summer intern at OWASP,
> > the Open Web Application Security Project. This summer I'm working
> > heavily on web security in Python.
>
> > First, I would like to praise Dr. Di Pierro and all the web2py
> > contributors for their focus on security. Examining the OWASP Top 10
> > (http://www.web2py.com/examples/default/security) is a great way to
> > start. Keep it up!
>
> > Second, I'd like to invite the web2py community over to a site I've
> > started about security in Python -http://www.pythonsecurity.org. The
> > site aims to be the central hub for security in Python, and right now
> > has a focus on web security. Inside there are articles specific to
> > software like frameworks as well as articles related to security
> > topics like cross-site scripting. We also have a Google Group (http://
> > groups.google.com/group/python-security/topics) which I encourage the
> > developers to join. There you can get answers to your Python security
> > questions. I hope you check it out!
>
> > Lastly, I'd like to encourage you to take a look at web2py's page on
> > PythonSecurity.org -http://www.pythonsecurity.org/wiki/web2py/. I
> > haven't had the time yet to examine web2py in detail, but on that page
> > there is a pretty well-defined template of questions to be answered.
> > Going through the list there will help the developers see areas in
> > web2py that could use improvement, as well as documenting the
> > strengths for other frameworks to model off of.
>
> > Thanks!
>
> > Craig Younkins
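To make the single-quote point concrete, here is an added test (not code from web2py or from this thread) that renders an untrusted value into a single-quoted attribute two ways and then parses the result: once with an escaper limited to &, < and >, which is what cgi.escape does by default (reproduced here with html.escape(quote=False), since the cgi module was removed from recent Pythons), and once with one that also escapes both quote characters. UNTRUSTED_TITLE and the markup template are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed untrusted input: a title that tries to end a single-quoted attribute early.
UNTRUSTED_TITLE = "it's ' data-injected='1"


def legacy_escape(value):
    """Escape only &, < and >: the three characters cgi.escape() handles by default."""
    return html.escape(value, quote=False)


def attr_escape(value):
    """Escape &, <, >, " and ', which is what a value placed inside an attribute needs."""
    return html.escape(value, quote=True)


def render_link(title, escaper):
    """Render the title into a single-quoted attribute using the given escaper
    (the template is constructed for this example)."""
    return "<a href='/show' title='%s'>link name</a>" % escaper(title)


class _AnchorAttrs(HTMLParser):
    """Collect the attributes the parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(markup):
    """Attributes of the <a> tag as an HTML parser reads them (values already unescaped)."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def attribute_is_contained(title, escaper):
    """True when the whole untrusted value stays inside the title attribute and
    no extra attribute appears, i.e. the escaper was adequate for this context."""
    attrs = parsed_attributes(render_link(title, escaper))
    return set(attrs) == {"href", "title"} and attrs.get("title") == title


if __name__ == "__main__":
    for name, escaper in (("cgi.escape-style", legacy_escape), ("attribute-aware", attr_escape)):
        verdict = "contained" if attribute_is_contained(UNTRUSTED_TITLE, escaper) else "BROKE OUT"
        print("%-17s %-10s %s" % (name, verdict, render_link(UNTRUSTED_TITLE, escaper)))
```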


[web2py] Re: patch to dal [Re: bug in SQLFORM?]

2010-06-30 Thread Jose


On 30 jun, 14:04, mdipierro  wrote:
> If that can happen, then it is wrong. My understanding is that
> because we are in a transaction, before the insert is committed we get
> the id of the last record.
>

Okay, but "I believe" that everything about AUTO_INCREMENT fields is
outside the transactions. They are independent of whether you commit or
rollback.


[web2py] Re: How to insert _blank in A html helper

2010-06-30 Thread Yarko Tymciurak
In general, any "attribute" for an HTML helper can be set by referring
to the HTML tag name:  this
in the helper as:  _this

So, your original question can change to:   "How do I set the target
tag in the A()  helper?"

On Jun 30, 10:36 am, Giuseppe Luca Scrofani 
wrote:
> Sorry for the typo, it is exactly a _blank target attribute
>
> desired output
>
> link name

Like this:

A(B('link name'), _href=URL(r=request, f='show', args=x.id), _target="_blank")

Hope this helps,
- Yarko


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread mdipierro
On 30 Giu, 12:19, Craig Younkins  wrote:
> "You may also want to ask some questions about form validation,
> default validators and directory traversal attacks in file uploads. "
>
> Good idea. I'll add those.
>
> I've reviewed what you wrote on the wiki and some parts of the
> application code, and I have a few preliminary recommendations to
> improve security:
>
> * Drop support for basic auth. It's really insecure 
> -http://www.pythonsecurity.org/wiki/basicauthentication/

Actually this is already disabled by default. You have to enable it if you
want to use it. People sometimes use it for web services.

> * Drop MD5 as the default hashing algorithm, use SHA512. MD5 is now 
> considered 'cryptographically broken'

When I say that MD5 is the default that applies only to the case that
a hmac_key is not specified. This is 1) for backward compatibility; 2)
because without a key/salt sha512 and md5 are vulnerable to the same
dictionary attacks. In all the other cases...(read next answer)

> * The HMAC secret is by default '', and I don't see
> anywhere in the documentation how to generate a new one or the
> recommendation to do so

If you use "admin" to create a new app, the '' is
automatically replaced with something like

auth.settings.hmac_key = 'sha512:06a78549-cf6c-4767-a847-435541210976'

The 'sha512' forces web2py to use sha512. This is the normal behavior
for all new applications unless the "admin" interface is bypassed.
In this case the user has to come up with a unique hmac_key on his
own.

> * Do not use cgi.escape for HTML escaping because it does not escape
> single quotes and may lead to XSS - 
> Seehttp://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss
> and  http://www.pythonsecurity.org/wiki/cgi/

I assume you refer to attribute escaping. When using helpers like
{{=A(link,_href=url)}} then link is escaped using cgi.escape but url
is escaped differently (quotes are escaped). The problem is that the
escape function does not know whether a variable is to be inserted in
html, css, js, attribute, a string in js, etc. etc. and therefore if
the function does not know the context it is in, it cannot always escape
correctly. I do not believe there is a general solution to this
problem. web2py assumes {{=}} is escaping HTML/XML. If you need to
escape attributes we suggest using helpers.  If you need to escape js
code or strings in js code, you may have to do it manually.

> * Session IDs should time out when the authentication information
> does, and the user should get a new session ID when they
> reauthenticate. This defense will help ensure that even if a session
> ID is leaked, it will only be useful for a limited amount of time. It
> sounds like users always have the same session ID.

I disagree but probably I did not explain this very well. web2py has
two things it calls session. One is the general session managed via
cookie session_id. One is the authentication session stored into the
general session file. When a user logs out the authentication session
information into the general session is deleted. If an attacker were
to intercept the cookie session_id and try to use it to gain access to
the system, it would not work. The session_id is used for the general
session and it does not expire because when the user logs in again, if
the user had a state stored in the session file, you want that state
to be retrieved.

Another way to see this is that some applications do not use
authentication at all and still they need to use a session to track
users.

> Questions:
>
> "If no key/salt is provided web2py uses MD5, but if a key/
> salt is provided (and the scaffolding application generates one
> automatically) it uses HMAC+MD5 or HMAC+SHA512."
>
> I ran 'python web2py.py -S testapp' but it did not generate a new
> value for auth.settings.hmac_key in db.py. Should it have?

This is a bug. I just fixed it in trunk. Thank you!

> It appears to use MD5 by default unless an alternative is specified,
> such as SHA512.

As mentioned above the "admin" does this and "web2py -S app" should
too (but there is the bug you pointed out). "admin" automatically sets
the hmac_key="sha512:.", i.e. defaults to SHA512.

This is a very useful discussion.

Massimo

> Please feel free to discuss!
>
> Craig Younkins
>
> On Jun 30, 9:58 am, mdipierro  wrote:
>
> > Hi Craig,
>
> > You may also want to ask some questions about form validation, default
> > validators and directory traversal attacks in file uploads.
>
> > Massimo
>
> > On 29 Giu, 11:08, Craig Younkins  wrote:
>
> > > Hello there! My name is Craig Younkins. I'm a summer intern at OWASP,
> > > the Open Web Application Security Project. This summer I'm working
> > > heavily on web security in Python.
>
> > > First, I would like to praise Dr. Di Pierro and all the web2py
> > > contributors for their focus on security. Examining the OWASP Top 10
> > > (http://www.web2py.com/examples/default/security) is a great way to
> > > start. Keep it u
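The hashing modes Massimo describes, as an added illustration that is not web2py's own code: no key means a bare MD5 digest, a key of the form 'sha512:<secret>' means HMAC-SHA512, and a key without an algorithm prefix is treated as HMAC-MD5 (an assumption based on the "HMAC+MD5 or HMAC+SHA512" wording above). The 'algo$digest' storage string, the placeholder key and the small word list are constructed here; the lookup table shows why an unkeyed digest is dictionary-searchable while a keyed one is not.

```python
import hashlib
import hmac

# Placeholder in the 'algorithm:secret' layout the thread shows for hmac_key;
# a real deployment needs its own unique, randomly generated secret.
EXAMPLE_HMAC_KEY = "sha512:00000000-0000-4000-8000-000000000000"

# Constructed word list standing in for the dictionary an attacker would precompute.
COMMON_WORDS = ["password", "123456", "letmein", "qwerty"]


def _parse_hmac_key(hmac_key):
    """Split 'sha512:secret' into ('sha512', 'secret'). A key without an
    algorithm prefix is taken as HMAC-MD5 (assumption based on the thread's
    'HMAC+MD5 or HMAC+SHA512' wording)."""
    algo, sep, secret = hmac_key.partition(":")
    if not sep:
        algo, secret = "md5", hmac_key
    if not secret:
        raise ValueError("hmac_key has an algorithm prefix but no secret")
    if algo not in hashlib.algorithms_available:
        raise ValueError("unsupported digest %r in hmac_key" % algo)
    return algo, secret


def hash_password(password, hmac_key=None):
    """Return 'algo$hexdigest' (storage layout constructed for this example).
    No key: unkeyed MD5, the legacy default the thread discusses.
    Key given: HMAC with the named digest, keyed by the secret."""
    data = password.encode("utf-8")
    if not hmac_key:
        return "md5$" + hashlib.md5(data).hexdigest()
    algo, secret = _parse_hmac_key(hmac_key)
    return "%s$%s" % (algo, hmac.new(secret.encode("utf-8"), data, algo).hexdigest())


def verify_password(password, stored, hmac_key=None):
    """Recompute with the same key and compare in constant time."""
    return hmac.compare_digest(hash_password(password, hmac_key), stored)


def precomputed_table(words, hmac_key=None):
    """Digest -> word for a word list: what a dictionary attack precomputes once.
    Without a key this table is valid against every deployment using that digest;
    with a per-deployment key it has to be rebuilt for each key."""
    return {hash_password(word, hmac_key): word for word in words}


def lookup(stored, table):
    """Word whose digest equals the stored value, or None if the table has no hit."""
    return table.get(stored)


if __name__ == "__main__":
    table = precomputed_table(COMMON_WORDS)          # built once, with no key
    unkeyed = hash_password("password")
    keyed = hash_password("password", EXAMPLE_HMAC_KEY)
    print("unkeyed md5 found in table:", lookup(unkeyed, table))
    print("hmac-sha512 found in table:", lookup(keyed, table))
    print("verify correct password:", verify_password("password", keyed, EXAMPLE_HMAC_KEY))
```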

Re: [web2py] Re: elFinder-web2py , Filemanager for Web2py!

2010-06-30 Thread Phyo Arkar
Hello Torex

Welcome to the Web2py Group!
That's very good to have you here!
I am trying to make elFinder work for web2py; please feel free to reuse my
work in your release.

Here is the Connector initiation:

http://code.google.com/p/elfinder-web2py/source/browse/filemanager/controllers/default.py

Check inside the function elcon.

and here is elFinder Backend Class

http://code.google.com/p/elfinder-web2py/source/browse/filemanager/modules/elw2p.py



Currently it is working partially (at least for me).

Please review and test; we can work together on this.



On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin wrote:

> Hello, I'm the author of elFinder.py
>
> In about a month we plan to release a new version of elFinder, mostly
> bugfixes, but I also plan to rewrite the python version to be more
> library-like.
>
> I know there are problems integrating elfinder with different
> frameworks on python; the current version was written for use under pure
> CGI. This is my first major experience with python and so I have many
> questions about the "right way" to write a connector so it can be
> easy to integrate and write plugins.
>
> The biggest question to me is how to implement handling POST and GET
> data, I've seen many different ways how it is done in different
> frameworks. Currently this is done using:
> import cgi
> self._form = cgi.FieldStorage()
> Maybe I should put this outside elFinder.py and only pass parameters
> to connector?
>
> Feedback is welcome.
>
> On Jun 24, 5:47 am, Phyo Arkar  wrote:
> > Finally after 2 days of hacking the elfinder backend for Django from
> > http://www.elrte.ru/redmine/issues/128, i have managed to get elFinder
> > working (about 90% of features)
> >
> > Attached is elFinder-web2py, still a lot of improvement needed.
> >
> > -Downloading files is not working yet but should be easy to fix.
> > -Help me make it more integrated into web2py
> > -Their method of directory scanning is so slow, going to replace it with
> > os.walk.
> >
> > Please note that this is not for Production use.
> >
> > I started a project , download and test there.
> >
> > Note: the URL (both in View and web2py_elcon) needs to be changed to your
> > host:port (i did it with port 8080)
> >
> > http://code.google.com/p/elfinder-web2py/downloads/list
>


[web2py] Doctests keep getting stuck

2010-06-30 Thread Kerem Eryılmaz
Hi all,
I wonder if anyone encountered similar problems with doctests. I have
a couple of controllers (default.py and etc.py), and a single function
(__addTLI__) in etc.py that has a doctest. When I try to run the tests
through the admin app, default.py passes fine (since it has no tests),
but etc.py just hangs. I have confirmed that there is a line in my
code that determines whether etc.py will hang or return successfully,
however I do not see how it is possible that the specific piece of
code determines anything (basically it produces an xml file through
some db interaction). I tried the same testing code in a function,
opened it up on a browser and it ran fine, error-free. I also checked
http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also
surprisingly revealed that __addTLI__ had actually passed.

Is it possible for a test to hang even though all subtests pass?

BTW, I use version 1.79.2

Cheers,
Kerem.


[web2py] Re: Disabling registration

2010-06-30 Thread Deepan
I am clear with first point.

Not with second one.

How can I make it so that only registered users can create new users? Right
now, when I am logged in and click on register, it redirects me to the
profile page.

Thanks

On Jun 30, 12:03 pm, Chris S  wrote:
> Check out the book located at www.web2py.com/book; you'll find a lot of
> useful information in it.
>
> For 1:
> Section 8.1 talks about restricting registration
> http://www.web2py.com/book/default/section/8/1?search=Restrictions+on...
>
> For 2:
> Section 8.2 talks about the settings built into Auth.  I believe
> you're looking for login_next
> http://www.web2py.com/book/default/section/8/2?search=login_next
>
> The search function on the book is fairly good, once you get used to
> some of the words you're looking for.
>
> On Jun 30, 9:24 am, Deepan  wrote:
>
>
>
> > Hi,
>
> > I am relatively new to web2py. It would be great if somebody can guide
> > me through these issues.
>
> > 1. way to disable registration for anonymous users of the app.
>
> > 2. When I am logged in as an authenticated user I'm redirected to my
> > profile page instead of registration page.
>
> > Please let me know how to fix these issues.
>
> > Thanks for the help!


[web2py] Re: sql.py error?

2010-06-30 Thread dlypka
I will have a look at this tonight, using the WING IDE debugger,
because _last_reference was a new property added at my suggestion,
so I am somewhat familiar with it.

Looks like somehow the same SQL Row instance is being 'reused' for
creating a new row, which I would not expect to happen.

- Dave Lypka.

On Jun 30, 1:03 am, Yarko Tymciurak 
wrote:
> On Jun 29, 3:27 pm, Chris S  wrote:
>
> > I'm actually not sure how to set break points.  I'm using Eclipse so
> > I'm sure there's a way but while I'm educating myself.
>
> A bit of an aside, but for completeness:
>
> Not sure about Eclipse...  maybe this will help:
> http://pydev.org/manual_adv_debugger.html
>
> It sort of looks familiar - like winpdb  (which is a free windowed ---
> NOT windows --- debugger for python;  you could get that separate).
>
> I would (of course) do this with local gae environment.
>
> An alternative is to get a 30-day eval of WingIDE, and debug with
> that; either should be fine.
>
> - Yarko
>
>
>
> >  Here's all you
> > should need to know if the above isn't descriptive enough.
>
> > In db.py:
> > auth = Auth(globals(),db)           # authentication/authorization
> > auth.define_tables()                # creates all needed tables
>
> > Using Appadmin
> > -Add a user to auth_users
> > -Create group 'admin' in auth_groups
> > -Make the user a member of admin in auth_memberships
>
> > In the application:
> > def add():
> >     """
> >     Debug Function
> >     """
> >     group=db(db.auth_group.role=='admin').select()[0]
> >     auth.add_permission(group.id,'access','mystuff')
> >     auth.add_permission(group.id,'access','myotherstuff')
> >     redirect(URL(request.application,request.controller,'index'))
>
> > Call /application/controller/add
> > In appadmin view the auth_permissions table.
> > You should see two entries
> > one with the group.id for Admin, access, and table of 'mystuff'.
> > one with the group.id for Admin, access, and table of 'myotherstuff'.
>
> > Instead you'll get the above error and only "mystuff" is added to the
> > auth_permissions.
> > You can comment out either line and add them one at a time with no
> > errors.  In fact you can add the same permission several times and
> > you'll see duplicate entries.  You can not however, have both of the
> > above added in a single function call.  This used to work but no longer
> > does.  When I get some time maybe I can test which revision broke this
> > but my guess is it's 650:7c531beb7820 with comment
> > "self._last_reference, thanks Dave".
>
> > Sorry I'm not more help. Wish I could just patch this but I'm still
> > learning python/web2py and this one's a bit above me.
>
> > On Jun 29, 3:01 pm, Yarko Tymciurak 
> > wrote:
>
> > > can you give a complete example necessary to reproduce?
>
> > > Alternatively, you can debug yourself:  set a breakpoint at gluon/
> > > tools.py::Auth:add_permission()
>
> > > and analyze what's going on...
>
> > > - Yarko
>
> > > On Jun 29, 2:13 pm, Chris S  wrote:
>
> > > > Crap that should read:
>
> > > > To reproduce:
> > > > def test():
> > > >     auth.add_permission(id,'name','table1')
> > > >     auth.add_permission(id,'name','table2')
> > > > return
>
> > > > I'm trying to assign two different permissions to the same group in a
> > > > single function to get the error.
>
> > > > On Jun 29, 2:11 pm, Chris S  wrote:
>
> > > > > Actually, that's not exactly what's happening.
>
> > > > > The error is produced when trying to make two calls back to back to
> > > > > auth.add_permission().
> > > > > Single calls still create duplicate entries but back to back calls
> > > > > error on the 2nd call never creating an entry.
>
> > > > > To reproduce:
> > > > > def test():
> > > > >     auth.add_permission(id,'name','table1')
> > > > >     auth.add_permission(id,'name','table1')
> > > > > return
>
> > > > > Either one of the above can be run by itself, but both in the same
> > > > > controller will fail with the above error on the 2nd permission.
>
> > > > > On Jun 29, 1:35 pm, Chris S  wrote:
>
> > > > > > I think the most recent update to trunk I've found a spot in sql.py
> > > > > > where functionality is different though it might be intended.
>
> > > > > > In the last stable release you could make a call:
> > > > > > auth.add_permission(group.id,'name','table_name')
>
> > > > > > You could do this without first checking for its existence already.
> > > > > > A new entry was created and no errors thrown.
> > > > > > Now if you try to do the above call and that same permission is
> > > > > > already defined you get:
> > > > > > --New Error
> > > > > > raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
> > > > > > SyntaxError: Object exists and cannot be redefined: _last_reference
> > > > > > --/New Error
>
> > > > > > While it's good that this points out that I wasn't checking for 
> > > > > > these
> > > > > > permissions before, it's bad that you find out b

[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
Unfortunately it doesn't.
I can access any other table that's available through my application,
but I can't get any value out of the auth_user table.
Is it somehow protected?
Do I need to add some extra piece of code to expose them in my
application in order to be able to acquire any value out of them?

Desperate searcher.


On 30 Cze, 06:25, Chris S  wrote:
> I don't guess I follow.  Isn't that the same as:
>
> def userexist(namecheck):
>     if db(db.auth_user.username==namecheck).count() > 0:
>         return 'yes'
>     else:
>         return 'no'
>
> So I'm saying your query should be:
> query = (db.auth_user.username==username)
>
> Hope that helps
>
> On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > Hello,
>
> > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > found a great piece of code which allows checking on the fly if there
> > is an exact value already in the database.
>
> > Original code:
>
> > def ajaxuserexist():
> >     username = request.vars.values()[0]
> >     query = db.users.name.like(username)
> >     numres = db(query).count()
> >     if numres > 0 :
> >         return 'yes'
>
> >     return 'no'
>
> > But when I try to implement the same solution on auth_user table for
> > login column it stops working:
>
> >     query = db.auth_users.login.like(username)
>
> > Do you know some solution/workaround to this problem?
>
> > Best regards.


[web2py] Re: Caching downloads

2010-06-30 Thread Chris S
I've had this bookmarked and have been looking over it recently.  I
added a c_download (cached download) function as described above to
allow local caching of files.  The above code did not get me there
though I ended up using:

import os
import time

def c_download():
    # c and f come straight from the request and end up in a filesystem path;
    # they should be checked against the expected names before being used
    controller = request.vars.c
    file = request.vars.f
    response.headers['Cache-Control'] = 'private'
    del response.headers['Content-Type']
    del response.headers['Pragma']
    del response.headers['Expires']
    filename = os.path.join(request.folder, 'static', controller, file)
    response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
    return response.stream(open(filename, 'rb'))

The key difference being I found I had to set the 'Cache-Control'
header, just deleting it didn't do the trick.
What I'm not clear on is why this is necessary.  From the book:

When static files are downloaded, web2py does not create a session,
nor does it issue a cookie or execute the models. web2py always
streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
the client sends a RANGE request for a subset of the file. web2py
also supports the IF_MODIFIED_SINCE protocol, and does not send the
file if it is already stored in the browser's cache and if the file
has not changed since that version.

Link:
http://web2py.com/book/default/section/4/2?search=supports+the+IF_MODIFIED_SINCE+protocol%2C+and+does+not+send+the+file+if+it+is+already+stored+in+the+browser%27s+cache+and+if+the+file+has+not+changed+since+that+version.

So then, if I serve a style.css file from static, or build a link from
URL() to a file in static.  Why do these files get downloaded every
time the page is loaded?

Here's an example.  Using http://127.0.0.1:8080/welcome/static/menu.gif
running on the GAE development server I get:
Header:
HTTP/1.0 200
Server: Development/1.0
Date: Wed, 30 Jun 2010 18:37:05 GMT
Content-Type: image/gif
Cache-Control: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Length: 264

Cache:
Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
Expires         Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
Data Size       264
Fetch Count     7
Device          disk


Is this working as intended?  I *can* wrap every single download in a
function call to c_download, but should that be necessary?  Am I just
missing a configuration option somewhere?  I feel like I'm re-inventing
the wheel since 'static' files were in my understanding not
meant to change often anyway.

On May 6, 8:15 am, mdipierro  wrote:
> Can you provide an example of code that causes cache failure?
> Remember that you cannot @cache def download because of range
> requests.
>
> On May 6, 2:49 am, Iceberg  wrote:
>
> > It seems Mariano's story has a happy ending. Congratulations. But on a
> > second thought, can anyone explain why "if you quickly reload pages,
> > they fail" in the very first caching-download version? Caching
> > download can improve speed, can with a side effect of bypassing
> > privilege check, but no matter what, it shall not cause content fail
> > to load.
>
> > I remember I once tried @cache(...) but encounter similar problems,
> > then I give up. :-(  Nice to pick it up if someone can throw some
> > light. Thanks!
>
> > Regards,
> > iceberg
>
> > On May5, 11:39am, Mariano Reingart  wrote:
>
> > > .. after using fast_download (changing headers and using
> > > stream) it runs really quickly!
>
> > > (I know, serving through apache would be even faster, but in this case
> > > I prefer portability and a easy configuration)
>
> > > You can see how it's running here:
>
> > >http://www.pyday.com.ar/rafaela2010/
>
> > > (look at images at the sidebar)
>
> > > Thanks so much,
>
> > > Mariano >
>
> > > >> On May 4, 9:04 pm, Mariano Reingart  wrote:
> > > >>> I thought so,
>
> > > >>> I had to modify mydownload so browsers do client-side caching,
> > > >>> speeding up the web-page load:
>
> > > >>> def fast_download():
> > > >>>     # very basic security:
> > > >>>     if not request.args(0).startswith("sponsor.logo"):
> > > >>>         return download()
> > > >>>     # remove/add headers that prevent/favors caching
> > > >>>     del response.headers['Cache-Control']
> > > >>>     del response.headers['Pragma']
> > > >>>     del response.headers['Expires']
> > > >>>     filename = os.path.join(request.folder,'uploads',request.args(0))
> > > >>>     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y
> > > >>> %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> > > >>>     return response.stream(open(filename,'rb'))
>
> > > >>> TODO: handle If-Modified-Since (returning 304 if not modified), but as
> > > >>> you said, let the browser do that if so much performance is needed (so
> > > >>> far, fast_download is working fine for me now :-)
>
> > > >>> Thanks very much for your help, and please let me know if there is
> 
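The three things the posted c_download/fast_download leave out (a valid GMT Last-Modified value, the If-Modified-Since comparison listed as a TODO above, and a check that the c/f request values cannot escape the static folder), as an added framework-free Python example that is not code from this thread or from web2py; the function names and the constructed temp file are my own.

```python
import email.utils
import os
import shutil
import tempfile

# Added example, not code from the thread or from web2py. All names are mine.


def http_date(timestamp):
    """Format POSIX seconds as an RFC 7231 HTTP-date, e.g.
    'Wed, 30 Jun 2010 18:37:05 GMT'. The posted strftime("... %H:%M:%S +")
    over time.localtime() yields a local-time string clients do not honour."""
    return email.utils.formatdate(timestamp, usegmt=True)


def parse_http_date(value):
    """Parse an HTTP-date request header to POSIX seconds; None if absent
    or unparsable (a bad header must degrade to a full 200 response)."""
    if not value:
        return None
    try:
        return email.utils.mktime_tz(email.utils.parsedate_tz(value))
    except (TypeError, ValueError, OverflowError):
        return None


def safe_static_path(static_root, controller, name):
    """Resolve static/<controller>/<name>, refusing anything that resolves
    outside static_root. c_download joined request.vars.c and request.vars.f
    into the path unchecked, so '..' components could reach other files."""
    if not controller or not name:
        return None
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, controller, name))
    if not candidate.startswith(root + os.sep):
        return None
    return candidate


def conditional_response(mtime, if_modified_since=None, max_age=3600):
    """Decide between 304 Not Modified and 200 with caching headers (the
    If-Modified-Since handling the TODO asked for). HTTP-dates carry whole
    seconds, so the file mtime is truncated before comparison."""
    last_modified = int(mtime)
    headers = {
        'Last-Modified': http_date(last_modified),
        'Cache-Control': 'private, max-age=%d' % max_age,
    }
    since = parse_http_date(if_modified_since)
    if since is not None and last_modified <= since:
        return 304, headers
    return 200, headers


def demo():
    """Serve a constructed file twice: a first fetch, then a revalidation
    that echoes Last-Modified back as If-Modified-Since."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, 'default'))
    with open(os.path.join(root, 'default', 'menu.gif'), 'wb') as fh:
        fh.write(b'GIF89a')  # constructed stand-in for a real image
    path = safe_static_path(root, 'default', 'menu.gif')
    escaped = safe_static_path(root, '..', 'outside.txt')   # None: refused
    mtime = os.path.getmtime(path)
    first_status, first_headers = conditional_response(mtime)
    second_status, _ = conditional_response(
        mtime, first_headers['Last-Modified'])
    shutil.rmtree(root)
    return first_status, second_status, escaped


if __name__ == '__main__':
    print(demo())   # (200, 304, None)
```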

[web2py] Re: Accessing auth_user table

2010-06-30 Thread Chris S
And you've defined auth in db.py with:

from gluon.tools import Auth
auth = Auth(globals(), db)
auth.define_tables()

I've done searches on auth_user before... I think.

On Jun 30, 1:44 pm, elfuego1  wrote:
> Unfortunately it doesn't.
> I can access any other table that's available through my application
> but I can't get any value out of auth_user table.
> Is it somehow protected?
> Do I need to add some extra piece of code to expose them in my
> application in order to be able to acquire any value out of them?
>
> Desperate searcher.
>
> On 30 Cze, 06:25, Chris S  wrote:
>
> > I don't guess I follow.  Isn't that the same as:
>
> > def userexist(namecheck):
> >     if db(db.auth_user.username==namecheck).count() > 0:
> >         return 'yes'
> >     else:
> >         return 'no'
>
> > So I'm saying your query should be:
> > query = (db.auth_user.username==username)
>
> > Hope that helps
>
> > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > Hello,
>
> > > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > found a great piece of code which allows to check on the fly if there
> > > is an exact value already in database.
>
> > > Original code:
>
> > > def ajaxuserexist():
> > >     username = request.vars.values()[0]
> > >     query = db.users.name.like(username)
> > >     numres = db(query).count()
> > >     if numres > 0 :
> > >         return 'yes'
>
> > >     return 'no'
>
> > > But when I try to implement the same solution on auth_user table for
> > > login column it stops working:
>
> > >     query = db.auth_users.login.like(username)
>
> > > Do you know some solution/workaround to this problem?
>
> > > Best regards.
>
>


[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
Since I had added some fields (and intend to customize it further) to
my auth_user table the code for auth_user in db.py looks like that:

from gluon.tools import *
auth = Auth(globals(), db)

db.define_table('auth_user',
    SQLField('login', 'string', length=50, default=''),
    SQLField('password', 'password', length=512, readable=False,
             label='Password'),
    SQLField('registration_key', length=512, default='',
             writable=False, readable=False),
    SQLField('reset_password_key', length=512, default='',
             writable=False, readable=False),
    SQLField('first_name', length=128, default=''),
    SQLField('last_name', length=128, default=''),
    SQLField('email', length=128, default='', unique=True),
    SQLField('phone', 'string', length=30, default=''),
)




On 30 Cze, 20:59, Chris S  wrote:
> And you've defined auth in db.py with:
>
> from gluon.tools import Auth
> auth = Auth(globals(), db)
> auth.define_tables()
>
> I've done searches on auth_user before... I think.
>
> On Jun 30, 1:44 pm, elfuego1  wrote:
>
> > Unfortunately it doesn't.
> > I can access any other table that's available through my application
> > but I can't get any value out of auth_user table.
> > Is it somehow protected?
> > Do I need to add some extra piece of code to expose them in my
> > application in order to be able to acquire any value out of them?
>
> > Desperate searcher.
>
> > On 30 Cze, 06:25, Chris S  wrote:
>
> > > I don't guess I follow.  Isn't that the same as:
>
> > > def userexist(namecheck):
> > >     if db(db.auth_user.username==namecheck).count() > 0:
> > >         return 'yes'
> > >     else:
> > >         return 'no'
>
> > > So I'm saying your query should be:
> > > query = (db.auth_user.username==username)
>
> > > Hope that helps
>
> > > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > > Hello,
>
> > > > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > > found a great piece of code which allows to check on the fly if there
> > > > is an exact value already in database.
>
> > > > Original code:
>
> > > > def ajaxuserexist():
> > > >     username = request.vars.values()[0]
> > > >     query = db.users.name.like(username)
> > > >     numres = db(query).count()
> > > >     if numres > 0 :
> > > >         return 'yes'
>
> > > >     return 'no'
>
> > > > But when I try to implement the same solution on auth_user table for
> > > > login column it stops working:
>
> > > >     query = db.auth_users.login.like(username)
>
> > > > Do you know some solution/workaround to this problem?
>
> > > > Best regards.


[web2py] Re: Disabling registration

2010-06-30 Thread Chris S
Oh I didn't understand the initial question.  Here's one way to go
about it, though I'm sure there are other (possibly easier) ways to do
it.
You first need to create a form for inserting users, and then protect
it.

The form can be created with CRUD.

In your controller:
@auth.requires_login()  # restricts function
def add_user():
    form = crud.create(db.auth_user)  # Create form for inserting users
    return dict(form=form)  # Return the form to a view

Then in add_user.html the form is inserted with:
{{=form}}

Crud will automatically generate a SQLFORM for the table with self
submission and validation.
You can read on CRUD in the manual here: 
http://web2py.com/book/default/section/7/6?search=CRUD
You can read on Authentication in the manual here:
http://web2py.com/book/default/section/8/2?search=Decorators

I think once you understand how to generate a form based on a table,
and how to require access with decorators or just enforcing
authorization via CRUD you'll fully understand how to do what you're
trying.  What I've shown is just one way to do it, I'm sure there's
many many ways to

On Jun 30, 1:30 pm, Deepan  wrote:
> I am clear with first point.
>
> Not with second one.
>
> How can I make only registered users to create new users right now
> when I am logged in and click on register it redirects me to profile
> page.
>
> Thanks
>
> On Jun 30, 12:03 pm, Chris S  wrote:
>
> > Check out the book located at www.web2py.com/book you'll find a lot of
> > useful information in it.
>
> > For 1:
> > Section 8.1 talks about restricting
> > registration http://www.web2py.com/book/default/section/8/1?search=Restrictions+on...
>
> > For 2:
> > Section 8.2 talks about the settings built into Auth.  I believe
> > you're looking for
> > login_next http://www.web2py.com/book/default/section/8/2?search=login_next
>
> > The search function on the book is fairly good, once you get use to
> > some of the words you're looking for.
>
> > On Jun 30, 9:24 am, Deepan  wrote:
>
> > > Hi,
>
> > > I am relatively new to web2py. It would be great if somebody can guide
> > > me through this issues.
>
> > > 1. way to disable registration for anonymous users of the app.
>
> > > 2. When I am logged in as a authenticated user I'm redirected to my
> > > profile page instead of registration page.
>
> > > Please let me know how to fix this issues.
>
> > > Thanks for the help!
>
>


[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
auth.define_tables() is there as well but below auth_user table
definition.




On 30 Cze, 20:59, Chris S  wrote:
> And you've defined auth in db.py with:
>
> from gluon.tools import Auth
> auth = Auth(globals(), db)
> auth.define_tables()
>
> I've done searches on auth_user before... I think.
>
> On Jun 30, 1:44 pm, elfuego1  wrote:
>
> > Unfortunately it doesn't.
> > I can access any other table that's available through my application
> > but I can't get any value out of auth_user table.
> > Is it somehow protected?
> > Do I need to add some extra piece of code to expose them in my
> > application in order to be able to acquire any value out of them?
>
> > Desperate searcher.
>
> > On 30 Cze, 06:25, Chris S  wrote:
>
> > > I don't guess I follow.  Isn't that the same as:
>
> > > def userexist(namecheck):
> > >     if db(db.auth_user.username==namecheck).count() > 0:
> > >         return 'yes'
> > >     else:
> > >         return 'no'
>
> > > So I'm saying your query should be:
> > > query = (db.auth_user.username==username)
>
> > > Hope that helps
>
> > > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > > Hello,
>
> > > > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > > found a great piece of code which allows to check on the fly if there
> > > > is an exact value already in database.
>
> > > > Original code:
>
> > > > def ajaxuserexist():
> > > >     username = request.vars.values()[0]
> > > >     query = db.users.name.like(username)
> > > >     numres = db(query).count()
> > > >     if numres > 0 :
> > > >         return 'yes'
>
> > > >     return 'no'
>
> > > > But when I try to implement the same solution on auth_user table for
> > > > login column it stops working:
>
> > > >     query = db.auth_users.login.like(username)
>
> > > > Do you know some solution/workaround to this problem?
>
> > > > Best regards.


[web2py] Re: Accessing auth_user table

2010-06-30 Thread Chris S
Probably a dumb question, but what are you checking the user against?

Both my and your example above are checking for username and you
didn't define a username in your auth_user.

Your query then is not working as:

def userexist(emailcheck):
    if db(db.auth_user.email==emailcheck).count() > 0:
        return 'yes'
    else:
        return 'no'

I know I've returned searches on auth_user; it's no different than
other tables.  Just gotta find why you're getting no results.  Might
help if you post the exact search code that goes with the above
auth_user and the error message that's generated.


On Jun 30, 2:12 pm, elfuego1  wrote:
> Since I had added some fields (and intend to customize it further) to
> my auth_user table the code for auth_user in db.py looks like that:
>
> from gluon.tools import *
> auth=Auth(globals(),db)
>
> db.define_table('auth_user',
>     SQLField('login', 'string', length=50, default=''),
>     SQLField('password', 'password', length=512, readable=False,
> label='Password'),
>     SQLField('registration_key', length=512, default= '',
> writable=False, readable=False),
>     SQLField('reset_password_key', length=512, default='',
> writable=False, readable=False),
>     SQLField('first_name', length=128,default=''),
>     SQLField('last_name', length=128,default=''),
>     SQLField('email', length=128,default='', unique=True),
>     SQLField('phone', 'string', length=30, default=''),
> )
>
> On 30 Cze, 20:59, Chris S  wrote:
>
> > And you've defined auth in db.py with:
>
> > from gluon.tools import Auth
> > auth = Auth(globals(), db)
> > auth.define_tables()
>
> > I've done searches on auth_user before... I think.
>
> > On Jun 30, 1:44 pm, elfuego1  wrote:
>
> > > Unfortunately it doesn't.
> > > I can access any other table that's available through my application
> > > but I can't get any value out of auth_user table.
> > > Is it somehow protected?
> > > Do I need to add some extra piece of code to expose them in my
> > > application in order to be able to acquire any value out of them?
>
> > > Desperate searcher.
>
> > > On 30 Cze, 06:25, Chris S  wrote:
>
> > > > I don't guess I follow.  Isn't that the same as:
>
> > > > def userexist(namecheck):
> > > >     if db(db.auth_user.username==namecheck).count() > 0:
> > > >         return 'yes'
> > > >     else:
> > > >         return 'no'
>
> > > > So I'm saying your query should be:
> > > > query = (db.auth_user.username==username)
>
> > > > Hope that helps
>
> > > > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > > > Hello,
>
> > > > > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > > > found a great piece of code which allows to check on the fly if there
> > > > > is an exact value already in database.
>
> > > > > Original code:
>
> > > > > def ajaxuserexist():
> > > > >     username = request.vars.values()[0]
> > > > >     query = db.users.name.like(username)
> > > > >     numres = db(query).count()
> > > > >     if numres > 0 :
> > > > >         return 'yes'
>
> > > > >     return 'no'
>
> > > > > But when I try to implement the same solution on auth_user table for
> > > > > login column it stops working:
>
> > > > >     query = db.auth_users.login.like(username)
>
> > > > > Do you know some solution/workaround to this problem?
>
> > > > > Best regards.
>
>


[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
During registration I want to check on the fly, if login chosen by the
user is already in use or is it not in db and available to be used.

def ajaxuserexist():
    username = request.vars.values()[0]
    query = (db.auth_user.login==username)
    numres = db(query).count()
    if numres > 0 :
        return 'yes'
    else:
        return 'no'

When I test it on any other table that doesn't have prefix auth_ then
the above code works, but unfortunately I need to test auth_user
table :-(


On 30 Cze, 21:19, Chris S  wrote:
> Probably a dumb question, but what are you checking the user against?
>
> Both my and your example above are checking for username and you
> didn't define a username in your auth_user.
>
> Your query then is not working as:
>
> def userexist(emailcheck):
>     if db(db.auth_user.email==emailcheck).count() > 0:
>         return 'yes'
>     else:
>         return 'no'
>
> I know I've returned searches on auth_user it's no different than
> > other tables.  Just gotta find why you're getting no results.  Might
> help if you post the exact search code that goes with the above
> auth_user and the error message that's generated.
>
> On Jun 30, 2:12 pm, elfuego1  wrote:
>
> > Since I had added some fields (and intend to customize it further) to
> > my auth_user table the code for auth_user in db.py looks like that:
>
> > from gluon.tools import *
> > auth=Auth(globals(),db)
>
> > db.define_table('auth_user',
> >     SQLField('login', 'string', length=50, default=''),
> >     SQLField('password', 'password', length=512, readable=False,
> > label='Password'),
> >     SQLField('registration_key', length=512, default= '',
> > writable=False, readable=False),
> >     SQLField('reset_password_key', length=512, default='',
> > writable=False, readable=False),
> >     SQLField('first_name', length=128,default=''),
> >     SQLField('last_name', length=128,default=''),
> >     SQLField('email', length=128,default='', unique=True),
> >     SQLField('phone', 'string', length=30, default=''),
> > )
>
> > On 30 Cze, 20:59, Chris S  wrote:
>
> > > And you've defined auth in db.py with:
>
> > > from gluon.tools import Auth
> > > auth = Auth(globals(), db)
> > > auth.define_tables()
>
> > > I've done searches on auth_user before... I think.
>
> > > On Jun 30, 1:44 pm, elfuego1  wrote:
>
> > > > Unfortunately it doesn't.
> > > > I can access any other table that's available through my application
> > > > but I can't get any value out of auth_user table.
> > > > Is it somehow protected?
> > > > Do I need to add some extra piece of code to expose them in my
> > > > application in order to be able to acquire any value out of them?
>
> > > > Desperate searcher.
>
> > > > On 30 Cze, 06:25, Chris S  wrote:
>
> > > > > I don't guess I follow.  Isn't that the same as:
>
> > > > > def userexist(namecheck):
> > > > >     if db(db.auth_user.username==namecheck).count() > 0:
> > > > >         return 'yes'
> > > > >     else:
> > > > >         return 'no'
>
> > > > > So I'm saying your query should be:
> > > > > query = (db.auth_user.username==username)
>
> > > > > Hope that helps
>
> > > > > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > > > > Hello,
>
> > > > > > On this page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > > > > found a great piece of code which allows to check on the fly if
> > > > > > there
> > > > > > is an exact value already in database.
>
> > > > > > Original code:
>
> > > > > > def ajaxuserexist():
> > > > > >     username = request.vars.values()[0]
> > > > > >     query = db.users.name.like(username)
> > > > > >     numres = db(query).count()
> > > > > >     if numres > 0 :
> > > > > >         return 'yes'
>
> > > > > >     return 'no'
>
> > > > > > But when I try to implement the same solution on auth_user table for
> > > > > > login column it stops working:
>
> > > > > >     query = db.auth_users.login.like(username)
>
> > > > > > Do you know some solution/workaround to this problem?
>
> > > > > > Best regards.


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread Craig Younkins
If you'd like this moved to the developers list, just approve my application
and reply there.

> When I say that MD5 is the default that applies only to the case that
> a hmac_key is not specified. This is 1) for backward compatibility; 2)
> because without a key/salt sha512 and md5 are vulnerable to the same
> dictionary attacks.

Hmm Well, I'm looking at the CRYPT class and it appears that in order to
use HMAC the *caller* needs to pass in the key parameter. Grepping the
source tree I've found a few places where the caller does not supply the
key:

applications/admin/models/access.py:55
applications/admin/controllers/default.py:78
gluon/main.py:480
gluon/main.py:495
gluon/validators.py:2344

I am of course unfamiliar with the internals of the project, but it would
appear to me that admin passwords are never HMAC'd. Can you confirm?

I suggest that the key be pulled in from the configuration inside CRYPT so
that the caller isn't required to pass it in. I would also suggest that the
hash method be placed in configuration. Consolidating the configuration of
security mechanisms greatly aids in a security review. If it were
consolidated, a reviewer would only have to look at the default
configuration. In its current state, a reviewer needs to look at all the
callers of CRYPT to determine the security of CRYPT.

I realize some of my suggestions may prove difficult to support backwards
compatibility. In many cases this can be worked around to implement and
start using newer, safer security controls while maintaining support for
older methods. In some cases it's more difficult than others.

> If you use "admin" to create a new app, the '' is
> automatically replaced with something like

Thanks for clarifying! This works.

> > * Do not use cgi.escape for HTML escaping because it does not escape
> > single quotes and may lead to XSS - See http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss
> > and http://www.pythonsecurity.org/wiki/cgi/
>
> I assume you refer to attribute escaping. When using helpers like
> {{=A(link,_href=url)}} then link is escaped using cgi.escape but url
> is escaped differently (quotes are escaped). The problem is that the
> escape function does not know whether a variable is to be inserted in
> html, css, js, attribute, a string in js, etc. etc. and therefore if
> the function does know the context it is in it can never always escape
> correctly. I do not believe there is a general solution to this
> problem. web2py assumes {{=}} is escaping HTML/XML. If you need to
> escape attributes we suggest using helpers.  If you need to escape js
> code or strings in js code, you may have to do it manually.

That's not quite what I was getting at. You're right about needing the
context in order to escape correctly though. I think the default escaping
should include single and double quotes. cgi.escape escapes double quotes
but not single quotes.

I thought that the default escaping was going through cgi.escape by way of
the xmlescape method, but given the below, that appears to not be the case.
I'm a little confused.

Here's an example of something I don't think I should be able to do:

Controller: return dict(data='" onload="alert(1);" bad="')
View:   
Output:

The same attack works with single quoted attributes. While you're right, we
can't do full proper escaping without knowing the context, I don't think
quotes should be permitted in any web context.

> I disagree but probably I did not explain this very well. web2py has
> two things it calls session. One is the general session managed via
> cookie session_id. One is the authentication session stored into the
> general session file. When a user logs out the authentication session
> information into the general session is deleted. If an attacker were
> to intercept the cookie session_id and try to use it to gain access to
> the system, it would not work. The session_id is used for the general
> session and it does not expire because when the user logs in again, if
> the user had a state stored in the session file, you want that state
> to be retrieved.

Hmmm. I'll have to ponder this.

> As mentioned above the "admin" does this and "web2py -S app" should
> too (but there is the bug you pointed out). "admin" automatically sets
> the hmac_key="sha512:.", i.e. defaults to SHA512.

Thanks, I understand this better now. What's confusing is that the algorithm
could be set by the key or digest_alg params, neither of which the caller
need provide. It gets a little complicated to determine what code path will
execute because of how it depends on these two params. Like I said before,
I'd love to see these be statically set in the application configuration so
there is only one algorithm and one key that is used throughout the
application, with no requirement for the caller.

Best,
Craig Younkins

On Jun 30, 2:16 pm, mdipierro  wrote:
> On 30 Giu, 12:19, Craig Younkins  wrote:
>
> > "You may also wan
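An added example (not code from this thread or from web2py) of the escaping point made above: a reproduction of Python 2's cgi.escape beside an escaper that encodes both quote characters, with a small attribute counter showing that the quoted attribute value turns into several attributes under the first and stays a single attribute under the second. The helper names and the single-quote twin of the payload are my own.

```python
import html
import re

# Added example: reproduces the escaping difference discussed in the thread.
# PAYLOAD is the attribute value quoted in the message above; the single-quote
# variant is constructed here to exercise single-quoted attributes.
PAYLOAD = '" onload="alert(1);" bad="'
SINGLE_QUOTE_PAYLOAD = "' onload='alert(1);' bad='"

# name="..." or name='...' pairs as a browser tokeniser would split them
ATTR_RE = re.compile(r'''\b[\w-]+=(?:"[^"]*"|'[^']*')''')


def cgi_style_escape(value, quote=False):
    """Behave like Python 2's cgi.escape: & < > always, the double quote only
    when quote=True, and the single quote never (the gap raised above)."""
    value = value.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
    if quote:
        value = value.replace('"', '&quot;')
    return value


def attr_escape(value):
    """Escape for use inside either kind of quoted attribute: both quote
    characters are encoded, so the value can never close the attribute.
    This is what html.escape(value, quote=True) does in Python 3."""
    return (value.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
                 .replace('"', '&quot;').replace("'", '&#x27;'))


def render_attr(name, value, escaper, quote='"'):
    """Build name="value" (or name='value') the way a template would."""
    return '%s=%s%s%s' % (name, quote, escaper(value), quote)


def attribute_count(tag_body):
    """Count the name=value pairs a browser would see; a value that closes
    its attribute turns one attribute into several."""
    return len(ATTR_RE.findall(tag_body))


def compare():
    """Attribute counts per escaper/quote combination; 1 means contained."""
    return {
        'cgi_double': attribute_count(
            render_attr('src', PAYLOAD, cgi_style_escape)),
        'cgi_quote_double': attribute_count(
            render_attr('src', PAYLOAD, lambda v: cgi_style_escape(v, True))),
        'cgi_quote_single': attribute_count(
            render_attr('src', SINGLE_QUOTE_PAYLOAD,
                        lambda v: cgi_style_escape(v, True), quote="'")),
        'attr_double': attribute_count(
            render_attr('src', PAYLOAD, attr_escape)),
        'attr_single': attribute_count(
            render_attr('src', SINGLE_QUOTE_PAYLOAD, attr_escape, quote="'")),
    }


if __name__ == '__main__':
    print(compare())
```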

[web2py] Re: Accessing auth_user table

2010-06-30 Thread mdipierro
You can simplify it a bit

def ajaxuserexist():
    username = request.vars.values()[0]
    return db(db.auth_user.login==username).count() and 'yes' or 'no'

although it will not solve your problem.
There is nothing special in table auth_user so the problem is
somewhere else.

I suggest you insert a print repr(username).
Do you get any ticket? What does it say?

massimo


On 30 Giu, 14:29, elfuego1  wrote:
> During registration I want to check on the fly, if login chosen by the
> user is already in use or is it not in db and available to be used.
>
> def ajaxuserexist():
>     username = request.vars.values()[0]
>     query = (db.auth_user.login==username)
>     numres = db(query).count()
>     if numres > 0 :
>        return 'yes'
>     else:
>         return 'no'
>
> When I test it on any other table that doesn't have prefix auth_ then
> the above code works, but unfortunately I need to test auth_user
> table :-(
>
> On 30 Cze, 21:19, Chris S  wrote:
>
> > Probably a dumb question, but what are you checking the user against?
>
> > Both my and your example above are checking for username and you
> > didn't define a username in your auth_user.
>
> > Your query then is not working as:
>
> > def userexist(emailcheck):
> >     if db(db.auth_user.email==emailcheck).count() > 0:
> >         return 'yes'
> >     else:
> >         return 'no'
>
> > I know I've returned searches on auth_user it's no different than
> > > other tables.  Just gotta find why you're getting no results.  Might
> > help if you post the exact search code that goes with the above
> > auth_user and the error message that's generated.
>
> > On Jun 30, 2:12 pm, elfuego1  wrote:
>
> > > Since I had added some fields (and intend to customize it further) to
> > > my auth_user table the code for auth_user in db.py looks like that:
>
> > > from gluon.tools import *
> > > auth=Auth(globals(),db)
>
> > > db.define_table('auth_user',
> > >     SQLField('login', 'string', length=50, default=''),
> > >     SQLField('password', 'password', length=512, readable=False,
> > > label='Password'),
> > >     SQLField('registration_key', length=512, default= '',
> > > writable=False, readable=False),
> > >     SQLField('reset_password_key', length=512, default='',
> > > writable=False, readable=False),
> > >     SQLField('first_name', length=128,default=''),
> > >     SQLField('last_name', length=128,default=''),
> > >     SQLField('email', length=128,default='', unique=True),
> > >     SQLField('phone', 'string', length=30, default=''),
> > > )
>
> > > On 30 Cze, 20:59, Chris S  wrote:
>
> > > > And you've defined auth in db.py with:
>
> > > > from gluon.tools import Auth
> > > > auth = Auth(globals(), db)
> > > > auth.define_tables()
>
> > > > I've done searches on auth_user before... I think.
>
> > > > On Jun 30, 1:44 pm, elfuego1  wrote:
>
> > > > > Unfortunately it doesn't.
> > > > > I can access any other table that's available through my application
> > > > > but I can't get any value out of auth_user table.
> > > > > Is it somehow protected?
> > > > > Do I need to add some extra piece of code to expose them in my
> > > > > application in order to be able to acquire any value out of them?
>
> > > > > Desperate searcher.
>
> > > > > On 30 Cze, 06:25, Chris S  wrote:
>
> > > > > > I don't guess I follow.  Isn't that the same as:
>
> > > > > > def userexist(namecheck):
> > > > > >     if db(db.auth_user.username==namecheck).count() > 0:
> > > > > >         return 'yes'
> > > > > >     else:
> > > > > >         return 'no'
>
> > > > > > So I'm saying your query should be:
> > > > > > query = (db.auth_user.username==username)
>
> > > > > > Hope that helps
>
> > > > > > On Jun 29, 5:34 pm, elfuego1  wrote:
>
> > > > > > > Hello,
>
> > > > > > > On this
> > > > > > > page: http://web2pyslices.com/main/slices/take_slice/53 I have
> > > > > > > found a great piece of code which allows to check on the fly if
> > > > > > > there
> > > > > > > is an exact value already in database.
>
> > > > > > > Original code:
>
> > > > > > > def ajaxuserexist():
> > > > > > >     username = request.vars.values()[0]
> > > > > > >     query = db.users.name.like(username)
> > > > > > >     numres = db(query).count()
> > > > > > >     if numres > 0 :
> > > > > > >         return 'yes'
>
> > > > > > >     return 'no'
>
> > > > > > > But when I try to implement the same solution on auth_user table 
> > > > > > > for
> > > > > > > login column it stops working:
>
> > > > > > >     query = db.auth_users.login.like(username)
>
> > > > > > > Do you know some solution/workaround to this problem?
>
> > > > > > > Best regards.


[web2py] Re: Caching downloads

2010-06-30 Thread mdipierro
Unfortunately setting Cache-Control breaks IE with SSL

http://support.microsoft.com/kb/316431

On 30 Giu, 13:57, Chris S  wrote:
> I've had this bookmarked and have been looking over it recently.  I
> added a c_download (cached download) function as described above to
> allow local caching of files.  The above code did not get me there
> though I ended up using:
>
> def c_download():
>     controller=request.vars.c
>     file=request.vars.f
>     response.headers['Cache-Control']='private'
>     del response.headers['Content-Type']
>     del response.headers['Pragma']
>     del response.headers['Expires']
>     filename = os.path.join(request.folder,'static',controller,file)
>     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:
> %M:%S +", time.localtime(os.path.getmtime(filename)))
>     return response.stream(open(filename,'rb'))
>
> The key difference being I found I had to set the 'Cache-Control'
> header, just deleting it didn't do the trick.
> What I'm not clear on is why this is necessary.  From the book:
>
> When static files are downloaded, web2py  does not create a session,
> nor does it issue a cookie or execute the models. web2py always
> streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
> the client sends a RANGE request for a subset of the file. web2py
> also supports the IF_MODIFIED_SINCE protocol, and does not send the
> file if it is already stored in the browser's cache and if the file
> has not changed since that version.
>
> Link:http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD
>
> So then, if I serve a style.css file from static, or build a link from
> URL() to a file in static.  Why do these files get downloaded every
> time the page is loaded?
>
> Here's an example. Using http://127.0.0.1:8080/welcome/static/menu.gif
> running on the GAE development server I get:
> Header:
> HTTP/1.0 200
> Server: Development/1.0
> Date: Wed, 30 Jun 2010 18:37:05 GMT
> Content-Type: image/gif
> Cache-Control: no-cache
> Expires: Fri, 01 Jan 1990 00:00:00 GMT
> Content-Length: 264
>
> Cache:
> Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight
> Time)
> Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
> Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
> Data Size       264
> Fetch Count     7
> Device  disk
>
> Is this working as intended?  I *can* wrap every single download in a
> function call to c_download, but should that be necessary?  Am I just
> missing a configuration option somewhere?  I feel like I'm re-
> inventing the wheel since 'static' files were in my understanding not
> meant to change often anyway.
>
> On May 6, 8:15 am, mdipierro  wrote:
>
> > Can you provide an example of code that causes cache failure?
> > Remember that you cannot @cache def download because of range
> > requests.
>
> > On May 6, 2:49 am, Iceberg  wrote:
>
> > > It seems Mariano's story has a happy ending. Congratulations. But on a
> > > second thought, can anyone explain why "if you quickly reload pages,
> > > they fail" in the very first caching-download version? Caching
> > > download can improve speed, can with a side effect of bypassing
> > > privilege check, but no matter what, it shall not cause content fail
> > > to load.
>
> > > I remember I once tried @cache(...) but encounter similar problems,
> > > then I give up. :-(  Nice to pick it up if someone can throw some
> > > light. Thanks!
>
> > > Regards,
> > > iceberg
>
> > > On May5, 11:39am, Mariano Reingart  wrote:
>
> > > > .. after using fast_download (changing headers and using
> > > > stream) it runs really quickly!
>
> > > > (I know, serving through apache would be even faster, but in this case
> > > > I prefer portability and a easy configuration)
>
> > > > You can see how it's running here:
>
> > > >http://www.pyday.com.ar/rafaela2010/
>
> > > > (look at images at the sidebar)
>
> > > > Thanks so much,
>
> > > > Mariano >
>
> > > > >> On May 4, 9:04 pm, Mariano Reingart  wrote:
> > > > >>> I thought so,
>
> > > > >>> I had to modify mydownload so browsers do client-side caching,
> > > > >>> speeding up the web-page load:
>
> > > > >>> def fast_download():
> > > > >>>     # very basic security:
> > > > >>>     if not request.args(0).startswith("sponsor.logo"):
> > > > >>>         return download()
> > > > >>>     # remove/add headers that prevent/favors caching
> > > > >>>     del response.headers['Cache-Control']
> > > > >>>     del response.headers['Pragma']
> > > > >>>     del response.headers['Expires']
> > > > >>>     filename = 
> > > > >>> os.path.join(request.folder,'uploads',request.args(0))
> > > > >>>     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y
> > > > >>> %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> > > > >>>     return response.stream(open(filename,'rb'))
>
> > > > >>> TODO: handle If-Modified-Since (returning 304 if not modified), but 
> > > > >>> as
> > > > >>> 
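
As an added example that is not part of the thread and not web2py's own code, the helpers below do what the c_download()/fast_download() actions above set out to do, plus the two things a reviewer would ask for: the file path built from request.vars.c and request.vars.f is confined to the application's static directory (those values are attacker controlled, and os.path.join happily follows '../../'), and Last-Modified is emitted in GMT with an If-Modified-Since comparison that answers 304, the TODO left open above. Note that the posted code formats time.localtime(), i.e. server local time, which is not what the header requires. safe_static_path, is_under_static, http_date, parse_http_date and cache_headers are this example's names; request, response and HTTP in c_download() are web2py's controller globals, and request.env.http_if_modified_since is assumed to carry the request header.

```python
import os
import email.utils

# Added example, not web2py's own code: helpers for a cacheable static
# download action like the c_download()/fast_download() posted above.
# safe_static_path, is_under_static, http_date, parse_http_date and
# cache_headers are this example's names; request, response and HTTP in
# c_download() are web2py's controller globals.


def safe_static_path(app_folder, *parts):
    """Resolve <app_folder>/static/<parts...> and refuse anything outside it.

    request.vars.c and request.vars.f in the posted code are attacker
    controlled, so 'f=../../models/db.py' must raise, not stream.
    """
    if not parts or not all(parts):
        raise ValueError('empty path component')
    base = os.path.realpath(os.path.join(app_folder, 'static'))
    target = os.path.realpath(os.path.join(base, *parts))
    if not target.startswith(base + os.sep):
        raise ValueError('path escapes the static directory: %r' % (parts,))
    return target


def is_under_static(app_folder, *parts):
    """Boolean form of safe_static_path, convenient for checks and tests."""
    try:
        safe_static_path(app_folder, *parts)
        return True
    except ValueError:
        return False


def http_date(timestamp):
    """RFC 1123 date in GMT, the only form Last-Modified allows.

    The posted code formats time.localtime(), i.e. server local time,
    which puts If-Modified-Since comparisons off by the UTC offset.
    """
    return email.utils.formatdate(timestamp, usegmt=True)


def parse_http_date(value):
    """Inverse of http_date; returns a Unix timestamp, or None if unparsable."""
    parsed = email.utils.parsedate_tz(value)
    return None if parsed is None else email.utils.mktime_tz(parsed)


def cache_headers(mtime, if_modified_since=None, max_age=3600):
    """Pick 200 or 304 for a file last modified at mtime (Unix seconds).

    Returns (status, headers). 'private' lets the browser cache the file
    but keeps shared proxies out; max-age avoids a revalidation round trip
    on every page load. HTTP dates carry whole seconds, so mtime is
    truncated before the comparison.
    """
    headers = {
        'Cache-Control': 'private, max-age=%d' % max_age,
        'Last-Modified': http_date(mtime),
    }
    since = parse_http_date(if_modified_since) if if_modified_since else None
    if since is not None and int(mtime) <= since:
        return 304, headers
    return 200, headers


def c_download():
    """web2py action built on the helpers; mirrors the posted c_download().

    request.env.http_if_modified_since is assumed to hold the request
    header (web2py exposes the CGI environment on request.env with
    lower-cased keys). A bad path becomes a 404 instead of a ticket.
    """
    try:
        filename = safe_static_path(request.folder, request.vars.c or '',
                                    request.vars.f or '')
    except ValueError:
        raise HTTP(404)
    status, headers = cache_headers(os.path.getmtime(filename),
                                    request.env.http_if_modified_since)
    for name in ('Pragma', 'Expires'):
        response.headers.pop(name, None)
    response.headers.update(headers)
    if status == 304:
        raise HTTP(304)
    return response.stream(open(filename, 'rb'))
```

The helpers are plain Python and can be exercised outside web2py; only c_download() needs the framework. The same realpath check applies to the uploads folder used by fast_download(), where request.args(0) plays the role of request.vars.f.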

[web2py] Re: web2py security - keep it up!

2010-06-30 Thread Yarko Tymciurak
On Jun 30, 2:44 pm, Craig Younkins  wrote:
> If you'd like this moved to the developers list, just approve my application
> and reply there.
>
> > When I say that MD5 is the default that applies only to the case that
> > a hmac_key is not specified. This is 1) for backward compatibility; 2)
> > because without a key/salt sha512 and md5 are vulnerable to the same
> > dictionary attacks.
>
> Hmm Well, I'm looking at the CRYPT class and it appears that in order to
> use HMAC the *caller* needs to pass in the key parameter. Grepping the
> source tree I've found a few places where the caller does not supply the
> key:
>
> applications/admin/models/access.py:55
> applications/admin/controllers/default.py:78
> gluon/main.py:480
> gluon/main.py:495
> gluon/validators.py:2344
>
> I am of course unfamiliar with the internals of the project, but it would
> appear to me that admin passwords are never HMAC'd. Can you confirm?

... interesting discussion   Let me FIRST point out some things
Craig mentions which should not fall by the wayside:

1. -- There is no documented way to generate {an appropriate}
hmac_key:
  ==>  This is true;   One major way to alleviate this would be to
have an admin function that could be called manually (take your pick:
to do the replacement, as gluon/admin.py:app_create()  does, which
would need a search/replace --- or better, just give a popup with a
newly formed key an admin could readily copy/paste.

  ==>  This is also inconsistently applied --- for example, if you
pack "welcome"  app, and then (as you might with apps from other
sites, such as web2py.com, or other users)  install it as a newly
(re)named application, persists. At the
surface, the same thing app_create() is doing could be done in
app_install(), but this too would be prone to inconsistencies (i.e.
the user you get an app from to test for them will have already
installed their own hmac_key, so the kind of replacement that
app_create() does - which depends on a "magic string" in the template
app,   will fail.

A better solution would be to make this completely transparent --- a
little thinking about this should come to a solution (hmac_key is
currently persisted in a source file...)

... Good discussion, guys - lovely to see this!

- Yarko

>
> I suggest that the key be pulled in from the configuration inside CRYPT so
> that the caller isn't required to pass it in. I would also suggest that the
> hash method be placed in configuration. Consolidating the configuration of
> security mechanisms greatly aids in a security review. If it were
> consolidated, a reviewer would only have to look at the default
> configuration. In it's current state, a reviewer needs to look at all the
> callers of CRYPT to determine the security of CRYPT.
>
> I realize some of my suggestions may prove difficult to support backwards
> compatibility. In many cases this can be worked around to implement and
> start using newer, safer security controls while maintaining support for
> older methods. In some cases it's more difficult than others.
>
> > If you use "admin" to create a new app, the '' is
> > automatically replaced with something like
>
> Thanks for clarifying! This works.
>
> > > * Do not use cgi.escape for HTML escaping because it does not escape
> > > single quotes and may lead to XSS - See
> > > http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and
> > > http://www.pythonsecurity.org/wiki/cgi/
>
> > I assume you refer to attribute escaping. When using helpers like
>
>  > {{=A(link,_href=url)}} then link is escaped using cgi.escape but url
>
> > is escaped differently (quotes are escaped). The problem is that the
> > escape function does not know whether a variable is to be inserted in
> > html, css, js, attribute, a string in js, etc. etc. and therefore if
> > the function does know the context it is in it can never always escape
> > correctly. I do not believe there is a general solution to this
> > problem. web2py assumes {{=}} is escaping HTML/XML. If you need to
> > escape attributes we suggest using helpers.  If you need to escape js
> > code or strings in js code, you may have to do it manually.
>
> That's not quite what I was getting at. You're right about needing the
> context in order to escape correctly though. I think the default escaping
> should include single and double quotes. cgi.escape escapes double quotes
> but not single quotes.
>
> I thought that the default escaping was going through cgi.escape by way of
> the xmlescape method, but given the below, that appears to not be the case.
> I'm a little confused.
>
> Here's an example of something I don't think I should be able to do:
>
> Controller:         return dict(data='" onload="alert(1);" bad="')
> View:               
> Output:            
>
> The same attack works with single quoted attributes. While you're right, we
> can't do full proper escaping without knowing the context, I don't think
> quotes should be permitted in any web co
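
The attribute break-out Craig describes, as an added example that is not part of the thread and not web2py's code. escape_like_cgi() reproduces what Python 2's cgi.escape(value, quote=True) did (double quote escaped, single quote not); escape_attr() escapes both quotes; and attribute_names() runs the rendered tag through the standard-library HTML parser to show how many attributes the browser side ends up with. The double-quoted payload is the one from the message above, the single-quoted one is its obvious variant; both payloads and all function names are this example's own. The last case in the usage note is the point Massimo makes about context: an unquoted attribute is not saved by any escaping, because a space ends the value.

```python
import html
from html.parser import HTMLParser

# Added example, not web2py's code. escape_like_cgi, escape_attr, no_escape,
# render_img and attribute_names are this example's names; PAYLOAD_DQ is
# the payload quoted in the thread, PAYLOAD_SQ its single-quote variant.


def no_escape(value):
    """What reaches the page when a controller value is inserted raw."""
    return value


def escape_like_cgi(value):
    """Behaviour of Python 2's cgi.escape(value, quote=True): &, <, > and
    the double quote are escaped, the single quote is left alone."""
    return (value.replace('&', '&amp;').replace('<', '&lt;')
                 .replace('>', '&gt;').replace('"', '&quot;'))


def escape_attr(value):
    """Escapes both quote characters as well (Python 3's html.escape does
    this), so the value stays inside either kind of quoted attribute."""
    return html.escape(value, quote=True)


def render_img(src, escape, quote='"'):
    """Builds <img src=...> with the given escape function and quote style;
    quote='' reproduces an unquoted attribute."""
    return '<img src=%s%s%s>' % (quote, escape(src), quote)


class _ImgAttrs(HTMLParser):
    """Records the attribute names the parser assigns to the img tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == 'img':
            self.names = [name for name, _ in attrs]


def attribute_names(markup):
    """Attribute names a browser-like parser sees on the rendered tag:
    anything beyond ['src'] means the payload broke out of the attribute."""
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names


PAYLOAD_DQ = '" onload="alert(1);" bad="'   # from the thread
PAYLOAD_SQ = "' onload='alert(1);' bad='"   # single-quote variant
```

With PAYLOAD_DQ in a double-quoted attribute, escape_like_cgi is enough and the parser sees only src; with PAYLOAD_SQ in a single-quoted attribute it sees src, onload and bad, and only escape_attr keeps it to src. With quote='' (an unquoted attribute) even escape_attr yields three attributes, which is why attribute values must always be quoted in the template and not just escaped.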

[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
There was NO error messages. The code just didn't work.
After inserting:
print repr(username) to default.py I got:

# -*- coding: utf-8 -*-

#
## This is a samples controller
## - index is the default action of any application
## - user is required for authentication and authorization
## - download is for downloading files uploaded in the db (does streaming)
## - call exposes all registered services (none by default)
#

def index():
    """
    example action using the internationalization operator T and flash
    rendered by views/default/index.html or views/generic.html
    """
    response.flash = T('Welcome to web2py')
    return dict(message=T('Hello World'))


def user():
    """
    exposes:
    http:///[app]/default/user/login
    http:///[app]/default/user/logout
    http:///[app]/default/user/register
    http:///[app]/default/user/profile
    http:///[app]/default/user/retrieve_password
    http:///[app]/default/user/change_password
    use @auth.requires_login()
        @auth.requires_membership('group name')
        @auth.requires_permission('read','table name',record_id)
    to decorate functions that need access control
    """
    return dict(form=auth())


def download():
    """
    allows downloading of uploaded files
    http:///[app]/default/download/[filename]
    """
    return response.download(request,db)


def call():
    """
    exposes services. for example:
    http:///[app]/default/call/jsonrpc
    decorate with @services.jsonrpc the functions to expose
    supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv
    """
    session.forget()
    return service()


def page2():
    name = request.vars.login
    #db.auth_user.insert(name=name)
    return dict(name=name)

def ajaxuserexist():
    username = request.vars.values()[0]
    return db(db.auth_user.login==username).count() and 'yes' or 'no'

print repr(username)
response._vars=response._caller(index)




On 30 Cze, 21:51, mdipierro  wrote:
> You can simplify it a bit
>
> def ajaxuserexist():
>       username = request.vars.values()[0]
>       return  db(db.auth_user.login==username).count() and 'yes' or
> 'no'
>
> although it will not solve your problem.
> There is nothing special in table auth_user so the problem is
> somewhere else.
>
> I suggest you insert a print repr(username).
> Do you get any ticket? What does it say?
>
> massimo
>
> On 30 Giu, 14:29, elfuego1  wrote:
>
> > During registration I want to check on the fly, if login chosen by the
> > user is already in use or is it not in db and available to be used.
>
> > def ajaxuserexist():
> >     username = request.vars.values()[0]
> >     query = (db.auth_user.login==username)
> >     numres = db(query).count()
> >     if numres > 0 :
> >        return 'yes'
> >     else:
> >         return 'no'
>
> > When I test it on any other table that doesn't have prefix auth_ then
> > the above code works, but unfortunately I need to test auth_user
> > table :-(
>
> > On 30 Cze, 21:19, Chris S  wrote:
>
> > > Probably a dumb question, but what are you checking the user against?
>
> > > Both my and your example above are checking for username and you
> > > didn't define a username in your auth_user.
>
> > > Your query then is not working as:
>
> > > def userexist(emailcheck):
> > >     if db(db.auth_user.email==emailcheck).count() > 0:
> > >         return 'yes'
> > >     else:
> > >         return 'no'
>
> > > I know I've returned searches on auth_user it's no different than
> > > other tables.  Just gotta find whey your getting no results.  Might
> > > help if you post the exact search code that goes with the above
> > > auth_user and the error message that's generated.
>
> > > On Jun 30, 2:12 pm, elfuego1  wrote:
>
> > > > Since I had added some fields (and intend to customize it further) to
> > > > my auth_user table the code for auth_user in db.py looks like that:
>
> > > > from gluon.tools import *
> > > > auth=Auth(globals(),db)
>
> > > > db.define_table('auth_user',
> > > >     SQLField('login', 'string', length=50, default=''),
> > > >     SQLField('password', 'password', length=512, readable=False,
> > > > label='Password'),
> > > >     SQLField('registration_key', length=512, default= '',
> > > > writable=False, readable=False),
> > > >     SQLField('reset_password_key', length=512, default='',
> > > > writable=False, readable=False),
> > > >     SQLField('first_name', length=128,default=''),
> > > >     SQLField('last_name', length=128,default=''),
> > > >     SQLField('email', length=128,default='', unique=True),
> > > >     SQLField('phone', 'string', length=30, default=''),
> > > > )
>
> > > > On 30 Cze, 20:59, Chris S  wrote:
>
> > > > > And you've defined auth in db.py with:
>
> > > > > from gluon.tools import Auth
> > > > > auth = Auth(globals(), db)
> > > > > auth.define_tabl

[web2py] db and variables

2010-06-30 Thread Rick
Hi,

I'm trying to write loops in db.py:

letters = ['a', 'b', 'c', 'd']
for i in range(len(letters)):
    for j in range(len(letters)):
        db.define_table('connection'+letters[i]+letters[j],
            SQLField('smthng', db.???letters[i]))

What should I use instead of ???  to make the computer understand that
as db.a when i=0 and j=0?

Thanks in advance for help!


Re: [web2py] Re: What to Use... gluon.dal or gluon.sql ??

2010-06-30 Thread Phyo Arkar
Ok , thanks massimo.

On Wed, Jun 30, 2010 at 4:24 PM, mdipierro  wrote:

> gluon/sql.py
>
> dal.py is an experimental rewrite that is stuck because of lack of
> time.
>
> On 30 Giu, 10:55, Phyo Arkar  wrote:
> > I am confused ... :?


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread mdipierro
this is how I make my hmac_key

>>> import uuid
>>> print 'sha512:'+str(uuid.uuid4())

web2py has a function in gluon/admin.py, app_create('name',request)
that clones welcome and replaces hmac_key='<>' with a random key
generated as above.

From a web2py shell you can also do

>>> from gluon.admin import app_create
>>> app_create('mynewapp',request)

I would not know how to make this transparent. If you have any idea
please let me know. I agree that this is undocumented.


On 30 Giu, 15:01, Yarko Tymciurak  wrote:
> On Jun 30, 2:44 pm, Craig Younkins  wrote:
>
>
>
> > If you'd like this moved to the developers list, just approve my application
> > and reply there.
>
> > > When I say that MD5 is the default that applies only to the case that
> > > a hmac_key is not specified. This is 1) for backward compatibility; 2)
> > > because without a key/salt sha512 and md5 are vulnerable to the same
> > > dictionary attacks.
>
> > Hmm Well, I'm looking at the CRYPT class and it appears that in order to
> > use HMAC the *caller* needs to pass in the key parameter. Grepping the
> > source tree I've found a few places where the caller does not supply the
> > key:
>
> > applications/admin/models/access.py:55
> > applications/admin/controllers/default.py:78
> > gluon/main.py:480
> > gluon/main.py:495
> > gluon/validators.py:2344
>
> > I am of course unfamiliar with the internals of the project, but it would
> > appear to me that admin passwords are never HMAC'd. Can you confirm?
>
> ... interesting discussion   Let me FIRST point out some things
> Craig mentions which should not fall by the wayside:
>
> 1. -- There is no documented way to generate {an appropriate}
> hmac_key:
>   ==>  This is true;   One major way to alleviate this would be to
> have an admin function that could be called manually (take your pick:
> to do the replacement, as gluon/admin.py:app_create()  does, which
> would need a search/replace --- or better, just give a popup with a
> newly formed key an admin could readily copy/paste.
>
>   ==>  This is also inconsistently applied --- for example, if you
> pack "welcome"  app, and then (as you might with apps from other
> sites, such as web2py.com, or other users)  install it as a newly
> (re)named application,      persists.    At the
> surface, the same thing app_create() is doing could be done in
> app_install(), but this too would be prone to inconsistencies (i.e.
> the user you get an app from to test for them will have already
> installed their own hmac_key, so the kind of replacement that
> app_create() does - which depends on a "magic string" in the template
> app,   will fail.
>
> A better solution would be to make this completely transparent --- a
> little thinking about this should come to a solution (hmac_key is
> currently persisted in a source file...)
>
> ... Good discussion, guys - lovely to see this!
>
> - Yarko
>
>
>
> > I suggest that the key be pulled in from the configuration inside CRYPT so
> > that the caller isn't required to pass it in. I would also suggest that the
> > hash method be placed in configuration. Consolidating the configuration of
> > security mechanisms greatly aids in a security review. If it were
> > consolidated, a reviewer would only have to look at the default
> > configuration. In it's current state, a reviewer needs to look at all the
> > callers of CRYPT to determine the security of CRYPT.
>
> > I realize some of my suggestions may prove difficult to support backwards
> > compatibility. In many cases this can be worked around to implement and
> > start using newer, safer security controls while maintaining support for
> > older methods. In some cases it's more difficult than others.
>
> > > If you use "admin" to create a new app, the '' is
> > > automatically replaced with something like
>
> > Thanks for clarifying! This works.
>
> > > > * Do not use cgi.escape for HTML escaping because it does not escape
> > > > single quotes and may lead to XSS - See
> > > > http://www.pythonsecurity.org/wiki/web2py/#cross-site-scripting-xss and
> > > > http://www.pythonsecurity.org/wiki/cgi/
>
> > > I assume you refer to attribute escaping. When using helpers like
>
> >  > {{=A(link,_href=url)}} then link is escaped using cgi.escape but url
>
> > > is escaped differently (quotes are escaped). The problem is that the
> > > escape function does not know whether a variable is to be inserted in
> > > html, css, js, attribute, a string in js, etc. etc. and therefore if
> > > the function does know the context it is in it can never always escape
> > > correctly. I do not believe there is a general solution to this
> > > problem. web2py assumes {{=}} is escaping HTML/XML. If you need to
> > > escape attributes we suggest using helpers.  If you need to escape js
> > > code or strings in js code, you may have to do it manually.
>
> > That's not quite what I was getting at. You're right about needing the
> > context in order to escape correctly though. I think the defa
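
The point Massimo and Craig are circling, that an unkeyed digest of a password is only as strong as a dictionary lookup while an HMAC under a server secret is not, as an added example that is not part of the thread and not web2py's CRYPT. generate_hmac_key() produces the same 'sha512:<secret>' shape as the 'sha512:'+uuid4 recipe above (uuid4 comes from os.urandom and is fine; secrets.token_hex simply asks for the random bytes directly), hash_password() mirrors the MD5-without-key fallback and the HMAC-with-key path, and dictionary_attack() plays the attacker holding a dumped auth_user table. The stored-digest layouts and every function name are this example's own. The pbkdf2 pair at the end is the step beyond the thread: a per-user salt and a slow KDF still hold when the secret leaks together with the database, which is the scenario Yarko's remark about the key living in a source file invites.

```python
import hashlib
import hmac
import secrets

# Added example, not web2py's CRYPT: generate_hmac_key, hash_password,
# verify_password, dictionary_attack, hash_password_pbkdf2 and
# verify_pbkdf2 are this example's names. The 'alg:secret' key layout
# follows the 'sha512:'+uuid4 recipe above; the stored-digest formats
# are this example's own.


def generate_hmac_key(alg='sha512'):
    """Same shape as 'sha512:'+str(uuid.uuid4()). uuid4 is drawn from
    os.urandom, so it is fine; secrets.token_hex asks for the 32 random
    bytes directly without spending bits on UUID version/variant fields."""
    return '%s:%s' % (alg, secrets.token_hex(32))


def _split_key(hmac_key):
    alg, _, secret = hmac_key.partition(':')
    if not secret or alg not in hashlib.algorithms_available:
        raise ValueError('hmac_key must look like "sha512:<secret>"')
    return alg, secret.encode()


def hash_password(password, hmac_key=None):
    """No key: plain MD5, the fallback the thread describes. With a key:
    HMAC over the password under the server secret, so a dumped table is
    useless to anyone who does not also hold the key."""
    if hmac_key is None:
        return 'md5$' + hashlib.md5(password.encode()).hexdigest()
    alg, secret = _split_key(hmac_key)
    return '%s$%s' % (alg, hmac.new(secret, password.encode(), alg).hexdigest())


def verify_password(password, stored, hmac_key=None):
    """Constant-time comparison against a digest made with the same key."""
    return hmac.compare_digest(hash_password(password, hmac_key), stored)


WORDLIST = ['password', 'letmein', 'qwerty', 'web2py', 'hunter2']  # constructed


def dictionary_attack(stored, wordlist=WORDLIST):
    """What an attacker holding the auth_user table does: digest common
    passwords once and look stored values up. Returns the password when
    stored is an unkeyed digest, None when a secret or a salt was used."""
    table = {hash_password(word): word for word in wordlist}
    return table.get(stored)


def hash_password_pbkdf2(password, salt=None, rounds=200000):
    """Per-user salt plus a deliberately slow KDF: no shared precomputed
    table works, even if the server secret leaks with the database."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac('sha512', password.encode(), salt.encode(), rounds)
    return 'pbkdf2_sha512$%s$%d$%s' % (salt, rounds, digest.hex())


def verify_pbkdf2(password, stored):
    """Re-derives with the salt and round count carried in the stored value."""
    _, salt, rounds, _ = stored.split('$')
    return hmac.compare_digest(hash_password_pbkdf2(password, salt, int(rounds)), stored)
```

dictionary_attack(hash_password('letmein')) recovers the password from the unkeyed MD5 value; the same call on hash_password('letmein', key) or on a pbkdf2 value returns None. Whatever key is generated still has to be kept out of anything that is packed and shared, which is the inconsistency Yarko describes for packed applications.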

[web2py] Re: db and variables

2010-06-30 Thread mdipierro
What is connectionaa.smthng supposed to reference? You cannot
reference a table that is not yet defined.

Anyway

db.xxx is the same as db['xxx']


On 30 Giu, 13:48, Rick  wrote:
> Hi,
>
> I'm trying to write loops in db.py:
>
> letters = ['a', 'b', 'c', 'd']
> for i in range(len(letters)):
>         for j in range(len(letters)):
>
>                 db.define_table('connection'+letters[i]+letters[j],
>                         SQLField('smthng', db.???letters[i]))
>
> What should I use instead of ???  to make the computer understand that
> as db.a when i=0 and j=0?
>
> Thanks in advance for help!


[web2py] Re: Accessing auth_user table

2010-06-30 Thread mdipierro
This should give you an error because the print(username) is outside
the function that defines username, after the function
returns. How are you passing the username to the ajax call? Did you
check with firebug that it calls the correct url?



On 30 Giu, 15:01, elfuego1  wrote:
> There was NO error messages. The code just didn't work.
> After inserting:
> print repr(username) to default.py I got:
>
> # -*- coding: utf-8 -*-
>
> #
> ## This is a samples controller
> ## - index is the default action of any application
> ## - user is required for authentication and authorization
> ## - download is for downloading files uploaded in the db (does
> streaming)
> ## - call exposes all registered services (none by default)
> #
>
> def index():
>     """
>     example action using the internationalization operator T and flash
>     rendered by views/default/index.html or views/generic.html
>     """
>     response.flash = T('Welcome to web2py')
>     return dict(message=T('Hello World'))
>
> def user():
>     """
>     exposes:
>    http:///[app]/default/user/login
>    http:///[app]/default/user/logout
>    http:///[app]/default/user/register
>    http:///[app]/default/user/profile
>    http:///[app]/default/user/retrieve_password
>    http:///[app]/default/user/change_password
>     use @auth.requires_login()
>         @auth.requires_membership('group name')
>         @auth.requires_permission('read','table name',record_id)
>     to decorate functions that need access control
>     """
>     return dict(form=auth())
>
> def download():
>     """
>     allows downloading of uploaded files
>    http:///[app]/default/download/[filename]
>     """
>     return response.download(request,db)
>
> def call():
>     """
>     exposes services. for example:
>    http:///[app]/default/call/jsonrpc
>     decorate with @services.jsonrpc the functions to expose
>     supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv
>     """
>     session.forget()
>     return service()
>
> def page2():
>     name = request.vars.login
>     #db.auth_user.insert(name=name)
>     return dict(name=name)
>
> def ajaxuserexist():
>       username = request.vars.values()[0]
>       return  db(db.auth_user.login==username).count() and 'yes' or
> 'no'
>
> print repr(username)
> response._vars=response._caller(index)
>
> On 30 Cze, 21:51, mdipierro  wrote:
>
> > You can simplify it a bit
>
> > def ajaxuserexist():
> >       username = request.vars.values()[0]
> >       return  db(db.auth_user.login==username).count() and 'yes' or
> > 'no'
>
> > although it will not solve your problem.
> > There is nothing special in table auth_user so the problem is
> > somewhere else.
>
> > I suggest you insert a print repr(username).
> > Do you get any ticket? What does it say?
>
> > massimo
>
> > On 30 Giu, 14:29, elfuego1  wrote:
>
> > > During registration I want to check on the fly, if login chosen by the
> > > user is already in use or is it not in db and available to be used.
>
> > > def ajaxuserexist():
> > >     username = request.vars.values()[0]
> > >     query = (db.auth_user.login==username)
> > >     numres = db(query).count()
> > >     if numres > 0 :
> > >        return 'yes'
> > >     else:
> > >         return 'no'
>
> > > When I test it on any other table that doesn't have prefix auth_ then
> > > the above code works, but unfortunately I need to test auth_user
> > > table :-(
>
> > > On 30 Cze, 21:19, Chris S  wrote:
>
> > > > Probably a dumb question, but what are you checking the user against?
>
> > > > Both my and your example above are checking for username and you
> > > > didn't define a username in your auth_user.
>
> > > > Your query then is not working as:
>
> > > > def userexist(emailcheck):
> > > >     if db(db.auth_user.email==emailcheck).count() > 0:
> > > >         return 'yes'
> > > >     else:
> > > >         return 'no'
>
> > > > I know I've returned searches on auth_user it's no different than
> > > > other tables.  Just gotta find why you're getting no results.  Might
> > > > help if you post the exact search code that goes with the above
> > > > auth_user and the error message that's generated.
>
> > > > On Jun 30, 2:12 pm, elfuego1  wrote:
>
> > > > > Since I had added some fields (and intend to customize it further) to
> > > > > my auth_user table the code for auth_user in db.py looks like that:
>
> > > > > from gluon.tools import *
> > > > > auth=Auth(globals(),db)
>
> > > > > db.define_table('auth_user',
> > > > >     SQLField('login', 'string', length=50, default=''),
> > > > >     SQLField('password', 'password', length=512, readable=False,
> > > > > label='Password'),
> > > > >     SQLField('registration_key', length=512, default= '',
> > > > > writable=False, readable=False),
> > > > >     SQLField('reset_password_key', length=512,

[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
I hope I don't make your eyes bleed by putting all the code here but
there is no other way to show it to you.
I made change only in one place of the code to gather "login" value:
{login:value}
Originally it was: {name:value}.

 $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
{login:value},function(result){

Below is the whole content of index.html

{{extend 'layout.html'}}

http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>

Ajax User Validation with web2py by Martin Sagastume

var submit = false;
$(document).ready(function(){
    $("form").submit(function() {
        return submit;
    });
});

function getData(value){
    if(value != ""){
        $("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
        $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
               {login:value}, function(result){
            if(result=='yes'){
                $("#resultbox").removeClass().addClass('error').text('Login already taken').fadeTo(900,1);
                submit = false;
            }else{
                $("#resultbox").removeClass().addClass('success').text('Login is available for registration!').fadeTo(900,1);
                submit = true;
            }
        });
    }else{
        $("#resultbox").removeClass().addClass('msg').text('This field is required');
    }
}

Login:


On 30 Cze, 22:12, mdipierro  wrote:
> This should give you an error because the print(username) is outside
> the function that defines username, after the function
> returns. How are you passing the username to the ajax call? Did you
> check with firebug that it calls the correct url?
>
> On 30 Giu, 15:01, elfuego1  wrote:
>
> > There was NO error messages. The code just didn't work.
> > After inserting:
> > print repr(username) to default.py I got:
>
> > # -*- coding: utf-8 -*-
>
> > #
> > ## This is a samples controller
> > ## - index is the default action of any application
> > ## - user is required for authentication and authorization
> > ## - download is for downloading files uploaded in the db (does
> > streaming)
> > ## - call exposes all registered services (none by default)
> > #
>
> > def index():
> >     """
> >     example action using the internationalization operator T and flash
> >     rendered by views/default/index.html or views/generic.html
> >     """
> >     response.flash = T('Welcome to web2py')
> >     return dict(message=T('Hello World'))
>
> > def user():
> >     """
> >     exposes:
> >    http:///[app]/default/user/login
> >    http:///[app]/default/user/logout
> >    http:///[app]/default/user/register
> >    http:///[app]/default/user/profile
> >    http:///[app]/default/user/retrieve_password
> >    http:///[app]/default/user/change_password
> >     use @auth.requires_login()
> >         @auth.requires_membership('group name')
> >         @auth.requires_permission('read','table name',record_id)
> >     to decorate functions that need access control
> >     """
> >     return dict(form=auth())
>
> > def download():
> >     """
> >     allows downloading of uploaded files
> >    http:///[app]/default/download/[filename]
> >     """
> >     return response.download(request,db)
>
> > def call():
> >     """
> >     exposes services. for example:
> >    http:///[app]/default/call/jsonrpc
> >     decorate with @services.jsonrpc the functions to expose
> >     supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv
> >     """
> >     session.forget()
> >     return service()
>
> > def page2():
> >     name = request.vars.login
> >     #db.auth_user.insert(name=name)
> >     return dict(name=name)
>
> > def ajaxuserexist():
> >       username = request.vars.values()[0]
> >       return  db(db.auth_user.login==username).count() and 'yes' or
> > 'no'
>
> > print repr(username)
> > response._vars=response._caller(index)
>
> > On 30 Cze, 21:51, mdipierro  wrote:
>
> > > You can simplify it a bit
>
> > > def ajaxuserexist():
> > >       username = request.vars.values()[0]
> > >       return  db(db.auth_user.login==username).count() and 'yes' or
> > > 'no'
>
> > > although it will not solve your problem.
> > > There is nothing special in table auth_user so the problem is
> > > somewhere else.
>
> > > I suggest you insert a print rep

[web2py] Re: Accessing auth_user table

2010-06-30 Thread mdipierro
I do not see anything wrong in this. Do you use firebug?

On 30 Giu, 15:18, elfuego1  wrote:
> I hope I don't make your eyes bleed by puting all the code here but
> there is no other way to show it to you.
> I made change only in one place of the code to gather "login" value:
> {login:value}
> Oryginaly it was: {name:value}.
>
>  $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> {login:value},function(result){
>
> Below is the whole content of index.html
>
> {{extend 'layout.html'}}
>
>      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> 
> 
>     
>     Ajax User Validation with web2py by Martin Sagastume title>
>     
>     
>     
>      src="{{=URL(r=request,c='static',f='jquery.js')}}">
>     
>
>     var submit = false;
>     $(document).ready(function(){
>         $("form").submit(function() {
>             return submit;
>         });
>     });
>
>     function getData(value){
>         if(value != ""){
>             $
> ("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
>             $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> {login:value},function(result){
>                 if(result=='yes'){
>                     $
> ("#resultbox").removeClass().addClass('error').text('Login already
> taken').fadeTo(900,1);
>                     submit = false;
>                 }else{
>                     $
> ("#resultbox").removeClass().addClass('success').text('Login is
> available for registration!').fadeTo(900,1);
>                     submit = true;
>                 }
>             });
>         }else{
>             $("#resultbox").removeClass().addClass('msg').text('This
> field is required');
>         }
>     }
>
>     
> 
> 
>     
>         Login:
>          onblur="getData(this.value)" />
>         
>          value="Submit" />
>     
> 
> 
>
> On 30 Cze, 22:12, mdipierro  wrote:
>
> > This should give you an error because the print(username) is outside
> > the function that defines username, after the function
> > returns. How are you passing the username to the ajax call? Did you
> > check with firebug that it calls the correct url?
>
> > On 30 Giu, 15:01, elfuego1  wrote:
>
> > > There was NO error messages. The code just didn't work.
> > > After inserting:
> > > print repr(username) to default.py I got:
>
> > > # -*- coding: utf-8 -*-
>
> > > #
> > > ## This is a samples controller
> > > ## - index is the default action of any application
> > > ## - user is required for authentication and authorization
> > > ## - download is for downloading files uploaded in the db (does
> > > streaming)
> > > ## - call exposes all registered services (none by default)
> > > #
>
> > > def index():
> > >     """
> > >     example action using the internationalization operator T and flash
> > >     rendered by views/default/index.html or views/generic.html
> > >     """
> > >     response.flash = T('Welcome to web2py')
> > >     return dict(message=T('Hello World'))
>
> > > def user():
> > >     """
> > >     exposes:
> > >    http:///[app]/default/user/login
> > >    http:///[app]/default/user/logout
> > >    http:///[app]/default/user/register
> > >    http:///[app]/default/user/profile
> > >    http:///[app]/default/user/retrieve_password
> > >    http:///[app]/default/user/change_password
> > >     use @auth.requires_login()
> > >         @auth.requires_membership('group name')
> > >         @auth.requires_permission('read','table name',record_id)
> > >     to decorate functions that need access control
> > >     """
> > >     return dict(form=auth())
>
> > > def download():
> > >     """
> > >     allows downloading of uploaded files
> > >    http:///[app]/default/download/[filename]
> > >     """
> > >     return response.download(request,db)
>
> > > def call():
> > >     """
> > >     exposes services. for example:
> > >    http:///[app]/default/call/jsonrpc
> > >     decorate with @services.jsonrpc the functions to expose
> > >     supports xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv
> > >     """
> > >     session.forget()
> > >     return service()
>
> > > def page2():
> > >     name = request.vars.login
> > >     #db.auth_user.insert(name=name)
> > >     return dict(name=name)
>
> > > def ajaxuserexist():
> > >       username = request.vars.values()[0]
> > >       return  db(db.auth_user.login==username).count() and 'yes' or
> > > '
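The ajaxuserexist() action quoted above reads request.vars.values()[0], i.e. whichever form variable happens to arrive first, and answers 'yes' when a matching auth_user row exists. Below is an added example, not code from this thread or from web2py, written as plain Python so it runs outside the framework: it reads the named 'login' variable, validates it before any lookup, and keeps the real uniqueness decision at registration time, because the jQuery 'submit' flag in the page can be bypassed by any client. The in-memory set of logins, the 'invalid' reply token and the function names are constructed for the example.

```python
"""Server-side username availability check (added example, hypothetical names).

The existing-logins set stands in for the auth_user table; request_vars is
the plain dict of form variables that web2py would expose as request.vars.
"""
import re

# Constructed sample of existing auth_user.login values.
EXISTING_LOGINS = {"alice", "bob", "carol"}

# Character policy the registration form should enforce as well.
LOGIN_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def normalize_login(login):
    """Canonical form used both for the lookup and for the stored value."""
    return login.strip().lower()


def validate_login(login):
    """Return None when the login is acceptable, else a short error string."""
    if not isinstance(login, str) or not login.strip():
        return "This field is required"
    if not LOGIN_RE.match(login.strip()):
        return "Login may only contain letters, digits, '.', '_' or '-' (3-32 chars)"
    return None


def login_taken(login, existing=EXISTING_LOGINS):
    """Case-insensitive existence check, the equivalent of db(...).count() > 0."""
    return normalize_login(login) in {normalize_login(x) for x in existing}


def ajax_user_exists(request_vars, existing=EXISTING_LOGINS):
    """Handler for the availability probe.

    Reads the named 'login' variable instead of request.vars.values()[0],
    so an unrelated first variable cannot be looked up by mistake. Returns
    the 'yes'/'no' tokens the page's JavaScript branches on, plus 'invalid'
    (added here) for input that never reaches the database.
    """
    login = request_vars.get("login")
    if validate_login(login) is not None:
        return "invalid"
    return "yes" if login_taken(login, existing) else "no"


def register(request_vars, existing=EXISTING_LOGINS):
    """Registration re-checks uniqueness on the server (web2py does this with
    IS_NOT_IN_DB); the Ajax reply is only a convenience for the user."""
    login = request_vars.get("login")
    err = validate_login(login)
    if err:
        return (False, err)
    if login_taken(login, existing):
        return (False, "Login already taken")
    existing.add(normalize_login(login))
    return (True, normalize_login(login))


if __name__ == "__main__":
    print(ajax_user_exists({"login": "Alice"}))   # taken -> yes
    print(ajax_user_exists({"login": "dave"}))    # free  -> no
    print(ajax_user_exists({"name": "alice"}))    # wrong variable name -> invalid
```

The client script in the thread treats anything other than 'yes' as "available"; a client paired with this handler should treat only 'no' that way, since 'invalid' means the value would be rejected at registration anyway.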

[web2py] Re: Caching downloads

2010-06-30 Thread Chris S
I'm not sure I understand the comment.  Following the link it says
that Microsoft file formats can not be opened if the cache-control is
set to no-cache.

What I'm seeing is cache-control is *always* set to no-cache when I
expected it to allow caching of files in /static.
It seems that with the above support issue IE would be unable to open
any Microsoft document served by Web2py because the cache-control is
always being set to no-cache.

Shouldn't files in static always be served with cache enabled?

On Jun 30, 3:01 pm, mdipierro  wrote:
> Unfortunately setting cache-control breaks IE with SSL
>
> http://support.microsoft.com/kb/316431
>
> On 30 Giu, 13:57, Chris S  wrote:
>
> > I've had this bookmarked and have been looking over it recently.  I
> > added a c_download (cached download) function as described above to
> > allow local caching of files.  The above code did not get me there
> > though I ended up using:
>
> > import os, time
> >
> > def c_download():
> >     controller=request.vars.c
> >     file=request.vars.f
> >     # explicitly allow caching; deleting the header alone was not enough
> >     response.headers['Cache-Control']='private'
> >     del response.headers['Content-Type']
> >     del response.headers['Pragma']
> >     del response.headers['Expires']
> >     filename = os.path.join(request.folder,'static',controller,file)
> >     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> >     return response.stream(open(filename,'rb'))
>
> > The key difference being I found I had to set the 'Cache-Control'
> > header, just deleting it didn't do the trick.
> > What I'm not clear on is why this is necessary.  From the book:
>
> > When static files are downloaded, web2py  does not create a session,
> > nor does it issue a cookie or execute the models. web2py always
> > streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
> > the client sends a RANGE request for a subset of the file. web2py
> > also supports the IF_MODIFIED_SINCE protocol, and does not send the
> > file if it is already stored in the browser's cache and if the file
> > has not changed since that version.
>
> > Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD
>
> > So then, if I serve a style.css file from static, or build a link from
> > URL() to a file in static.  Why do these files get downloaded every
> > time the page is loaded?
>
> > Here's an example.  Using http://127.0.0.1:8080/welcome/static/menu.gif
> > running on the GAE development server I get:
> > Header:
> > HTTP/1.0 200
> > Server: Development/1.0
> > Date: Wed, 30 Jun 2010 18:37:05 GMT
> > Content-Type: image/gif
> > Cache-Control: no-cache
> > Expires: Fri, 01 Jan 1990 00:00:00 GMT
> > Content-Length: 264
>
> > Cache:
> > Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight
> > Time)
> > Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
> > Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
> > Data Size       264
> > Fetch Count     7
> > Device  disk
>
> > Is this working as intended?  I *can* wrap every single download in a
> > function call to c_download, but should that be necessary?  Am I just
> > missing a configuration option somewhere?  I feel like I'm re-
> > inventing the wheel since 'static' files were in my understanding not
> > meant to change often anyway.
>
> > On May 6, 8:15 am, mdipierro  wrote:
>
> > > Can you provide an example of code that causes cache failure?
> > > Remember that you cannot @cache def download because of range
> > > requests.
>
> > > On May 6, 2:49 am, Iceberg  wrote:
>
> > > > It seems Mariano's story has a happy ending. Congratulations. But on a
> > > > second thought, can anyone explain why "if you quickly reload pages,
> > > > they fail" in the very first caching-download version? Caching
> > > > download can improve speed, can with a side effect of bypassing
> > > > privilege check, but no matter what, it shall not cause content to fail
> > > > to load.
>
> > > > I remember I once tried @cache(...) but encounter similar problems,
> > > > then I give up. :-(  Nice to pick it up if someone can throw some
> > > > light. Thanks!
>
> > > > Regards,
> > > > iceberg
>
> > > > On May5, 11:39am, Mariano Reingart  wrote:
>
> > > > > .. after usingfast_download(changing headers and using
> > > > > stream) it runs really quickly!
>
> > > > > (I know, serving through apache would be even faster, but in this case
> > > > > I prefer portability and a easy configuration)
>
> > > > > You can see how it's running here:
>
> > > > >http://www.pyday.com.ar/rafaela2010/
>
> > > > > (look at images at the sidebar)
>
> > > > > Thanks so much,
>
> > > > > Mariano >
>
> > > > > >> On May 4, 9:04 pm, Mariano Reingart  wrote:
> > > > > >>> I thought so,
>
> > > > > >>> I had to modify mydownload so browsers do client-side caching,
> > > > > >>> speeding up the web-page load:
>
> > > > > >>> deffast_download():
> > > > > >>>     # very basic security:
> > > > > >>>
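The c_download() controller quoted in this message builds its path with os.path.join(request.folder, 'static', controller, file) from two request variables and emits a Last-Modified value from time.localtime() with no usable zone. The block below is an added example, not code from the thread or from web2py: the same idea written as plain functions that run outside the framework, with the resolved path checked to stay inside the static directory (a '../' or absolute value in request.vars.f would otherwise leave it), an RFC 1123 GMT Last-Modified, and 'private, max-age=N' rather than 'no-cache' as the cache policy, which is the no-cache behaviour the thread links to the IE-over-SSL download failures. The names c_download_hardened, resolve_static_path, make_sample_root and the temporary sample tree are constructed for this example.

```python
"""Hardened cached static download (added example, hypothetical names)."""
import mimetypes
import os
import tempfile
from email.utils import formatdate

MAX_AGE_SECONDS = 300  # keep it short: there is no invalidation mechanism


class StaticPathError(Exception):
    """Raised when the requested file is not a regular file under static/."""


def resolve_static_path(static_root, controller, name):
    """Resolve static_root/controller/name and refuse anything that leaves
    static_root once symlinks and '..' are collapsed.

    os.path.join() discards the earlier components when a later one is
    absolute, so an absolute 'name' is caught by the same prefix check."""
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, controller, name))
    if not candidate.startswith(root + os.sep):
        raise StaticPathError("path escapes static root: %r" % name)
    if not os.path.isfile(candidate):
        raise StaticPathError("not a regular file: %r" % name)
    return candidate


def build_static_headers(path, max_age=MAX_AGE_SECONDS):
    """Headers for a cacheable static file; the caller streams the body."""
    content_type = mimetypes.guess_type(path)[0] or "application/octet-stream"
    return {
        "Content-Type": content_type,
        # 'private, max-age=N' lets the browser keep a copy for a short time
        # instead of the 'no-cache' the thread reports as the IE/SSL problem.
        "Cache-Control": "private, max-age=%d" % max_age,
        # RFC 1123 date in GMT, which is what HTTP requires here.
        "Last-Modified": formatdate(os.path.getmtime(path), usegmt=True),
    }


def c_download_hardened(static_root, request_vars):
    """Counterpart of the posted c_download(): returns (headers, path) or
    raises StaticPathError. request_vars is a plain dict in this example."""
    controller = request_vars.get("c", "")
    name = request_vars.get("f", "")
    path = resolve_static_path(static_root, controller, name)
    return build_static_headers(path), path


def is_path_rejected(static_root, request_vars):
    """True when the request is refused by the containment check."""
    try:
        c_download_hardened(static_root, request_vars)
    except StaticPathError:
        return True
    return False


def make_sample_root():
    """Constructed sample tree: static/images/menu.gif plus a file one level
    above static/ that must never be reachable through the handler."""
    base = tempfile.mkdtemp()
    images = os.path.join(base, "static", "images")
    os.makedirs(images)
    with open(os.path.join(images, "menu.gif"), "wb") as fh:
        fh.write(b"GIF89a")
    with open(os.path.join(base, "outside.txt"), "w") as fh:
        fh.write("must not be served")
    return os.path.join(base, "static")


if __name__ == "__main__":
    static = make_sample_root()
    headers, path = c_download_hardened(static, {"c": "images", "f": "menu.gif"})
    print(path, headers)
    print(is_path_rejected(static, {"c": "images", "f": "../../outside.txt"}))
```

Inside a web2py controller the returned headers would be copied into response.headers and the path handed to response.stream(); the containment check is the part that the posted version lacks, independent of the caching question.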

[web2py] Re: Doctests keep getting stuck

2010-06-30 Thread Kerem Eryılmaz
I ran the admin application's test page for my controller (i.e.
http://127.0.0.1:8000/admin/default/test/std/etc.py) through firebug,
and it looks like it is an issue with the xml produced by web2py. The
parser fails and the page is never updated (i.e. keeps flashing
"please wait") but the response is received.

Error reads:

XML Parsing Error: junk after document element Location: moz-
nullprincipal:{2bf026d5-ea46-4b0a-9bdd-21128033bf26} Line Number 1,
Column 47:

Testing controller "etc.py" ... done.
--^

Here is the problem, ./gluon/compileapp.py, lines 55-56:

html = 'Testing controller "%s.py" ... done.\n' \
% request.controller

I think starting with  as the root element is the cause.

So really, no one else?


On Jun 30, 9:26 pm, Kerem Eryılmaz  wrote:
> Hi all,
> I wonder if anyone encountered similar problems with doctests. I have
> a couple of controllers (default.py and etc.py), and a single function
> (__addTLI__) in etc.py that has a doctest. When I try to run the tests
> through the admin app, default.py passes fine (since it has no tests),
> but etc.py just hangs. I have confirmed that there is a line in my
> code that determines whether etc.py will hang or return successfully,
> however I do not see how it is possible that the specific piece of
> code determines anything (basically it produces an xml file through
> some db interaction). I tried the same testing code in a function,
> opened it up on a browser and it ran fine, error-free. I also 
> checked http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also
> surprisingly revealed that __addTLI__ had actually passed.
>
> Is it possible for a test to hang even though all subtests pass?
>
> BTW, I use version 1.79.2
>
> Cheers,
> Kerem.


Re: [web2py] Re: Anvanced applications in gae

2010-06-30 Thread Carles Gonzalez
Hi, I was trying this technique but I'm getting this traceback when
using gae_google_account:

Traceback (most recent call last):
  File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
exec ccode in environment
  File 
"/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
line 56, in 
  File "/Users/lauer/web2py/gluon/globals.py", line 96, in 
self._caller = lambda f: f()
  File 
"/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
line 35, in user
  File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
return self.login()
  File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
self.log_event(log % self.user)
  File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
origin=origin, user_id=user_id)
  File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
self._last_reference = tmp
  File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
SyntaxError: Object exists and cannot be redefined: _last_reference



On Mon, Jun 28, 2010 at 7:04 AM, dlypka  wrote:
> OK I downloaded the trunk and tested this mod.
>
>  myParent = db.ParentTable.insert(name='Bill')
>  myParentNativeRef = myParent._table._last_reference
>
>     works
>
> Thanks again.
>
> On Jun 27, 3:28 pm, mdipierro  wrote:
>> > Maybe just add a new property dynamically to the row
>> > We could call it 'nativeRef'
>>
>> > Would it be something like:
>> >     self.nativeRef = tmp     # Python can add new properties 'on-the-fly', 
>> > right?
>>
>> > as the new 2nd last statement of insert()?
>>
>> If that is useful we can do it. I just did it in trunk so you can test
>> it but I called self._last_reference to avoid possible naming
>> conflicts.
>>
>> Massimo

Any thoughts?


[web2py] Re: Caching downloads

2010-06-30 Thread mdipierro
I may have sent the wrong link. There are two issues:

1) we tried to set a cache for static files in the past and we ran
into problems with ssl and ie. This was discussed at length in an old
thread but I cannot find it now.
2) It is unclear whether serving static content should cache. In a
production environment with apache yes.  I am in favor of caching as
long as the expire time is small since we do not have a mechanism for
setting it.

If you send me a patch and we try on different browsers with and
without ssl, then we can include it.

On 30 Giu, 15:25, Chris S  wrote:
> I'm not sure I understand the comment.  Following the link it says
> that Microsoft file formats can not be opened if the cache-control is
> set to no-cache.
>
> What I'm seeing is cache-control is *always* set to no-cache when I
> expected it to allow caching of files in /static.
> It seems that with the above support issue IE would be unable to open
> any Microsoft document served by Web2py because the cache-control is
> always being set to no-cache.
>
> Shouldn't files in static always be served with cache enabled?
>
> On Jun 30, 3:01 pm, mdipierro  wrote:
>
> > Unfortunately setting cache-control breaks IE with SSL
>
> >http://support.microsoft.com/kb/316431
>
> > On 30 Giu, 13:57, Chris S  wrote:
>
> > > I've had this bookmarked and have been looking over it recently.  I
> > > added a c_download (cached download) function as described above to
> > > allow local caching of files.  The above code did not get me there
> > > though I ended up using:
>
> > > import os, time
> > >
> > > def c_download():
> > >     controller=request.vars.c
> > >     file=request.vars.f
> > >     # explicitly allow caching; deleting the header alone was not enough
> > >     response.headers['Cache-Control']='private'
> > >     del response.headers['Content-Type']
> > >     del response.headers['Pragma']
> > >     del response.headers['Expires']
> > >     filename = os.path.join(request.folder,'static',controller,file)
> > >     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> > >     return response.stream(open(filename,'rb'))
>
> > > The key difference being I found I had to set the 'Cache-Control'
> > > header, just deleting it didn't do the trick.
> > > What I'm not clear on is why this is necessary.  From the book:
>
> > > When static files are downloaded, web2py  does not create a session,
> > > nor does it issue a cookie or execute the models. web2py always
> > > streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
> > > the client sends a RANGE request for a subset of the file. web2py
> > > also supports the IF_MODIFIED_SINCE protocol, and does not send the
> > > file if it is already stored in the browser's cache and if the file
> > > has not changed since that version.
>
> > > Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD
>
> > > So then, if I serve a style.css file from static, or build a link from
> > > URL() to a file in static.  Why do these files get downloaded every
> > > time the page is loaded?
>
> > > Here's an example.  Using http://127.0.0.1:8080/welcome/static/menu.gif
> > > running on the GAE development server I get:
> > > Header:
> > > HTTP/1.0 200
> > > Server: Development/1.0
> > > Date: Wed, 30 Jun 2010 18:37:05 GMT
> > > Content-Type: image/gif
> > > Cache-Control: no-cache
> > > Expires: Fri, 01 Jan 1990 00:00:00 GMT
> > > Content-Length: 264
>
> > > Cache:
> > > Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight
> > > Time)
> > > Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight Time)
> > > Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
> > > Data Size       264
> > > Fetch Count     7
> > > Device  disk
>
> > > Is this working as intended?  I *can* wrap every single download in a
> > > function call to c_download, but should that be necessary?  Am I just
> > > missing a configuration option somewhere?  I feel like I'm re-
> > > inventing the wheel since 'static' files were in my understanding not
> > > meant to change often anyway.
>
> > > On May 6, 8:15 am, mdipierro  wrote:
>
> > > > Can you provide an example of code that causes cache failure?
> > > > Remember that you cannot @cache def download because of range
> > > > requests.
>
> > > > On May 6, 2:49 am, Iceberg  wrote:
>
> > > > > It seems Mariano's story has a happy ending. Congratulations. But on a
> > > > > second thought, can anyone explain why "if you quickly reload pages,
> > > > > they fail" in the very first caching-download version? Caching
> > > > > download can improve speed, can with a side effect of bypassing
> > > > > privilege check, but no matter what, it shall not cause content to fail
> > > > > to load.
>
> > > > > I remember I once tried @cache(...) but encounter similar problems,
> > > > > then I give up. :-(  Nice to pick it up if someone can throw some
> > > > > light. Thanks!
>
> > > > > Regards,
> > > > > iceberg
>
> > > > > On May5, 11:39am, Mariano Reingart  w

[web2py] Re: Doctests keep getting stuck

2010-06-30 Thread mdipierro
The test controller generates " and that is a piece of
html received via ajax, not xml. It should be valid.

On 30 Giu, 15:25, Kerem Eryılmaz  wrote:
> I ran the admin application's test page for my controller 
> (i.e.http://127.0.0.1:8000/admin/default/test/std/etc.py) through firebug,
> and it looks like it is an issue with the xml produced by web2py. The
> parser fails and the page is never updated (i.e. keeps flashing
> "please wait") but the response is received.
>
> Error reads:
>
> XML Parsing Error: junk after document element Location: moz-
> nullprincipal:{2bf026d5-ea46-4b0a-9bdd-21128033bf26} Line Number 1,
> Column 47:
>
> Testing controller "etc.py" ... done.
> --^
>
> Here is the problem, ./gluon/compileapp.py, lines 55-56:
>
> html = 'Testing controller "%s.py" ... done.\n' \
>     % request.controller
>
> I think starting with  as the root element is the cause.
>
> So really, no one else?
>
> On Jun 30, 9:26 pm, Kerem Eryılmaz  wrote:
>
> > Hi all,
> > I wonder if anyone encountered similar problems with doctests. I have
> > a couple of controllers (default.py and etc.py), and a single function
> > (__addTLI__) in etc.py that has a doctest. When I try to run the tests
> > through the admin app, default.py passes fine (since it has no tests),
> > but etc.py just hangs. I have confirmed that there is a line in my
> > code that determines whether etc.py will hang or return successfully,
> > however I do not see how it is possible that the specific piece of
> > code determines anything (basically it produces an xml file through
> > some db interaction). I tried the same testing code in a function,
> > opened it up on a browser and it ran fine, error-free. I also 
> > checked http://127.0.0.1:8000/std/etc/_TEST for raw test data, but it also
> > surprisingly revealed that __addTLI__ had actually passed.
>
> > Is it possible for a test to hang even though all subtests pass?
>
> > BTW, I use version 1.79.2
>
> > Cheers,
> > Kerem.


[web2py] Re: Anvanced applications in gae

2010-06-30 Thread mdipierro
You are right... fixing it in trunk..1..2..3..done. Please check it.

Massimo

On 30 Giu, 15:25, Carles Gonzalez  wrote:
> Hi, I was trying this technique but I'm getting this traceback when
> using gae_google_account:
>
> Traceback (most recent call last):
>   File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
>     exec ccode in environment
>   File 
> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
> line 56, in 
>   File "/Users/lauer/web2py/gluon/globals.py", line 96, in 
>     self._caller = lambda f: f()
>   File 
> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
> line 35, in user
>   File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
>     return self.login()
>   File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
>     self.log_event(log % self.user)
>   File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
>     origin=origin, user_id=user_id)
>   File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
>     self._last_reference = tmp
>   File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
>     raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
> SyntaxError: Object exists and cannot be redefined: _last_reference
>
>
>
> On Mon, Jun 28, 2010 at 7:04 AM, dlypka  wrote:
> > OK I downloaded the trunk and tested this mod.
>
> >  myParent = db.ParentTable.insert(name='Bill')
> >  myParentNativeRef = myParent._table._last_reference
>
> >     works
>
> > Thanks again.
>
> > On Jun 27, 3:28 pm, mdipierro  wrote:
> >> > Maybe just add a new property dynamically to the row
> >> > We could call it 'nativeRef'
>
> >> > Would it be something like:
> >> >     self.nativeRef = tmp     # Python can add new properties 
> >> > 'on-the-fly', right?
>
> >> > as the new 2nd last statement of insert()?
>
> >> If that is useful we can do it. I just did it in trunk so you can test
> >> it but I called self._last_reference to avoid possible naming
> >> conflicts.
>
> >> Massimo
>
> Any thoughts?


[web2py] Re: Caching downloads

2010-06-30 Thread Chris S
I'll take a look and see what I can do.

Can you point me to where this is happening?  I see a streamer.py but
no where does it set Cache-Control = no-cache.
Where is that decision being made?
I'm assuming in the same gluon module I'll find the logic behind the
auto-stream of /static/filename?

On Jun 30, 3:35 pm, mdipierro  wrote:
> I may have sent the wrong link. There are two issues:
>
> 1) we tried to set a cache for static files in the past and we ran
> into problems with ssl and ie. This was discussed at length in an old
> thread but I cannot find it now.
> 2) It is unclear whether serving static content should cache. In a
> production environment with apache yes.  I am in favor of caching as
> long as the expire time is small since we do not have a mechanism for
> setting it.
>
> If you send me a patch and we try on different browsers with and
> without ssl, then we can include it.
>
> On 30 Giu, 15:25, Chris S  wrote:
>
> > I'm not sure I understand the comment.  Following the link it says
> > that Microsoft file formats can not be opened if the cache-control is
> > set to no-cache.
>
> > What I'm seeing is cache-control is *always* set to no-cache when I
> > expected it to allow caching of files in /static.
> > It seems that with the above support issue IE would be unable to open
> > any Microsoft document served by Web2py because the cache-control is
> > always being set to no-cache.
>
> > Shouldn't files in static always be served with cache enabled?
>
> > On Jun 30, 3:01 pm, mdipierro  wrote:
>
> > > Unfortunately setting cache-control breaks IE with SSL
>
> > >http://support.microsoft.com/kb/316431
>
> > > On 30 Giu, 13:57, Chris S  wrote:
>
> > > > I've had this bookmarked and have been looking over it recently.  I
> > > > added a c_download (cached download) function as described above to
> > > > allow local caching of files.  The above code did not get me there
> > > > though I ended up using:
>
> > > > import os, time
> > > >
> > > > def c_download():
> > > >     controller=request.vars.c
> > > >     file=request.vars.f
> > > >     # explicitly allow caching; deleting the header alone was not enough
> > > >     response.headers['Cache-Control']='private'
> > > >     del response.headers['Content-Type']
> > > >     del response.headers['Pragma']
> > > >     del response.headers['Expires']
> > > >     filename = os.path.join(request.folder,'static',controller,file)
> > > >     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> > > >     return response.stream(open(filename,'rb'))
>
> > > > The key difference being I found I had to set the 'Cache-Control'
> > > > header, just deleting it didn't do the trick.
> > > > What I'm not clear on is why this is necessary.  From the book:
>
> > > > When static files are downloaded, web2py  does not create a session,
> > > > nor does it issue a cookie or execute the models. web2py always
> > > > streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
> > > > the client sends a RANGE request for a subset of the file. web2py
> > > > also supports the IF_MODIFIED_SINCE protocol, and does not send the
> > > > file if it is already stored in the browser's cache and if the file
> > > > has not changed since that version.
>
> > > > Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD
>
> > > > So then, if I serve a style.css file from static, or build a link from
> > > > URL() to a file in static.  Why do these files get downloaded every
> > > > time the page is loaded?
>
> > > > Here's an example.  Using http://127.0.0.1:8080/welcome/static/menu.gif
> > > > running on the GAE development server I get:
> > > > Header:
> > > > HTTP/1.0 200
> > > > Server: Development/1.0
> > > > Date: Wed, 30 Jun 2010 18:37:05 GMT
> > > > Content-Type: image/gif
> > > > Cache-Control: no-cache
> > > > Expires: Fri, 01 Jan 1990 00:00:00 GMT
> > > > Content-Length: 264
>
> > > > Cache:
> > > > Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight
> > > > Time)
> > > > Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight 
> > > > Time)
> > > > Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
> > > > Data Size       264
> > > > Fetch Count     7
> > > > Device  disk
>
> > > > Is this working as intended?  I *can* wrap every single download in a
> > > > function call to c_download, but should that be necessary?  Am I just
> > > > missing a configuration option somewhere?  I feel like I'm re-
> > > > inventing the wheel since 'static' files were in my understanding not
> > > > meant to change often anyway.
>
> > > > On May 6, 8:15 am, mdipierro  wrote:
>
> > > > > Can you provide an example of code that causes cache failure?
> > > > > Remember that you cannot @cache def download because of range
> > > > > requests.
>
> > > > > On May 6, 2:49 am, Iceberg  wrote:
>
> > > > > > It seems Mariano's story has a happy ending. Congratulations. But 
> > > > > > on a
> > > > > > second thought, can anyone explain why "if you quickly re

[web2py] How may I do that

2010-06-30 Thread Jean-Guy

Hello,

How may I pass the id of my entered record to another function?

def atable_create():
    if auth.has_membership(auth.id_group('group1')):
        form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
    elif form.errors:
        response.flash = T('form has errors')
    else:
        response.flash = T('please fill out the form')
    return dict(form=form)

def atable_read(...):
    form=crud.read(db.atable,4)
    return dict(form=form)

Thanks

Jonhy


[web2py] Re: Caching downloads

2010-06-30 Thread mdipierro
If I understand you talk about normal static files.  That is done in
gluon/main.py

static_file = parse_url(request, environ)
if static_file:
    if request.env.get('query_string', '')[:10] == 'attachment':
        response.headers['Content-Disposition'] = 'attachment'
    response.stream(static_file, request=request)




On 30 Giu, 15:42, Chris S  wrote:
> I'll take a look and see what I can do.
>
> Can you point me to where this is happening?  I see a streamer.py but
> no where does it set Cache-Control = no-cache.
> Where is that decision being made?
> I'm assuming in the same gluon module I'll find the logic behind the
> auto-stream of /static/filename?
>
> On Jun 30, 3:35 pm, mdipierro  wrote:
>
> > I may have sent the wrong link. There are two issues:
>
> > 1) we tried to set a cache for static files in the past and we ran
> > into problems with ssl and ie. This was discussed at length in an old
> > thread but I cannot find it now.
> > 2) It is unclear whether serving static content should cache. In a
> > production environment with apache yes.  I am in favor of caching as
> > long as the expire time is small since we do not have a mechanism for
> > setting it.
>
> > If you send me a patch and we try on different browsers with and
> > without ssl, then we can include it.
>
> > On 30 Giu, 15:25, Chris S  wrote:
>
> > > I'm not sure I understand the comment.  Following the link it says
> > > that Microsoft file formats can not be opened if the cache-control is
> > > set to no-cache.
>
> > > What I'm seeing is cache-control is *always* set to no-cache when I
> > > expected it to allow caching of files in /static.
> > > It seems that with the above support issue IE would be unable to open
> > > any Microsoft document served by Web2py because the cache-control is
> > > always being set to no-cache.
>
> > > Shouldn't files in static always be served with cache enabled?
>
> > > On Jun 30, 3:01 pm, mdipierro  wrote:
>
> > > > Unfortunately setting cache-control breaks IE with SSL
>
> > > >http://support.microsoft.com/kb/316431
>
> > > > On 30 Giu, 13:57, Chris S  wrote:
>
> > > > > I've had this bookmarked and have been looking over it recently.  I
> > > > > added a c_download (cached download) function as described above to
> > > > > allow local caching of files.  The above code did not get me there
> > > > > though I ended up using:
>
> > > > > import os, time
> > > > >
> > > > > def c_download():
> > > > >     controller=request.vars.c
> > > > >     file=request.vars.f
> > > > >     # explicitly allow caching; deleting the header alone was not enough
> > > > >     response.headers['Cache-Control']='private'
> > > > >     del response.headers['Content-Type']
> > > > >     del response.headers['Pragma']
> > > > >     del response.headers['Expires']
> > > > >     filename = os.path.join(request.folder,'static',controller,file)
> > > > >     response.headers['Last-Modified'] = time.strftime("%a, %d %b %Y %H:%M:%S +", time.localtime(os.path.getmtime(filename)))
> > > > >     return response.stream(open(filename,'rb'))
>
> > > > > The key difference being I found I had to set the 'Cache-Control'
> > > > > header, just deleting it didn't do the trick.
> > > > > What I'm not clear on is why this is necessary.  From the book:
>
> > > > > When static files are downloaded, web2py  does not create a session,
> > > > > nor does it issue a cookie or execute the models. web2py always
> > > > > streams static files in chunks of 1MB, and sends PARTIAL CONTENT when
> > > > > the client sends a RANGE request for a subset of the file. web2py
> > > > > also supports the IF_MODIFIED_SINCE protocol, and does not send the
> > > > > file if it is already stored in the browser's cache and if the file
> > > > > has not changed since that version.
>
> > > > > Link: http://web2py.com/book/default/section/4/2?search=supports+the+IF_MOD
>
> > > > > So then, if I serve a style.css file from static, or build a link from
> > > > > URL() to a file in static.  Why do these files get downloaded every
> > > > > time the page is loaded?
>
> > > > > Here's an example.  Using http://127.0.0.1:8080/welcome/static/menu.gif
> > > > > running on the GAE development server I get:
> > > > > Header:
> > > > > HTTP/1.0 200
> > > > > Server: Development/1.0
> > > > > Date: Wed, 30 Jun 2010 18:37:05 GMT
> > > > > Content-Type: image/gif
> > > > > Cache-Control: no-cache
> > > > > Expires: Fri, 01 Jan 1990 00:00:00 GMT
> > > > > Content-Length: 264
>
> > > > > Cache:
> > > > > Last Modified   Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight
> > > > > Time)
> > > > > Last Fetched    Wed Jun 30 2010 13:37:06 GMT-0500 (Central Daylight 
> > > > > Time)
> > > > > Expires Wed Dec 31 1969 18:00:00 GMT-0600 (Central Standard Time)
> > > > > Data Size       264
> > > > > Fetch Count     7
> > > > > Device  disk
>
> > > > > Is this working as intended?  I *can* wrap every single download in a
> > > > > function call to c_download, but should that be necessary?  Am I just
> > > > > missing a
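The gluon/main.py branch quoted in this message is where a /static/ request is streamed, and the book passage quoted further down says web2py honours IF_MODIFIED_SINCE. The block below is an added example, not web2py's code: the conditional-GET decision for such a file written as pure functions, so that the relation between the cache policy and the revalidation round trip can be checked offline. With Cache-Control: no-cache the browser still asks on every page load and the 304 is the only saving; with a short max-age it does not ask until the entry expires, and a 304 then suffices when the mtime has not moved. The function name decide_static_response, the lower-cased header dict and the sample timestamp are constructed for this example.

```python
"""Conditional GET for a static file (added example, hypothetical names)."""
from email.utils import formatdate, parsedate_to_datetime

MAX_AGE_SECONDS = 300


def parse_http_date(value):
    """POSIX timestamp for an RFC 1123 date, or None if it does not parse.
    An unparsable conditional header must be ignored, never treated as a match."""
    if not value:
        return None
    try:
        return parsedate_to_datetime(value).timestamp()
    except (TypeError, ValueError, IndexError):
        return None


def decide_static_response(request_headers, query_string, mtime, max_age=MAX_AGE_SECONDS):
    """Return (status, headers) for a static file with the given mtime.

    request_headers: dict keyed by lower-cased header name (constructed).
    query_string: raw query string; as in the quoted main.py, a leading
    'attachment' asks for a download prompt via Content-Disposition.
    """
    mtime = int(mtime)  # HTTP dates carry one-second resolution
    headers = {
        "Last-Modified": formatdate(mtime, usegmt=True),
        "Cache-Control": "private, max-age=%d" % max_age,
    }
    if query_string[:10] == "attachment":
        headers["Content-Disposition"] = "attachment"

    since = parse_http_date(request_headers.get("if-modified-since"))
    if since is not None and mtime <= int(since):
        # Unchanged since the cached copy: no body, but the validators are
        # repeated so the cache can refresh its own metadata.
        return 304, headers
    return 200, headers


if __name__ == "__main__":
    # Constructed: the mtime matching the Date header in the thread's capture.
    MTIME = 1277923025  # Wed, 30 Jun 2010 18:37:05 GMT
    print(decide_static_response({}, "", MTIME))
    print(decide_static_response(
        {"if-modified-since": "Wed, 30 Jun 2010 18:37:05 GMT"}, "", MTIME))
```

The web2py response.stream() call in the quoted snippet would wrap this decision around the actual file read; what the example makes visible is that the header policy, not the 304 logic, decides how often the browser comes back at all.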

Re: [web2py] Re: Anvanced applications in gae

2010-06-30 Thread Carles Gonzalez
Now it is working. Thanks, let's continue testing...

On Wed, Jun 30, 2010 at 10:39 PM, mdipierro  wrote:
> You are right... fixing it in trunk..1..2..3..done. Please check it.
>
> Massimo
>
> On 30 Giu, 15:25, Carles Gonzalez  wrote:
>> Hi, I was trying this technique but I'm getting this traceback when
>> using gae_google_account:
>>
>> Traceback (most recent call last):
>>   File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
>>     exec ccode in environment
>>   File 
>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
>> line 56, in 
>>   File "/Users/lauer/web2py/gluon/globals.py", line 96, in 
>>     self._caller = lambda f: f()
>>   File 
>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
>> line 35, in user
>>   File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
>>     return self.login()
>>   File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
>>     self.log_event(log % self.user)
>>   File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
>>     origin=origin, user_id=user_id)
>>   File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
>>     self._last_reference = tmp
>>   File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
>>     raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
>> SyntaxError: Object exists and cannot be redefined: _last_reference
>>
>>
>>
>> On Mon, Jun 28, 2010 at 7:04 AM, dlypka  wrote:
>> > OK I downloaded the trunk and tested this mod.
>>
>> >  myParent = db.ParentTable.insert(name='Bill')
>> >  myParentNativeRef = myParent._table._last_reference
>>
>> >     works
>>
>> > Thanks again.
>>
>> > On Jun 27, 3:28 pm, mdipierro  wrote:
>> >> > Maybe just add a new property dynamically to the row
>> >> > We could call it 'nativeRef'
>>
>> >> > Would it be something like:
>> >> >     self.nativeRef = tmp     # Python can add new properties 
>> >> > 'on-the-fly', right?
>>
>> >> > as the new 2nd last statement of insert()?
>>
>> >> If that is useful we can do it. I just did it in trunk so you can test
>> >> it but I called self._last_reference to avoid possible naming
>> >> conflicts.
>>
>> >> Massimo
>>
>> Any thoughts?


[web2py] Re: How may I do that

2010-06-30 Thread mdipierro
it is in form.vars.id. You can also use a shortcut:

form=crud.create(db.atable,next='atable_read/[id]')

On 30 Giu, 15:52, Jean-Guy  wrote:
> Hello,
>
> How may I pass the id of my entered record to another function?
>
> def atable_create():
>     if auth.has_membership(auth.id_group('group1')):
>         form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
>     elif form.errors:
>         response.flash = T('form has errors')
>     else:
>         response.flash = T('please fill out the form')
>     return dict(form=form)
>
> def atable_read(...):
>      form=crud.read(db.atable,4)
>      return dict(form=form)
>
> Thanks
>
> Jonhy


[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
I have firebug installed. What do you want me to look for?
You want to see some firebug output?



On 30 Cze, 22:25, mdipierro  wrote:
> I do not see anything wrong in this. Do you use firebug?
>
> On 30 Giu, 15:18, elfuego1  wrote:
>
> > I hope I don't make your eyes bleed by putting all the code here but
> > there is no other way to show it to you.
> > I made a change in only one place of the code to gather the "login" value:
> > {login:value}
> > Originally it was: {name:value}.
>
> >  $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> > {login:value},function(result){
>
> > Below is the whole content of index.html
>
> > {{extend 'layout.html'}}
>
> >  >     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> > 
> > 
> >     
> >     Ajax User Validation with web2py by Martin Sagastume > title>
> >     
> >     
> >     
> >      > src="{{=URL(r=request,c='static',f='jquery.js')}}">
> >     
>
> >     var submit = false;
> >     $(document).ready(function(){
> >         $("form").submit(function() {
> >             return submit;
> >         });
> >     });
>
> >     function getData(value){
> >         if(value != ""){
> >             $
> > ("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
> >             $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> > {login:value},function(result){
> >                 if(result=='yes'){
> >                     $
> > ("#resultbox").removeClass().addClass('error').text('Login already
> > taken').fadeTo(900,1);
> >                     submit = false;
> >                 }else{
> >                     $
> > ("#resultbox").removeClass().addClass('success').text('Login is
> > available for registration!').fadeTo(900,1);
> >                     submit = true;
> >                 }
> >             });
> >         }else{
> >             $("#resultbox").removeClass().addClass('msg').text('This
> > field is required');
> >         }
> >     }
>
> >     
> > 
> > 
> >     
> >         Login:
> >          > onblur="getData(this.value)" />
> >         
> >          > value="Submit" />
> >     
> > 
> > 
>
> > On 30 Cze, 22:12, mdipierro  wrote:
>
> > > This should give you an error because the print(username) is outside
> > > the function that defines username, after the function
> > > returns. How are you passing the username to the ajax call? Did you
> > > check with firebug that it calls the correct url?
>
> > > On 30 Giu, 15:01, elfuego1  wrote:
>
> > > > There were NO error messages. The code just didn't work.
> > > > After inserting:
> > > > print repr(username) to default.py I got:
>
> > > > # -*- coding: utf-8 -*-
>
> > > > #
> > > > ## This is a samples controller
> > > > ## - index is the default action of any application
> > > > ## - user is required for authentication and authorization
> > > > ## - download is for downloading files uploaded in the db (does
> > > > streaming)
> > > > ## - call exposes all registered services (none by default)
> > > > #
>
> > > > def index():
> > > >     """
> > > >     example action using the internationalization operator T and flash
> > > >     rendered by views/default/index.html or views/generic.html
> > > >     """
> > > >     response.flash = T('Welcome to web2py')
> > > >     return dict(message=T('Hello World'))
>
> > > > def user():
> > > >     """
> > > >     exposes:
> > > >    http:///[app]/default/user/login
> > > >    http:///[app]/default/user/logout
> > > >    http:///[app]/default/user/register
> > > >    http:///[app]/default/user/profile
> > > >    http:///[app]/default/user/retrieve_password
> > > >    http:///[app]/default/user/change_password
> > > >     use @auth.requires_login()
> > > >         @auth.requires_membership('group name')
> > > >         @auth.requires_permission('read','table name',record_id)
> > > >     to decorate functions that need access control
> > > >     """
> > > >     return dict(form=auth())
>
> > > > def download():
> > > >     """
> > > >     allows downloading of uploaded files
> > > >    http:///[app]/default/download/[filename]
> > > >     """
> > > >     return response.download(request,db)
>
> > > > def call():
> > > >     """
> > > >     exposes services. for example:
> > > >    http:///[app]/default/call/jsonrpc
> > > >     decorate with @services.jsonrpc the functions to expose
> > > >     supports

[web2py] Re: Accessing auth_user table

2010-06-30 Thread mdipierro
I'd like to know if the console reports any error when the ajax
request is executed.

On 30 Giu, 15:31, elfuego1  wrote:
> I have firebug installed. What do you want me to look for?
> You want to see some firebug output?
>
> On 30 Cze, 22:25, mdipierro  wrote:
>
> > I do not see anything wrong in this. Do you use firebug?
>
> > On 30 Giu, 15:18, elfuego1  wrote:
>
> > > I hope I don't make your eyes bleed by putting all the code here but
> > > there is no other way to show it to you.
> > > I made a change in only one place of the code to gather the "login" value:
> > > {login:value}
> > > Originally it was: {name:value}.
>
> > >  $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> > > {login:value},function(result){
>
> > > Below is the whole content of index.html
>
> > > {{extend 'layout.html'}}
>
> > >  > >     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> > > 
> > > 
> > >     
> > >     Ajax User Validation with web2py by Martin Sagastume > > title>
> > >     
> > >     
> > >     
> > >      > > src="{{=URL(r=request,c='static',f='jquery.js')}}">
> > >     
>
> > >     var submit = false;
> > >     $(document).ready(function(){
> > >         $("form").submit(function() {
> > >             return submit;
> > >         });
> > >     });
>
> > >     function getData(value){
> > >         if(value != ""){
> > >             $
> > > ("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
> > >             $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> > > {login:value},function(result){
> > >                 if(result=='yes'){
> > >                     $
> > > ("#resultbox").removeClass().addClass('error').text('Login already
> > > taken').fadeTo(900,1);
> > >                     submit = false;
> > >                 }else{
> > >                     $
> > > ("#resultbox").removeClass().addClass('success').text('Login is
> > > available for registration!').fadeTo(900,1);
> > >                     submit = true;
> > >                 }
> > >             });
> > >         }else{
> > >             $("#resultbox").removeClass().addClass('msg').text('This
> > > field is required');
> > >         }
> > >     }
>
> > >     
> > > 
> > > 
> > >     
> > >         Login:
> > >          > > onblur="getData(this.value)" />
> > >         
> > >          > > value="Submit" />
> > >     
> > > 
> > > 
>
> > > On 30 Cze, 22:12, mdipierro  wrote:
>
> > > > This should give you an error because the print(username) is outside
> > > > the function that defines username, after the function
> > > > returns. How are you passing the username to the ajax call? Did you
> > > > check with firebug that it calls the correct url?
>
> > > > On 30 Giu, 15:01, elfuego1  wrote:
>
> > > > > There were NO error messages. The code just didn't work.
> > > > > After inserting:
> > > > > print repr(username) to default.py I got:
>
> > > > > # -*- coding: utf-8 -*-
>
> > > > > #
> > > > > ## This is a samples controller
> > > > > ## - index is the default action of any application
> > > > > ## - user is required for authentication and authorization
> > > > > ## - download is for downloading files uploaded in the db (does
> > > > > streaming)
> > > > > ## - call exposes all registered services (none by default)
> > > > > #
>
> > > > > def index():
> > > > >     """
> > > > >     example action using the internationalization operator T and flash
> > > > >     rendered by views/default/index.html or views/generic.html
> > > > >     """
> > > > >     response.flash = T('Welcome to web2py')
> > > > >     return dict(message=T('Hello World'))
>
> > > > > def user():
> > > > >     """
> > > > >     exposes:
> > > > >    http:///[app]/default/user/login
> > > > >    http:///[app]/default/user/logout
> > > > >    http:///[app]/default/user/register
> > > > >    http:///[app]/default/user/profile
> > > > >    http:///[app]/default/user/retrieve_password
> > > > >    http:///[app]/default/user/change_password
> > > > >     use @auth.requires_login()
> > > > >         @auth.requires_membership('group name')
> > > > >         @auth.requires_permission('read','table name',record_id)
> > > > >     to decorate functions that need access control
> > > > >     """
> > > > >     return dict(form=auth())
>
> > > > > def download():
> > > > >     """
> > > > >     al

[web2py] Re: How may I do that

2010-06-30 Thread Chris S
From the book: "next is the URL to redirect to after success. If the
URL contains the substring "[id]" this will be replaced by the id of
the record currently created/updated."

While I haven't used that specifically I would say:

form=crud.create(db.atable,next=URL(r=request,f='atable_read',args=['[id]']),message=T('form accepted'))

It's my understanding that it will generate the URL:
Since [id] is replaced with the ID you should be able to access it
with: request.args[0]
Depending on what you're doing you might also look at the onaccept
parameter of CRUD.  I use that to run a function and fill out some
custom auth_user fields after a new user is created.


On Jun 30, 3:52 pm, Jean-Guy  wrote:
> Hello,
>
> How may I pass the id of my entered record to another function?
>
> def atable_create():
>     if auth.has_membership(auth.id_group('group1')):
>         form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
>     elif form.errors:
>         response.flash = T('form has errors')
>     else:
>         response.flash = T('please fill out the form')
>     return dict(form=form)
>
> def atable_read(...):
>      form=crud.read(db.atable,4)
>      return dict(form=form)
>
> Thanks
>
> Jonhy
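
The "[id]" substitution Chris quotes from the book, together with the check the receiving action should make on request.args[0] before handing it to crud.read, as an added plain-Python illustration (not web2py code and not from the thread; substitute_record_id, record_id_from_args and next_url_for are names chosen here, not web2py APIs, and the string replacement only models the documented behaviour):

```python
import re

# A record id is a positive integer without leading zeros; anything else
# coming in on the URL is rejected rather than passed to the database.
_ID_PATTERN = re.compile(r'^[1-9][0-9]*$')


def substitute_record_id(next_url, record_id):
    """Replace every "[id]" in `next_url` with the id of the record just
    created, as the book describes for crud.create(..., next=...).
    Works for a bare path ('atable_read/[id]') and for a full URL."""
    return next_url.replace('[id]', str(record_id))


def record_id_from_args(args):
    """Return the record id carried in request.args[0], or None.

    request.args comes straight from the URL, so the action that reads the
    record insists on a well-formed positive integer instead of trusting
    whatever string was sent."""
    if not args:
        return None
    candidate = args[0]
    if not _ID_PATTERN.match(candidate):
        return None
    return int(candidate)


def next_url_for(record_id, base='atable_read/[id]'):
    """The URL a successful create with next=base redirects to for the
    given new record id (constructed default matching the thread)."""
    return substitute_record_id(base, record_id)
```

In the reading action this amounts to `rid = record_id_from_args(request.args)` followed by a redirect or error when `rid` is None, and `crud.read(db.atable, rid)` otherwise.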


[web2py] web2py freezing

2010-06-30 Thread Candid
I am using web2py in my organization for internal applications. One of
the applications uses a dedicated instance of web2py (v1.78.1) running
on a dedicated Ubuntu server. It connects to our SQL Server 2005
database via FreeTDS. It runs with the following parameters:

python web2py.py -i ... -p ... -a ... -n 100 -q 100

The application uses a connection pool with 50 connections.

Recently it has started freezing occasionally. The weird thing is that
the whole web2py server freezes and basically stops responding, so not
only can you not access the app, you cannot even open the admin
console. Sometimes it starts working again after a few minutes,
sometimes I have to restart web2py.
I suspect it has something to do with either web server threads not
getting released or database connections not getting returned to the
pool (the latter would not explain why I cannot access the admin
console though).

Has anyone had similar issues? Any suggestions on how to troubleshoot
the problem? Any input would be highly appreciated.
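
A way to get evidence for the "threads not released / connections not returned" suspicion above, as an added example that is not part of the post or of web2py: dump the stack of every live Python thread in the hung process on a signal, then take two dumps a few seconds apart and list the threads whose stack has not moved. The demo_blocked_worker function constructs a worker stuck on a lock that nobody releases, which is the shape of an exhausted pool; function and file names here are assumptions chosen for the example.

```python
import signal
import sys
import threading
import time
import traceback


def dump_threads():
    """Return {thread_name: formatted stack} for every live Python thread.

    sys._current_frames() hands back each thread's current frame without
    stopping it, so this can run from a signal handler while the server
    appears hung."""
    names = {t.ident: t.name for t in threading.enumerate()}
    dumps = {}
    for ident, frame in sys._current_frames().items():
        name = names.get(ident, "thread-%d" % ident)
        dumps[name] = "".join(traceback.format_stack(frame))
    return dumps


def stuck_threads(first, second):
    """Names of threads whose stack is identical in two successive dumps:
    the candidates for a worker parked on a pool or DB lock."""
    return sorted(n for n in first if n in second and first[n] == second[n])


def install_dump_on_signal(path="/tmp/web2py-threads.txt",
                           signum=signal.SIGUSR1):
    """Append a full thread dump to `path` whenever `signum` arrives
    (POSIX only). Against a frozen server: kill -USR1 <pid>, twice."""
    def handler(_signum, _frame):
        with open(path, "a") as fh:
            fh.write("---- dump at %s ----\n" % time.ctime())
            for name, stack in dump_threads().items():
                fh.write("=== %s ===\n%s\n" % (name, stack))
    signal.signal(signum, handler)
    return handler


def demo_blocked_worker():
    """Constructed scenario: one worker blocked on a lock that is never
    released by anyone else. Returns (stuck thread names, worker stack)."""
    pool_lock = threading.Lock()
    pool_lock.acquire()                 # simulate: every pool slot in use
    started = threading.Event()

    def wait_for_connection():
        started.set()
        pool_lock.acquire()             # the worker parks here
        pool_lock.release()

    worker = threading.Thread(target=wait_for_connection,
                              name="worker-1", daemon=True)
    worker.start()
    started.wait()
    time.sleep(0.05)                    # let the worker reach acquire()
    first = dump_threads()
    time.sleep(0.05)
    second = dump_threads()
    stuck = stuck_threads(first, second)
    pool_lock.release()                 # free the worker again
    worker.join(timeout=1)
    return stuck, first["worker-1"]


if __name__ == "__main__":
    stuck, stack = demo_blocked_worker()
    print("stuck:", stuck)
    print(stack)
```

If every worker's stack ends in the pool's acquire call the pool is exhausted; if they sit in the socket layer talking to SQL Server, the database or FreeTDS is the place to look. An admin console that also hangs points at the server's worker threads rather than at one application's pool.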


[web2py] Re: web2py with AppStats

2010-06-30 Thread PanosJee
I just edited the blog post cos I had forgotten the appengine_config.py
(thanx mdmcginn)

On 30 Ιούν, 13:06, mdmcginn  wrote:
> I've added an appengine_config.py file in a comment to that blog post,
> since AppStats didn't work for me without it.
>
> Guido van Rossum (who wrote AppStats) says, "it adds some overhead to
> your application."
>
> On Jun 29, 8:27 pm, Richard  wrote:
>
>
>
> > neat!
> > Does AppStats add much overhead? If not it would be good to commit
> > that gaehandler.py change to trunk.
>
> > On Jun 30, 3:30 am, PanosJee  wrote:
>
> > > if you are on GAE it's to have AppStats on
> > > it's quite easy http://blog.socialcaddy.com/appstats-for-web2py-0


Re: [web2py] Re: Advanced applications in gae

2010-06-30 Thread Carles Gonzalez
Sorry, but I've encountered another error.

The relevant part of my code is the following:

if request.env.web2py_runtime_gae:   # if running on Google App Engine
    from gluon.contrib.login_methods.gae_google_account import GaeGoogleAccount
    auth.settings.login_form = GaeGoogleAccount()
    from gluon.contrib.gql import gae

auth.define_tables()   # creates all needed tables

db.define_table('todos', Field('name','string'),
    Field(gae.ReferenceProperty(auth_user, required=True,
          collection_name='todos'))
)

And the traceback is this:

Traceback (most recent call last):
  File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
    exec ccode in environment
  File "/Users/lauer/web2py/applications/web2pytodo/models/db.py",
line 76, in 
    Field(gae.ReferenceProperty(auth_user, required=True,
NameError: name 'auth_user' is not defined


Maybe the entity class is not defined at the time of the reference? I
created a user, but it still isn't working.

When this mini-project is finished I plan to release the source. I
think that a working example of this technique would be interesting
for reference.


On Wed, Jun 30, 2010 at 10:56 PM, Carles Gonzalez  wrote:
> Now is working. Thanks, let's continue testing...
>
> On Wed, Jun 30, 2010 at 10:39 PM, mdipierro  wrote:
>> You are right... fixing it in trunk..1..2..3..done. Please check it.
>>
>> Massimo
>>
>> On 30 Giu, 15:25, Carles Gonzalez  wrote:
>>> Hi, i was trying this technique but i'm getting this traceback when
>>> using gae_google_account:
>>>
>>> Traceback (most recent call last):
>>>   File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
>>>     exec ccode in environment
>>>   File 
>>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
>>> line 56, in 
>>>   File "/Users/lauer/web2py/gluon/globals.py", line 96, in 
>>>     self._caller = lambda f: f()
>>>   File 
>>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
>>> line 35, in user
>>>   File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
>>>     return self.login()
>>>   File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
>>>     self.log_event(log % self.user)
>>>   File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
>>>     origin=origin, user_id=user_id)
>>>   File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
>>>     self._last_reference = tmp
>>>   File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
>>>     raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
>>> SyntaxError: Object exists and cannot be redefined: _last_reference
>>>
>>>
>>>
>>> On Mon, Jun 28, 2010 at 7:04 AM, dlypka  wrote:
>>> > OK I downloaded the trunk and tested this mod.
>>>
>>> >  myParent = db.ParentTable.insert(name='Bill')
>>> >  myParentNativeRef = myParent._table._last_reference
>>>
>>> >     works
>>>
>>> > Thanks again.
>>>
>>> > On Jun 27, 3:28 pm, mdipierro  wrote:
>>> >> > Maybe just add a new property dynamically to the row
>>> >> > We could call it 'nativeRef'
>>>
>>> >> > Would it be something like:
>>> >> >     self.nativeRef = tmp     # Python can add new properties 
>>> >> > 'on-the-fly', right?
>>>
>>> >> > as the new 2nd last statement of insert()?
>>>
>>> >> If that is useful we can do it. I just did it in trunk so you can test
>>> >> it but I called self._last_reference to avoid possible naming
>>> >> conflicts.
>>>
>>> >> Massimo
>>>
>>> Any thoughts?
>


Re: [web2py] facebook oauth support

2010-06-30 Thread Michele Comitini
Hi Kuba!

The code does only authentication.  The graph API is used at the moment to
get the "me" node and only that, so that user info from facebook becomes
available under auth.user.

About the model I think that the usage of the graph API is straightforward
and similar to any other graph API or library.
RDFlib (www.rdflib.net) is an example.  The model is just a node.
Since vertices are properties of the node, reaching any information
in the graph is just a matter of node recursion.  This kind of model works
well with REST, where resources are nodes and urls are the sequence of
vertices to reach a node.
This approach is generic, gives you the most flexibility, and implementing
the model in web2py is as simple as instantiating the start node.

As soon as the example app will be usable I will post it.

tnx
michele

2010/6/29 Kuba Kucharski 

> hi, MCM
>
> the web2py community is very much interested in facebook graphApi
> integration with web2py, can you make it a plugin/model?
> I use some graph api calls in my applications but it is simple token
> exchange, no integration with app. but I know the subject, maybe I can
> help.
>
> thx for all your efforts
>
>
> --
> Kuba
>


Re: [web2py] Re: How may I do that

2010-06-30 Thread Jean-Guy
I had to figure out (remembering my reading) how to call the id in my other
function, but I got it to work.


Here are my working functions:

def atable_create():
    if auth.has_membership(auth.id_group('group1')):
        form=crud.create(db.atable,next='atable_read/[id]',message=T('form accepted'))
    elif form.errors:
        response.flash = T('form has errors')
    else:
        response.flash = T('please fill out the form')
    return dict(form=form)

def atable_read():
    form=crud.read(db.atable,request.args[0])
    return dict(form=form)

Thank you...

Jonhy

On 2010-06-30 16:58, mdipierro wrote:

it is in form.vars.id. You can also use a shortcut:

form=crud.create(db.atable,next='atable_read/[id]')

On 30 Giu, 15:52, Jean-Guy  wrote:

Hello,

How may I pass the id of my entered record to another function?

def atable_create():
    if auth.has_membership(auth.id_group('group1')):
        form=crud.create(db.atable,next=URL(r=request,f='atable_read'),message=T('form accepted'))
    elif form.errors:
        response.flash = T('form has errors')
    else:
        response.flash = T('please fill out the form')
    return dict(form=form)

def atable_read(...):
    form=crud.read(db.atable,4)
    return dict(form=form)

Thanks

Jonhy


[web2py] Re: simplejson -- wasn't this resolved?

2010-06-30 Thread zahariash
Hello.

The problem with simplejson is that it originally tries to load a C
module (_speedups.so), but the web2py version of simplejson is Python
only.
So when decoder.py, encoder.py and scanner.py try to load the C modules
they find it in the global namespace...:
try:
    from simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
except ImportError:
    c_encode_basestring_ascii = None

The workaround is switching to relative imports (tested on python 2.5):
try:
    from .. simplejson._speedups import encode_basestring_ascii as c_encode_basestring_ascii
except ImportError:
    c_encode_basestring_ascii = None

-- Zahariash


[web2py] Re: elFinder-web2py , Filemanager for Web2py!

2010-06-30 Thread Troex Nevelin
I've looked through your code and I like the idea to put POST/GET and json
outside the connector itself. I'll start contributing to your code right
now because my main goal for the next release is to make the python connector
usable in frameworks without (if this is possible) modifications.

About the speed of directory search - we know this issue. The md5 hash will be
replaced by some encryption, so the hash can be decrypted and there will
be no need to search for the directory.

If you want to keep track of elfinder source update use feed
http://elrte.ru/redmine/projects/elfinder/repository/revisions.atom

On Jun 30, 10:18 pm, Phyo Arkar  wrote:
> Hello Torex
>
> Welcome to Web2py Group!
> Thats very good to have you here!
> I am trying to make elfinder work for web2py , please feel free to reuse my
> work in your release.
>
> Here is the Connector initiation:
>
> http://code.google.com/p/elfinder-web2py/source/browse/filemanager/co...
>
> Check inside function elcon .
>
> and here is elFinder Backend Class
>
> http://code.google.com/p/elfinder-web2py/source/browse/filemanager/mo...
>
> Currently it is working partially (at least for me)
>
> Please review and test , we can work together on this.
>
> On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin wrote:
>
>
>
> > Hello, I'm author of elFinder.py
>
> > In about a month we plan to release new version of elFinder, mostly
> > bugfixes but I also plan to rewrite python version to be more library
> > like.
>
> > I know there are problems integrating elfinder with different
> > frameworks on python, current version was written for use under pure
> > CGI. This is my first major experience with python and so I have many
> > questions about the "right way" how to write connector so it can be
> > easy to integrate and write plugins.
>
> > The biggest question to me is how to implement handling POST and GET
> > data, I've seen many different ways how it is done in different
> > frameworks. Currently this is done using:
> > import cgi
> > self._form = cgi.FieldStorage()
> > Maybe I should put this outside elFinder.py and only pass parameters
> > to connector?
>
> > Feedback is welcome.
>
> > On Jun 24, 5:47 am, Phyo Arkar  wrote:
> > > Finally after 2 days of hacking elfinder backend for Django fromhttp://
> >www.elrte.ru/redmine/issues/128<
> >http://www.google.com/url?sa=D&q=http://www.elrte.ru/redmine/issues/1...>
> > > , i have managed to get elFinder working (about 90% of features)
>
> > > Attached is elFinder-web2py , still a lot of improvement needed.
>
> > > -Downloading files is not working yet but should be easy to fix.
> > > -Help me make it more integrated into web2py
> > > -Their method of Directory scanning is so slow , going to replace with
> > > os.walk.
>
> > > Please note that this is not for Production use.
>
> > > I started a project , download and test there.
>
> > > Note URL (Both in View and web2py_elcon) need to be changed to your
> > host:port
> > > (i did with port 8080)
>
> > >http://code.google.com/p/elfinder-web2py/downloads/list


[web2py] Re: web2py security - keep it up!

2010-06-30 Thread GoldenTiger
> I disagree but probably I did not explain this very well. web2py has
> two things it calls session. One is the general session managed via
> cookie session_id. One is the authentication session stored into the
> general session file. When a user logs out the authentication session
> information into the general session is deleted. If an attacker where
> to intercept the cookie session_id and try to use it to gain access to
> the system, it would not work. The session_id is used for the general
> session and it does not expire because when the user logs in again, if
> the user had a state stored in the session file, you want that state
> to be retrieved.

Well, this is my point of view:
I don't know if I'm wrong. If I understood it well, this concept
could be classified as a design concept, do you agree?
Design flaws are the most complex aspect of security.
Personally I am doubtful about the explanation above, maybe I don't
understand it very well.
Anyway it's the game of "I can't find any flaw at this moment, but you
can't demonstrate it hasn't".
Vulns like SQL injection could be enumerated and tested by a computer
in a lot of possibilities, but design flaws couldn't, since they lie in
human logic.
History is full of stories about design flaws. The following is a
representative case.
http://www.seattlepi.com/local/373426_insecure04.html

Sorry, I am very paranoid ^^


On 30 jun, 22:06, mdipierro  wrote:
> this is how I make my hmac_key
>
> >>> import uuid
> >>> print 'sha512:'+str(uuid.uuid4())
>
> web2py has a function in gluon/admin.py, app_create('name',request)
> that clones welcome and replaces hmac_key='<>' with a random key
> generated as above.
>
> From a web2py shell you can also do
>
> >>> from gluon.admin import app_create
> >>> app_create('mynewapp',request)
>
> I would not know how to make this transparent. If you have any idea
> please let me know. I agree that this is undocumented.
>
> On 30 Giu, 15:01, Yarko Tymciurak  wrote:
>
> > On Jun 30, 2:44 pm, Craig Younkins  wrote:
>
> > > If you'd like this moved to the developers list, just approve my 
> > > application
> > > and reply there.
>
> > > > When I say that MD5 is the default that applies only to the case that
> > > > a hmac_key is not specified. This is 1) for backward compatibility; 2)
> > > > because without a key/salt sha512 and md5 are vulnerable to the same
> > > > dictionary attacks.
>
> > > Hmm Well, I'm looking at the CRYPT class and it appears that in order 
> > > to
> > > use HMAC the *caller* needs to pass in the key parameter. Grepping the
> > > source tree I've found a few places where the caller does not supply the
> > > key:
>
> > > applications/admin/models/access.py:55
> > > applications/admin/controllers/default.py:78
> > > gluon/main.py:480
> > > gluon/main.py:495
> > > gluon/validators.py:2344
>
> > > I am of course unfamiliar with the internals of the project, but it would
> > > appear to me that admin passwords are never HMAC'd. Can you confirm?
>
> > ... interesting discussion   Let me FIRST point out some things
> > Craig mentions which should not fall by the wayside:
>
> > 1. -- There is no documented way to generate {an appropriate}
> > hmac_key:
> >   ==>  This is true;   One major way to alleviate this would be to
> > have an admin function that could be called manually (take your pick:
> > to do the replacement, as gluon/admin.py:app_create()  does, which
> > would need a search/replace --- or better, just give a popup with a
> > newly formed key an admin could readily copy/paste.
>
> >   ==>  This is also inconsistently applied --- for example, if you
> > pack "welcome"  app, and then (as you might with apps from other
> > sites, such as web2py.com, or other users)  install it as a newly
> > (re)named application,      persists.    At the
> > surface, the same thing app_create() is doing could be done in
> > app_install(), but this too would be prone to inconsistencies (i.e.
> > the user you get an app from to test for them will have already
> > installed their own hmac_key, so the kind of replacement that
> > app_create() does - which depends on a "magic string" in the template
> > app,   will fail.
>
> > A better solution would be to make this completely transparent --- a
> > little thinking about this should come to a solution (hmac_key is
> > currently persisted in a source file...)
>
> > ... Good discussion, guys - lovely to see this!
>
> > - Yarko
>
> > > I suggest that the key be pulled in from the configuration inside CRYPT so
> > > that the caller isn't required to pass it in. I would also suggest that 
> > > the
> > > hash method be placed in configuration. Consolidating the configuration of
> > > security mechanisms greatly aids in a security review. If it were
> > > consolidated, a reviewer would only have to look at the default
> > > configuration. In it's current state, a reviewer needs to look at all the
> > > callers of CRYPT to determine the security of CRYPT.
>
> > > I realize some 
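
The two hashing modes discussed in this thread side by side, as an added example that is not web2py's CRYPT code and does not come from any post: the hmac_key is built the way Massimo shows ('sha512:' followed by a random UUID4), the unkeyed MD5 default is kept for comparison, and precomputable shows the dictionary-attack point quoted above, namely that an unkeyed digest of a common password is one an attacker can compute in advance while the keyed one needs the secret. The function names and the 'alg:secret' parsing are assumptions made for this example.

```python
import hashlib
import hmac
import uuid


def make_hmac_key(alg='sha512'):
    """Key in the 'algorithm:secret' shape used above: 'sha512:' plus a
    random UUID4, which carries 122 bits of randomness."""
    return '%s:%s' % (alg, uuid.uuid4())


def hash_password(password, hmac_key=None):
    """Hash a password in one of the two modes the thread describes.

    - no hmac_key: plain, unkeyed MD5 (the backward-compatible default);
    - hmac_key 'alg:secret': HMAC-<alg> keyed with the secret."""
    data = password.encode('utf-8')
    if not hmac_key:
        return hashlib.md5(data).hexdigest()
    alg, secret = hmac_key.split(':', 1)
    if alg not in hashlib.algorithms_available:
        raise ValueError('unsupported digest: %s' % alg)
    return hmac.new(secret.encode('utf-8'), data, alg).hexdigest()


def verify_password(password, stored, hmac_key=None):
    """Compare in constant time so timing does not leak digest prefixes."""
    return hmac.compare_digest(hash_password(password, hmac_key), stored)


def precomputable(stored, password='password'):
    """True when an attacker holding the stored digest but NOT the key
    could have produced it offline from the candidate password alone,
    i.e. when the digest is an unkeyed MD5 or SHA-512 of the password."""
    data = password.encode('utf-8')
    guesses = {hashlib.md5(data).hexdigest(),
               hashlib.sha512(data).hexdigest()}
    return stored in guesses


if __name__ == '__main__':
    key = make_hmac_key()
    print('unkeyed  :', hash_password('password'))
    print('keyed    :', hash_password('password', key))
    print('precomputable without key:', precomputable(hash_password('password')),
          precomputable(hash_password('password', key)))
```

The keyed form still gives every user with the same password the same digest (the "key/salt" remark in the quoted text), so the key must stay out of the database and the source tree it protects; it only removes the precomputed-table attack, not the equality leak.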

[web2py] facebook oauth test on GAE

2010-06-30 Thread mcm
Hi,

You can test the facebook OAuth code on GAE:


http://grafbook.appspot.com/helloFacebook


Code of application will be available soon after some cleanup!


tnx
michele


[web2py] GAE precompilation

2010-06-30 Thread Richard
http://googleappengine.blogspot.com/2010/06/app-engine-sdk-135-released-with-new.html

"""
in this release we’ve also added support for precompilation of Python
source files to match the same feature we launched for Java last year.
For Python, you can now use precompilation to speed up application
loading time and to reduce CPU usage for new app instances. You can
enable precompilation by including the following lines in your
app.yaml file:
derived_file_type:
- python_precompiled

This will start offline precompilation of Python modules used by your
app when you deploy your application. Currently precompilation is off
by default for Python applications, but it will be enabled by default
in some future release. (Java precompilation has been enabled by
default since the release of 1.3.1.)

To give you a taste of what this feature is like, we tested this on a
modified version of Rietveld (which included a copy of Django 1.0.4 in
the app directory, and which did not use the datastore in its base
url). The latency and CPU usage results for the initial load of the
application, after uploading a new version of the app and requesting
the homepage, were:
Before precompilation enabled:
Test 1: 1450ms 1757cpu_ms
Test 2: 1298ms 1523cpu_ms
Test 3: 1539ms 1841cpu_ms
After precompilation enabled:
Test 1: 805ms 669cpu_ms
Test 2: 861ms 702cpu_ms
Test 3: 921ms 803cpu_ms
"""


anyone tested this with web2py?


[web2py] Re: How to enable "request_reset_password" function?

2010-06-30 Thread Richard
http://code.google.com/p/web2py/source/browse/gluon/tools.py
At line 1866 of gluon/tools.py you will find:

if not self.settings.mailer:
    response.flash = self.messages.function_disabled
    return ''

which means you will need to enable mail to get this working.

Richard



On Jun 26, 6:59 am, elfuego1  wrote:
> Hello,
>
> I try to enable the "request_reset_password" function but every time I
> enter this page: http://127.0.0.1:8000/project/default/user/request_reset_password
> I receive a message that the function is disabled.
>
> Can you please tell me what should I do and  where to get it working?
>
> Thank you in advance,
> Andrew.


[web2py] Re: sql.py error?

2010-06-30 Thread dlypka
For the moment, I suggest you simply remove the stmt:
self._last_reference = tmp

I can assure you that it is not needed for any existing applications.
It is intended as a future feature to support native Google App Engine
code within web2py.

_last_reference is a dynamically added attribute to the instance,
but somehow the error suggests the code is passing through that
statement twice on the same self instance.

Perhaps a del self._last_reference in front would help, but I need
to really find the root cause of the bug.

- Dave Lypka.
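
The failure mode Dave describes here, and the identical "Object exists and cannot be redefined: _last_reference" traceback Carles posted in the GAE thread, reduce to one mechanism: a __setattr__ that refuses to reassign an attribute that already exists, hit a second time on the same instance. The following added example (a toy stand-in written for this page, not gluon/sql.py code; the guard's semantics are an assumption read from the traceback) reproduces that and shows why the proposed `del self._last_reference` first makes the second pass succeed.

```python
class GuardedObject(object):
    """Stand-in for an object whose __setattr__ rejects redefinition of an
    attribute that is already present, as the traceback's message suggests."""

    def __setattr__(self, key, value):
        if key in self.__dict__:
            raise SyntaxError('Object exists and cannot be redefined: %s' % key)
        object.__setattr__(self, key, value)


def record_last_reference(obj, reference, reset_first=False):
    """Emulate the `self._last_reference = tmp` statement of insert().

    On a fresh instance it succeeds. On an instance that already carries
    the attribute (the 'reused row' situation Dave suspects) it raises,
    unless reset_first deletes the old value first, which is the
    `del self._last_reference` workaround from the post."""
    if reset_first and '_last_reference' in obj.__dict__:
        del obj._last_reference
    obj._last_reference = reference
    return obj._last_reference


def second_insert_fails(reset_first):
    """Drive two 'inserts' through one instance; True if the second raised."""
    row = GuardedObject()
    record_last_reference(row, 'ref-1', reset_first)
    try:
        record_last_reference(row, 'ref-2', reset_first)
    except SyntaxError:
        return True
    return False


if __name__ == '__main__':
    print('second insert raises without reset:', second_insert_fails(False))
    print('second insert raises with reset   :', second_insert_fails(True))
```

The `del` makes the symptom disappear, but as the post says it does not explain why the same instance is travelling through insert() twice; a fix at the call site that creates a fresh object per insert would remove the cause rather than the message.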

On Jun 30, 2:33 pm, dlypka  wrote:
> I will have a look at this tonight, using the WING IDE debugger,
> because _last_reference was a new property added at my suggestion,
> so I am somewhat familiar with it
>
> Looks like somehow the same SQL Row instance is being 'reused' for
> creating a new row
> which I would not expect to happen.
>
> - Dave Lypka.
>
> On Jun 30, 1:03 am, Yarko Tymciurak 
> wrote:
>
>
>
> > On Jun 29, 3:27 pm, Chris S  wrote:
>
> > > I'm actually not sure how to set break points.  I'm using Eclipse so
> > > I'm sure there's a way but while I'm educating myself.
>
> > A bit of an aside, but for completeness:
>
> > Not sure about Eclipse...  maybe this will
> > help: http://pydev.org/manual_adv_debugger.html
>
> > It sort of looks familiar - like winpdb  (which is a free windowed ---
> > NOT windows --- debugger for python;  you could get that separate).
>
> > I would (of course) do this with local gae environment.
>
> > An alternative is to get a 30-day eval of WingIDE, and debug with
> > that either should be fine.
>
> > - Yarko
>
> > >  Here's all you
> > > should need to know if the above isn't descriptive enough.
>
> > > In db.py:
> > > auth = Auth(globals(),db)           # authentication/authorization
> > > auth.define_tables()                # creates all needed tables
>
> > > Using Appadmin
> > > -Add a user to auth_users
> > > -Create group 'admin' in auth_groups
> > > -Make the user a member of admin in auth_memberships
>
> > > In the application:
> > > def add():
> > >     """
> > >     Debug Function
> > >     """
> > >     group=db(db.auth_group.role=='admin').select()[0]
> > >     auth.add_permission(group.id,'access','mystuff')
> > >     auth.add_permission(group.id,'access','myotherstuff')
> > >     redirect(URL(request.application,request.controller,'index'))
>
> > > Call /application/controller/add
> > > In appadmin view the auth_permissions table.
> > > You should see two entries
> > > one with the group.id for Admin, access, and table of 'mystuff'.
> > > one with the group.id for Admin, access, and table of 'myotherstuff'.
>
> > > Instead you'll get the above error and only "mystuff" is added to the
> > > auth_permissions.
> > > You can comment out either line and add them one at a time with no
> > > errors.  In fact you can add the same permission several times and
> > > you'll see duplicate entries.  You can not however, have both of the
> > > above added in a single function call.  This used to work but no longer
> > > does.  When I get some time maybe I can test which revision broke this
> > > but my guess is it's 650:7c531beb7820 with comment
> > > "self._last_reference, thanks Dave".
>
> > > Sorry I'm not more help. Wish I could just patch this but I'm still
> > > learning python/web2py and this one's a bit above me.
>
> > > On Jun 29, 3:01 pm, Yarko Tymciurak 
> > > wrote:
>
> > > > can you give a complete example necessary to reproduce?
>
> > > > Alternatively, you can debug yourself:  set a breakpoint at gluon/
> > > > tools.py::Auth:add_permission()
>
> > > > and analyze what's going on...
>
> > > > - Yarko
>
> > > > On Jun 29, 2:13 pm, Chris S  wrote:
>
> > > > > Crap that should read:
>
> > > > > To reproduce:
> > > > > def test():
> > > > >     auth.add_permission(id,'name','table1')
> > > > >     auth.add_permission(id,'name','table2')
> > > > > return
>
> > > > > I'm trying to assign two different permissions to the same group in a
> > > > > single function to get the error.
>
> > > > > On Jun 29, 2:11 pm, Chris S  wrote:
>
> > > > > > Actually, that's not exactly what's happening.
>
> > > > > > The error is produced when trying to make two calls back to back to
> > > > > > auth.add_permission().
> > > > > > Single calls still create duplicate entries but back to back calls
> > > > > > error on the 2nd call never creating an entry.
>
> > > > > > To reproduce:
> > > > > > def test():
> > > > > >     auth.add_permission(id,'name','table1')
> > > > > >     auth.add_permission(id,'name','table1')
> > > > > > return
>
> > > > > > Either one of the above can be run by itself, but both in the same
> > > > > > controller will fail with the above error on the 2nd permission.
>
> > > > > > On Jun 29, 1:35 pm, Chris S  wrote:
>
> > > > > > > I think the most recent update to trunk I've found a spot in 
> > > > > > > sql.py
> > > > > > > where functionality is different though it might be intended.
>
> > > > > > > In th
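
The failure dlypka describes above, as an added stand-alone reproduction (this is not web2py's sql.py or gql.py, and the class names are invented for the illustration): a `__setattr__` that refuses to rebind a name that already exists on the instance, an insert() that binds `_last_reference` on every call, and the two repairs the thread suggests, deleting the attribute before rebinding it or bypassing the guard for that one name. `two_inserts()` is the back-to-back add_permission pattern from Chris S's report.

```python
class GuardedAttrs(object):
    """Reproduces the guard the traceback shows: a name may be bound on an instance only once."""

    def __setattr__(self, key, value):
        if key in self.__dict__:
            raise SyntaxError('Object exists and cannot be redefined: %s' % key)
        object.__setattr__(self, key, value)


class BrokenTable(GuardedAttrs):
    """insert() keeps a handle to the last inserted row; the second call trips the guard."""

    def insert(self, **fields):
        tmp = dict(fields)            # stands in for the backend's native reference
        self._last_reference = tmp    # first call binds, second call raises
        return tmp


class DeleteFirstTable(GuardedAttrs):
    """dlypka's suggestion: del the attribute before rebinding it (__delattr__ is not guarded)."""

    def insert(self, **fields):
        tmp = dict(fields)
        if '_last_reference' in self.__dict__:
            del self._last_reference
        self._last_reference = tmp
        return tmp


class BypassTable(GuardedAttrs):
    """Alternative: treat _last_reference as rebound-by-design and skip the guard for it only."""

    def insert(self, **fields):
        tmp = dict(fields)
        object.__setattr__(self, '_last_reference', tmp)
        return tmp


def two_inserts(table):
    """Insert twice, as two consecutive add_permission() calls would.

    Reports whether the second insert raised and which row _last_reference
    points at afterwards (field names are invented for the example).
    """
    table.insert(name='access', table_name='mystuff')
    try:
        table.insert(name='access', table_name='myotherstuff')
    except SyntaxError as exc:
        return {'second_failed': True, 'error': str(exc),
                'last': table._last_reference['table_name']}
    return {'second_failed': False, 'error': None,
            'last': table._last_reference['table_name']}


if __name__ == '__main__':
    for cls in (BrokenTable, DeleteFirstTable, BypassTable):
        print(cls.__name__, two_inserts(cls()))
```

With BrokenTable the second insert raises and `_last_reference` is left pointing at the first row, which matches the report that only "mystuff" ever reaches auth_permission; either repair lets both inserts through.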

[web2py] Re: elFinder-web2py , Filemanager for Web2py!

2010-06-30 Thread GoldenTiger
Hello Troex

Welcome to web2py group!  Your arrival could not be more timely
I am working on elfinder and web2py integration.

You are in the right place to be helped with python and websites. This
google group is very helpful.
I'd like to contribute too.
My spoken English is limited to express complex ideas. I wonder if you
speak Spanish, as I see it sounds ElDorado elfinder and Spanish, and
the finder website is in Spanish. I'm from Spain.

The best way to start a project in python is google groups.
Why not create a group so that we can discuss elfinder?


About elfinder compatible with other Python frameworks, what are the
frameworks that interest you most?

Web2py is especially easy to manage files, since all transfers are
streaming automatically.
In matters of compatibility and data management I will be happy to help.
To be compatible with various frameworks is not necessarily limited by
CGI.
The only justification for using CGI are the restrictions of the web
server.

It is possible to make it compatible without having to change
anything. But then the advantages of some frameworks might be
squandered, as in the case of web2py's automatic file streaming.

About elRTE, do you plan to integrate it with elfinder and python as
well?

On 1 jul, 02:11, Troex Nevelin  wrote:
> I've looked though your code and I like idea to put POST/GET and json
> outside the connector itself. I'll start contributing your code right
> now because my main goal for next release is to make python connector
> usable in frameworks without (if this is possible) modifications.
>
> About speed of directory search - we know this issue. md5 hash will be
> replaced by some encryption, so hash can be decrypted and there will
> be no need to search for directory.
>
> If you want to keep track of elfinder source update use 
> feedhttp://elrte.ru/redmine/projects/elfinder/repository/revisions.atom
>
> On Jun 30, 10:18 pm, Phyo Arkar  wrote:
>
> > Hello Torex
>
> > Welcome to Web2py Group!
> > Thats very good to have you here!
> > I am trying to make elfinder work for web2py , please feel free to reuse my
> > work in your release.
>
> > Here is the Connector initiation:
>
> >http://code.google.com/p/elfinder-web2py/source/browse/filemanager/co...
>
> > Check inside function elcon .
>
> > and here is elFinder Backend Class
>
> >http://code.google.com/p/elfinder-web2py/source/browse/filemanager/mo...
>
> > Currently it is working partially (at least for me)
>
> > Please review and test , we can work together on this.
>
> > On Wed, Jun 30, 2010 at 11:59 AM, Troex Nevelin 
> > wrote:
>
> > > Hello, I'm author of elFinder.py
>
> > > In about a month we plan to release new version of elFinder, mostly
> > > bugfixes but I also plan to rewrite python version to be more library
> > > like.
>
> > > I know there are problems integrating elfinder with different
> > > frameworks on python, current version was written for use under pure
> > > CGI. This is my first major experience with python and so I have many
> > > questions about the "right way" how to write connector so it can be
> > > easy to integrate and write plugins.
>
> > > The biggest question to me is how to implement handling POST and GET
> > > data, I've seen many different ways how it is done in different
> > > frameworks. Currently this is done using:
> > > import cgi
> > > self._form = cgi.FieldStorage()
> > > Maybe I should put this outside elFinder.py and only pass parameters
> > > to connector?
>
> > > Feedback is welcome.
>
> > > On Jun 24, 5:47 am, Phyo Arkar  wrote:
> > > > Finally after 2 days of hacking elfinder backend for Django fromhttp://
> > >www.elrte.ru/redmine/issues/128<
> > >http://www.google.com/url?sa=D&q=http://www.elrte.ru/redmine/issues/1...>
> > > > , i have managed to get elFinder working (about 90% of features)
>
> > > > Attached is elFinder-web2py , still alot of improvement needed.
>
> > > > -Downloading files is not working yet but should be easy to fix.
> > > > -Help me make it more integrated into web2py
> > > > -Their method of directory scanning is so slow, going to replace with
> > > > os.walk.
>
> > > > Please note that this is not for Production use.
>
> > > > I started a project , download and test there.
>
> > > > Note URL (Both in View and web2py_elcon) need to be changed to your
> > > host:port
> > > > (i did with port 8080)
>
> > > >http://code.google.com/p/elfinder-web2py/downloads/list


[web2py] Re: Caching downloads

2010-06-30 Thread Chris S
Got it.  That was driving me nuts.

By default the static folder is handled by App.yaml on GAE.  But no
expiration date was set in the default file provided with web2py.
Adding an expiration date causes static files to start properly
caching again.  I also tested removing the "static" section of
app.yaml and that allows web2py to handle the files if you prefer.

I've e-mailed this to Mdipierro, but here's what it looks like for
anyone that wants to enable the caching on their current GAE
applications.

This is from the thread on the message group "Caching downloads"

Apparently on GAE if an expiration date is not set, it defaults Cache-
Control: no-cache.
I wasn't sure how you prefer an update like this be submitted so
here's a patch file from Mercurial in text form below.  All I did was set
a default expiration (90days) for the static folder.

Now on the 2nd load of a page all static files are recognized and load
times are significantly faster.
You really just need to add an expiration time, here I've chosen 90
days.
--Patch---
diff -r a7af8604b5e4 app.yaml
--- a/app.yamlTue Jun 29 17:13:00 2010 -0500
+++ b/app.yamlWed Jun 30 23:22:58 2010 -0500
@@ -9,6 +9,7 @@
   static_files: applications/\1/static/\2
   upload: applications/(.+?)/static/(.+)
   secure: optional
+  expiration: "90d"

 - url: /admin-gae/.*
   script: $PYTHON_LIB/google/appengine/ext/admin
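
Review bot: the `expiration: "90d"` added to the static handler is long for URLs of the form applications/<app>/static/<file> that carry no version or hash in the path; once a browser or intermediate cache holds a copy, a redeploy that changes a script, stylesheet or document under static/ will not reach that client for up to 90 days. mdipierro's reply further down this thread favours caching only "as long as the expire time is small". Suggest a shorter value (a day or less) unless static filenames change with their content, plus a comment in app.yaml recording why the value was chosen. Note also that with this handler GAE itself emits the Cache-Control and Expires headers, so the IE-over-SSL behaviour discussed below should be retested against the GAE-served path and not only against files streamed by gluon/main.py.
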
-/Patch---

On Jun 30, 3:56 pm, mdipierro  wrote:
> If I understand you talk about normal static files.  That is done in
> gluon/main.py
>
>             static_file = parse_url(request, environ)
>             if static_file:
>                 if request.env.get('query_string', '')[:10] ==
> 'attachment':
>                     response.headers['Content-Disposition'] =
> 'attachment'
>                 response.stream(static_file, request=request)
>
> On 30 Giu, 15:42, Chris S  wrote:
>
> > I'll take a look and see what I can do.
>
> > Can you point me to where this is happening?  I see a streamer.py but
> > nowhere does it set Cache-Control = no-cache.
> > Where is that decision being made?
> > I'm assuming in the same gluon module I'll find the logic behind the
> > auto-stream of /static/filename?
>
> > On Jun 30, 3:35 pm, mdipierro  wrote:
>
> > > I may have sent the wrong link. There are two issues:
>
> > > 1) we tried to set a cache for static files in the past and we run
> > > into problems with ssl and ie. This was discussed at length in an old
> > > thread but I cannot find it now.
> > > 2) It is unclear whether serving static content should cache. In a
> > > production environment with apache yes.  I am in favor of caching as
> > > long as the expire time is small since we do not have a mechanism for
> > > setting it.
>
> > > If you send me a patch and we try on different browsers with and
> > > without ssl, than we can include it.
>
> > > On 30 Giu, 15:25, Chris S  wrote:
>
> > > > I'm not sure I understand the comment.  Following the link it says
> > > > that Microsoft file formats can not be opened if the cache-control is
> > > > set to no-cache.
>
> > > > What I'm seeing is cache-control is *always* set to no-cache when I
> > > > expected it to allow caching of files in /static.
> > > > It seems that with the above support issue IE would be unable to open
> > > > any Microsoft document served by Web2py because the cache-control is
> > > > always being set to no-cache.
>
> > > > Shouldn't files in static always be served with cache enabled?
>
> > > > On Jun 30, 3:01 pm, mdipierro  wrote:
>
> > > > > Unfortunately setting cache-control breaks IE with SSL
>
> > > > >http://support.microsoft.com/kb/316431
>
> > > > > On 30 Giu, 13:57, Chris S  wrote:
>
> > > > > > I've had this bookmarked and have been looking over it recently.  I
> > > > > > added a c_download (cached download) function as described above to
> > > > > > allow local caching of files.  The above code did not get me there
> > > > > > though I ended up using:
>
> > > > > > > import os, time
> > > > > > >
> > > > > > > def c_download():
> > > > > > >     controller = request.vars.c
> > > > > > >     file = request.vars.f
> > > > > > >     response.headers['Cache-Control'] = 'private'
> > > > > > >     del response.headers['Content-Type']
> > > > > > >     del response.headers['Pragma']
> > > > > > >     del response.headers['Expires']
> > > > > > >     static_dir = os.path.abspath(os.path.join(request.folder, 'static'))
> > > > > > >     filename = os.path.abspath(os.path.join(static_dir, controller, file))
> > > > > > >     # c and f are request-controlled: refuse paths that resolve outside static/
> > > > > > >     if not filename.startswith(static_dir + os.sep):
> > > > > > >         raise HTTP(404)
> > > > > > >     # HTTP dates are in GMT, so format from gmtime rather than localtime
> > > > > > >     response.headers['Last-Modified'] = time.strftime(
> > > > > > >         "%a, %d %b %Y %H:%M:%S GMT", time.gmtime(os.path.getmtime(filename)))
> > > > > > >     return response.stream(open(filename, 'rb'))
>
> > > > > > The key difference being I found I had to set the 'Cache-Control'
> > > > > > header, just deleting it didn't do the trick.
> > > > > > What I'm not clear on is why this is necessary.  From the book:
>
> > > > > > When static files are downloaded, web2py  does not create a session,
> > > > > > nor does it issue a cookie or execute the models. web2py alway

[web2py] Re: Caching downloads

2010-06-30 Thread Chris S
Got it.  That was driving me nuts.

By default the static folder is handled by App.yaml on GAE.  But no
expiration date was set in the default file provided with web2py.
Adding an expiration date causes static files to start properly
caching again.  I also tested removing the "static" section of
app.yaml and that allows web2py to handle the files if you prefer.

I've e-mailed this to Mdipierro, but here's what it looks like for
anyone that wants to enable the caching on their current GAE
applications.

You really just need to add an expiration time, here I've chosen 90
days.
--Patch---
diff -r a7af8604b5e4 app.yaml
--- a/app.yamlTue Jun 29 17:13:00 2010 -0500
+++ b/app.yamlWed Jun 30 23:22:58 2010 -0500
@@ -9,6 +9,7 @@
   static_files: applications/\1/static/\2
   upload: applications/(.+?)/static/(.+)
   secure: optional
+  expiration: "90d"

 - url: /admin-gae/.*
   script: $PYTHON_LIB/google/appengine/ext/admin
-/Patch---

On Jun 30, 3:56 pm, mdipierro  wrote:
> If I understand you talk about normal static files.  That is done in
> gluon/main.py
>
>             static_file = parse_url(request, environ)
>             if static_file:
>                 if request.env.get('query_string', '')[:10] ==
> 'attachment':
>                     response.headers['Content-Disposition'] =
> 'attachment'
>                 response.stream(static_file, request=request)
>
> On 30 Giu, 15:42, Chris S  wrote:
>
> > I'll take a look and see what I can do.
>
> > Can you point me to where this is happening?  I see a streamer.py but
> > nowhere does it set Cache-Control = no-cache.
> > Where is that decision being made?
> > I'm assuming in the same gluon module I'll find the logic behind the
> > auto-stream of /static/filename?
>
> > On Jun 30, 3:35 pm, mdipierro  wrote:
>
> > > I may have sent the wrong link. There are two issues:
>
> > > 1) we tried to set a cache for static files in the past and we run
> > > into problems with ssl and ie. This was discussed at length in an old
> > > thread but I cannot find it now.
> > > 2) It is unclear whether serving static content should cache. In a
> > > production environment with apache yes.  I am in favor of caching as
> > > long as the expire time is small since we do not have a mechanism for
> > > setting it.
>
> > > If you send me a patch and we try on different browsers with and
> > > without ssl, than we can include it.
>
> > > On 30 Giu, 15:25, Chris S  wrote:
>
> > > > I'm not sure I understand the comment.  Following the link it says
> > > > that Microsoft file formats can not be opened if the cache-control is
> > > > set to no-cache.
>
> > > > What I'm seeing is cache-control is *always* set to no-cache when I
> > > > expected it to allow caching of files in /static.
> > > > It seems that with the above support issue IE would be unable to open
> > > > any Microsoft document served by Web2py because the cache-control is
> > > > always being set to no-cache.
>
> > > > Shouldn't files in static always be served with cache enabled?
>
> > > > On Jun 30, 3:01 pm, mdipierro  wrote:
>
> > > > > Unfortunately setting cache-control breaks IE with SSL
>
> > > > >http://support.microsoft.com/kb/316431
>
> > > > > On 30 Giu, 13:57, Chris S  wrote:
>
> > > > > > I've had this bookmarked and have been looking over it recently.  I
> > > > > > added a c_download (cached download) function as described above to
> > > > > > allow local caching of files.  The above code did not get me there
> > > > > > though I ended up using:
>
> > > > > > > import os, time
> > > > > > >
> > > > > > > def c_download():
> > > > > > >     controller = request.vars.c
> > > > > > >     file = request.vars.f
> > > > > > >     response.headers['Cache-Control'] = 'private'
> > > > > > >     del response.headers['Content-Type']
> > > > > > >     del response.headers['Pragma']
> > > > > > >     del response.headers['Expires']
> > > > > > >     static_dir = os.path.abspath(os.path.join(request.folder, 'static'))
> > > > > > >     filename = os.path.abspath(os.path.join(static_dir, controller, file))
> > > > > > >     # c and f are request-controlled: refuse paths that resolve outside static/
> > > > > > >     if not filename.startswith(static_dir + os.sep):
> > > > > > >         raise HTTP(404)
> > > > > > >     # HTTP dates are in GMT, so format from gmtime rather than localtime
> > > > > > >     response.headers['Last-Modified'] = time.strftime(
> > > > > > >         "%a, %d %b %Y %H:%M:%S GMT", time.gmtime(os.path.getmtime(filename)))
> > > > > > >     return response.stream(open(filename, 'rb'))
>
> > > > > > The key difference being I found I had to set the 'Cache-Control'
> > > > > > header, just deleting it didn't do the trick.
> > > > > > What I'm not clear on is why this is necessary.  From the book:
>
> > > > > > When static files are downloaded, web2py  does not create a session,
> > > > > > nor does it issue a cookie or execute the models. web2py always
> > > > > > streams static files in chunks of 1MB, and sends PARTIAL CONTENT 
> > > > > > when
> > > > > > the client sends a RANGE request for a subset of the file. web2py
> > > > > > also supports the IF_MODIFIED_SINCE protocol, and does not send the
> > > > > > file if it is already stored in the browser's cache and if the file
> > > > > > has not changed since that version.
>
> > > > > > Link:http://web2py.com/book/default/section/4/2?sea
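
The headers this thread is negotiating (a Last-Modified the browser can revalidate against, a Cache-Control and Expires that allow caching, and no Pragma/Cache-Control: no-cache, which is what the IE-over-SSL article linked above objects to), as an added stand-alone example that is not web2py's streamer or gluon/main.py. It is framework-neutral: `static_response()` only decides the status and headers and hands back the path to stream, and it refuses request-supplied paths that resolve outside the static root. `demo()` builds a constructed one-file static tree in a temporary directory; the 90-day default mirrors the app.yaml patch above and is an assumption, not a recommendation.

```python
import email.utils
import os
import tempfile
import time

# Mirrors the "90d" in the app.yaml patch above; pass whatever max_age the deployment wants.
DEFAULT_MAX_AGE = 90 * 24 * 3600


def http_date(timestamp):
    """RFC 1123 date in GMT, the form Last-Modified and Expires require."""
    return email.utils.formatdate(timestamp, usegmt=True)


def parse_http_date(value):
    """Inverse of http_date; returns a UTC timestamp, or None for missing or unparseable input."""
    parsed = email.utils.parsedate_tz(value) if value else None
    return email.utils.mktime_tz(parsed) if parsed else None


def resolve_static(static_root, relative_path):
    """Map a request-supplied relative path onto static_root, refusing anything that escapes it."""
    root = os.path.realpath(static_root)
    full = os.path.realpath(os.path.join(root, relative_path))
    if not full.startswith(root + os.sep):
        return None
    return full


def static_response(static_root, relative_path, if_modified_since=None,
                    max_age=DEFAULT_MAX_AGE, private=True):
    """Decide how to answer a request for a static file.

    Returns (status, headers, path): 404 if the file is missing or outside the root,
    304 with no body if the client's copy is still current, otherwise 200 and the
    path to stream. Caching is allowed via Cache-Control max-age and Expires;
    Pragma and Cache-Control: no-cache are deliberately never emitted.
    """
    path = resolve_static(static_root, relative_path)
    if path is None or not os.path.isfile(path):
        return 404, {}, None
    mtime = int(os.path.getmtime(path))
    headers = {
        'Last-Modified': http_date(mtime),
        'Cache-Control': '%s, max-age=%d' % ('private' if private else 'public', max_age),
        'Expires': http_date(time.time() + max_age),
    }
    since = parse_http_date(if_modified_since)
    if since is not None and mtime <= since:
        return 304, headers, None          # IF_MODIFIED_SINCE: client copy is current
    return 200, headers, path


def demo():
    """Constructed sample: one document in a temporary static/ tree, requested four ways."""
    root = tempfile.mkdtemp()
    static_dir = os.path.join(root, 'static')
    os.makedirs(os.path.join(static_dir, 'docs'))
    with open(os.path.join(static_dir, 'docs', 'report.doc'), 'wb') as fh:
        fh.write(b'constructed sample document')
    first = static_response(static_dir, 'docs/report.doc')
    cached = static_response(static_dir, 'docs/report.doc',
                             if_modified_since=first[1]['Last-Modified'])
    stale = static_response(static_dir, 'docs/report.doc',
                            if_modified_since='Thu, 01 Jan 1970 00:00:00 GMT')
    escape = static_response(static_dir, '../../etc/passwd')
    return {
        'first': first[0], 'cached': cached[0], 'stale': stale[0], 'escape': escape[0],
        'cache_control': first[1]['Cache-Control'],
        'streams_file': first[2] is not None and cached[2] is None,
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-14s %r' % (name, value))
```

The first request gets 200 with the file; repeating it with the returned Last-Modified as If-Modified-Since gets 304 and no body; an older date gets the file again; and a path that climbs out of static/ gets 404 before any file is touched.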

[web2py] Re: web2py security - keep it up!

2010-06-30 Thread GoldenTiger
I'm still thinking about it. A small question came up for me regarding
the cooperation of applications (page 126 of the book).
The applications can share tables, sessions, files, import modules
from other applications, call other's applications actions with
exec_environment ...

Is there a way to prevent my application to share this information?
If a poorly designed application is vulnerable, can other
applications protect against this?

It is not very clear to me whether a web2py installation is designed to be
programmed by a single development team, or whether more than one
webmaster at the same time is possible.
Let's say we have a system with multiple applications such as wikis T3-
like, where each wiki has its own administrator.
Is web2py not intended for that?


On 1 jul, 02:15, GoldenTiger  wrote:
> > I disagree but probably I did not explain this very well. web2py has
> > two things it calls session. One is the general session managed via
> > cookie session_id. One is the authentication session stored into the
> > general session file. When a user logs out the authentication session
> > information into the general session is deleted. If an attacker were
> > to intercept the cookie session_id and try to use it to gain access to
> > the system, it would not work. The session_id is used for the general
> > session and it does not expire because when the user logs in again, if
> > the user had a state stored in the session file, you want that state
> > to be retrieved.
>
> Well, this is my point of view:
> I don't know if I'm wrong. If I understood it well, this concept
> could be classified as a design concept, do you agree?
> design flaws are the most complex aspect of security
> personally I am doubtful about the explanation above, maybe I don't
> understand very well
> anyway it's the game of "I can't find any flaw at this moment, but you
> can't demonstrate it hasn't"
> Vulns like SQL injection could be enumerated and tested by a computer
> in a lot of possibilities, but design flaws couldn't, since they lie in
> human logic
> History is full of stories about design flaws. The following is a
> representative case.http://www.seattlepi.com/local/373426_insecure04.html
>
> Sorry, I am very paranoid ^^
>
> On 30 jun, 22:06, mdipierro  wrote:
>
> > this is how I make my hmac_key
>
> > >>> import uuid
> > >>> print 'sha512:'+str(uuid.uuid4())
>
> > web2py has a function in gluon/admin.py, app_create('name',request)
> > that clones welcome and replaces hmac_key='<>' with a random key
> > generated as above.
>
> > From a web2py shell you can also do
>
> > >>> from gluon.admin import app_create
> > >>> app_create('mynewapp',request)
>
> > I would not know how to make this transparent. If you have any idea
> > please let me know. I agree that this is undocumented.
>
> > On 30 Giu, 15:01, Yarko Tymciurak  wrote:
>
> > > On Jun 30, 2:44 pm, Craig Younkins  wrote:
>
> > > > If you'd like this moved to the developers list, just approve my 
> > > > application
> > > > and reply there.
>
> > > > > When I say that MD5 is the default that applies only to the case that
> > > > > a hmac_key is not specified. This is 1) for backward compatibility; 2)
> > > > > because without a key/salt sha512 and md5 are vulnerable to the same
> > > > > dictionary attacks.
>
> > > > Hmm Well, I'm looking at the CRYPT class and it appears that in 
> > > > order to
> > > > use HMAC the *caller* needs to pass in the key parameter. Grepping the
> > > > source tree I've found a few places where the caller does not supply the
> > > > key:
>
> > > > applications/admin/models/access.py:55
> > > > applications/admin/controllers/default.py:78
> > > > gluon/main.py:480
> > > > gluon/main.py:495
> > > > gluon/validators.py:2344
>
> > > > I am of course unfamiliar with the internals of the project, but it 
> > > > would
> > > > appear to me that admin passwords are never HMAC'd. Can you confirm?
>
> > > ... interesting discussion   Let me FIRST point out some things
> > > Craig mentions which should not fall by the wayside:
>
> > > 1. -- There is no documented way to generate {an appropriate}
> > > hmac_key:
> > >   ==>  This is true;   One major way to alleviate this would be to
> > > have an admin function that could be called manually (take your pick:
> > > to do the replacement, as gluon/admin.py:app_create()  does, which
> > > would need a search/replace --- or better, just give a popup with a
> > > newly formed key an admin could readily copy/paste.
>
> > >   ==>  This is also inconsistently applied --- for example, if you
> > > pack "welcome"  app, and then (as you might with apps from other
> > > sites, such as web2py.com, or other users)  install it as a newly
> > > (re)named application,      persists.    At the
> > > surface, the same thing app_create() is doing could be done in
> > > app_install(), but this too would be prone to inconsistencies (i.e.
> > > the user you get an app from to test for them will have already
> > > installed thei
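
The keyed-versus-unkeyed distinction Massimo and Craig are discussing above, as an added stand-alone example; it is not web2py's CRYPT class or any other code from the project. It generates a key in the `'sha512:<uuid4>'` shape shown in the thread, stores a password as a bare md5 or sha512 digest and as an HMAC under that key, and runs the same dictionary against both. The wordlist and `FIXED_KEY` are constructed for the demonstration; a real key comes from `make_hmac_key()` once per application.

```python
import hashlib
import hmac
import uuid

# Constructed for the example: a tiny attacker wordlist and one fixed hmac_key in
# the 'algorithm:secret' shape the thread shows.
WORDLIST = ['password', 'letmein', 'web2py', 'qwerty']
FIXED_KEY = 'sha512:0f3b7a8e-4c0d-4d5c-9b1e-2a9a3c6f1d42'


def make_hmac_key():
    """Generate a key the way the thread describes: 'sha512:' + a random uuid4."""
    return 'sha512:' + str(uuid.uuid4())


def unkeyed_digest(password, algorithm='md5'):
    """A bare digest: the same password always maps to the same stored value."""
    return hashlib.new(algorithm, password.encode('utf-8')).hexdigest()


def keyed_digest(password, hmac_key):
    """HMAC of the password under the secret half of 'algorithm:secret'."""
    algorithm, secret = hmac_key.split(':', 1)
    return hmac.new(secret.encode('utf-8'), password.encode('utf-8'), algorithm).hexdigest()


def verify_keyed(password, hmac_key, stored):
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(keyed_digest(password, hmac_key), stored)


def dictionary_attack(stored, wordlist, algorithm='md5'):
    """Recover an unkeyed digest by trying each word; returns the password or None."""
    for candidate in wordlist:
        if unkeyed_digest(candidate, algorithm) == stored:
            return candidate
    return None


def dictionary_attack_keyed(stored, wordlist, guessed_key):
    """The same attack against a keyed digest: succeeds only if guessed_key is the real key."""
    for candidate in wordlist:
        if hmac.compare_digest(keyed_digest(candidate, guessed_key), stored):
            return candidate
    return None


def demo(password='letmein'):
    """Store one password four ways and report what the wordlist recovers from each."""
    plain_md5 = unkeyed_digest(password, 'md5')
    plain_sha512 = unkeyed_digest(password, 'sha512')
    keyed = keyed_digest(password, FIXED_KEY)
    return {
        'md5_recovered': dictionary_attack(plain_md5, WORDLIST, 'md5'),
        'sha512_recovered': dictionary_attack(plain_sha512, WORDLIST, 'sha512'),
        'keyed_without_key': dictionary_attack_keyed(keyed, WORDLIST, make_hmac_key()),
        'keyed_with_key': dictionary_attack_keyed(keyed, WORDLIST, FIXED_KEY),
        'verify_ok': verify_keyed(password, FIXED_KEY, keyed),
        'verify_wrong': verify_keyed('password', FIXED_KEY, keyed),
    }


if __name__ == '__main__':
    for name, value in demo().items():
        print('%-18s %r' % (name, value))
```

Both unkeyed digests fall to the four-word list immediately, sha512 no slower than md5, which is the point made above that the algorithm does not matter without a key or salt. The keyed digest resists the list only while the key is unknown: `keyed_with_key` shows that an attacker holding both the table and the hmac_key is back to the dictionary case, so the key must be generated per installation and kept out of packed applications and source control.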

[web2py] Re: Accessing auth_user table

2010-06-30 Thread elfuego1
OK. Now I can see an error:
POST http://127.0.0.1:8000/myapplication/default/ajaxuserexist  500
INTERNAL SERVER ERROR

There is also information about an issued ticket but I can't open it in
the web browser, so I paste it below:


(dp1
S'output'
p2
S''
sS'layer'
p3
S'F:\\Programy\\web2py\\applications\\myapplication/controllers/
default.py'
p4
sS'code'
p5
S'# -*- coding: utf-8 -*-\n
\n#
\n## This is a samples controller\n## - index is the default action of
any application\n## - user is required for authentication and
authorization\n## - download is for downloading files uploaded in the
db (does streaming)\n## - call exposes all registered services (none
by default)
\n#
\n\ndef index():\n"""\nexample action using the
internationalization operator T and flash\nrendered by views/
default/index.html or views/generic.html\n"""\nresponse.flash
= T(\'Welcome to web2py\')\nreturn dict(message=T(\'Hello World\'))
\n\n\ndef user():\n"""\nexposes:\n
http:///[app]/default/user/login\n
http:///[app]/default/user/logout\n
http:///[app]/default/user/register\n
http:///[app]/default/user/profile\n
http:///[app]/default/user/retrieve_password\n
http:///[app]/default/user/change_password\nuse
@auth.requires_login()\n@auth.requires_membership(\'group name
\')\n@auth.requires_permission(\'read\',\'table name
\',record_id)\nto decorate functions that need access control\n
"""\nreturn dict(form=auth())\n\n\ndef download():\n"""\n
allows downloading of uploaded files\n
http:///[app]/default/download/[filename]\n
"""\nreturn response.download(request,db)\n\n\ndef call():\n
"""\nexposes services. for example:\n
http:///[app]/default/call/jsonrpc\n
decorate with @services.jsonrpc the functions to expose\nsupports
xml, json, xmlrpc, jsonrpc, amfrpc, rss, csv\n"""\n
session.forget()\nreturn service()\n\n\n\ndef page2():\nname =
request.vars.login\n#db.auth_user.insert(name=name)\nreturn
dict(name=name)\n\ndef ajaxuserexist():\n  username =
request.vars.values()[0]\n  return
db(db.auth_user.login==username).count() and \'yes\' or \'no\'\n\n
\nresponse._vars=response._caller(ajaxuserexist)\n'
p6
sS'traceback'
p7
S'Traceback (most recent call last):\n  File "gluon/restricted.py",
line 178, in restricted\n  File "F:\\Programy\\web2py\\applications\
\myapplication/controllers/default.py", line 67, in \n  File
"gluon/globals.py", line 96, in \n  File "F:\\Programy\\web2py\
\applications\\myapplication/controllers/default.py", line 64, in
ajaxuserexist\n  File "gluon/sql.py", line 1329, in __getattr__
\nKeyError: \'auth_user\'\n'
p8
s.


On 30 Cze, 22:59, mdipierro  wrote:
> I'd like to know if the console reports any error when the ajax
> request is executed.
>
> On 30 Giu, 15:31, elfuego1  wrote:
>
> > I have firebug installed. What do you want me to look for?
> > You want to see some firebug output?
>
> > On 30 Cze, 22:25, mdipierro  wrote:
>
> > > I do not see anything wrong in this. Do you use firebug?
>
> > > On 30 Giu, 15:18, elfuego1  wrote:
>
> > > > I hope I don't make your eyes bleed by putting all the code here but
> > > > there is no other way to show it to you.
> > > > I made change only in one place of the code to gather "login" value:
> > > > {login:value}
> > > > Originally it was: {name:value}.
>
> > > >  $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",
> > > > {login:value},function(result){
>
> > > > Below is the whole content of index.html
>
> > > > {{extend 'layout.html'}}
>
> > > >  > > >     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> > > > 
> > > > 
> > > >     
> > > >     Ajax User Validation with web2py by Martin Sagastume > > > title>
> > > >     
> > > >     
> > > >     
> > > >      > > > src="{{=URL(r=request,c='static',f='jquery.js')}}">
> > > >     
>
> > > >     var submit = false;
> > > >     $(document).ready(function(){
> > > >         $("form").submit(function() {
> > > >             return submit;
> > > >         });
> > > >     });
>
> > > >     function getData(value){
> > > >         if(value != ""){
> > > >             $
> > > > ("#resultbox").removeClass().addClass('msg').text('Validating...').fadeIn(10);
> > > >             $.post("{{=URL(r=request,c='default',f='ajaxuserexist')}}",

[web2py] Re: web2py freezing

2010-06-30 Thread mdipierro
Can you check memory usage when it freezes? Is there anything in the
db log about too many connections?

On 30 Giu, 16:06, Candid  wrote:
> I am using web2py in my organization for internal applications. One of
> the applications uses dedicated instance of web2py (v1.78.1) running
> on dedicated ubuntu server. It connects to our SQL Server 2005
> database via freetds. It runs with the following parameters:
>
> python web2py.py -i ... -p ... -a ... -n 100 -q 100
>
> The application uses connection pool with 50 connections.
>
> Recently it has started freezing occasionally. The weird thing is that
> the whole web2py server freezes and basically stops responding, so not
> only you cannot access the app, you cannot even open the admin
> console. Sometimes it starts working again after a few minutes,
> sometimes I have to restart web2py.
> I suspect it has something to do with either web server threads not
> getting released or databases connections not getting returned to the
> pool (the latter would not explain why I cannot access admin console
> though).
>
> Has anyone had similar issues? Any suggestions on how to troubleshoot
> the problem? Any input would be highly appreciated.


[web2py] Re: Advanced applications in gae

2010-06-30 Thread mdipierro
I think,

 Field(gae.ReferenceProperty(auth_user,...)

should be

 
Field(gae.ReferenceProperty(db.auth_user._tableobj,)



On 30 Giu, 16:15, Carles Gonzalez  wrote:
> Sorry, but I've encountered another error.
>
> The relevant part of my code is following:
>
> if request.env.web2py_runtime_gae:            # if running on Google App 
> Engine
>     from gluon.contrib.login_methods.gae_google_account import 
> GaeGoogleAccount
>     auth.settings.login_form = GaeGoogleAccount()
>     from gluon.contrib.gql import gae
>
> auth.define_tables()                           # creates all needed tables
>
> db.define_table('todos', Field('name','string'),
>                          Field(gae.ReferenceProperty(auth_user, required=True,
>                               collection_name='todos'))
>                 )
>
> And the traceback is this:
>
> Traceback (most recent call last):
>   File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
>     exec ccode in environment
>   File "/Users/lauer/web2py/applications/web2pytodo/models/db.py",
> line 76, in 
>     Field(gae.ReferenceProperty(auth_user, required=True,
> NameError: name 'auth_user' is not defined
>
> Maybe the entity class is not defined at the time of the reference? I
> created a user, but still isn't working.
>
> When this mini-project is finished I plan to release the source. I
> think that a working example of this technique would be interesting
> for reference.
>
> On Wed, Jun 30, 2010 at 10:56 PM, Carles Gonzalez  wrote:
> > Now is working. Thanks, let's continue testing...
>
> > On Wed, Jun 30, 2010 at 10:39 PM, mdipierro  wrote:
> >> You are right... fixing it in trunk..1..2..3..done. Please check it.
>
> >> Massimo
>
> >> On 30 Giu, 15:25, Carles Gonzalez  wrote:
> >>> Hi, i was trying this technique but i'm getting this traceback when
> >>> using gae_google_account:
>
> >>> Traceback (most recent call last):
> >>>   File "/Users/lauer/web2py/gluon/restricted.py", line 178, in restricted
> >>>     exec ccode in environment
> >>>   File 
> >>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
> >>> line 56, in 
> >>>   File "/Users/lauer/web2py/gluon/globals.py", line 96, in 
> >>>     self._caller = lambda f: f()
> >>>   File 
> >>> "/Users/lauer/web2py/applications/web2pytodo/controllers/default.py:user",
> >>> line 35, in user
> >>>   File "/Users/lauer/web2py/gluon/tools.py", line 966, in __call__
> >>>     return self.login()
> >>>   File "/Users/lauer/web2py/gluon/tools.py", line 1419, in login
> >>>     self.log_event(log % self.user)
> >>>   File "/Users/lauer/web2py/gluon/tools.py", line 1180, in log_event
> >>>     origin=origin, user_id=user_id)
> >>>   File "/Users/lauer/web2py/gluon/contrib/gql.py", line 281, in insert
> >>>     self._last_reference = tmp
> >>>   File "/Users/lauer/web2py/gluon/sql.py", line 1611, in __setattr__
> >>>     raise SyntaxError, 'Object exists and cannot be redefined: %s' % key
> >>> SyntaxError: Object exists and cannot be redefined: _last_reference
>
> >>> On Mon, Jun 28, 2010 at 7:04 AM, dlypka  wrote:
> >>> > OK I downloaded the trunk and tested this mod.
>
> >>> >  myParent = db.ParentTable.insert(name='Bill')
> >>> >  myParentNativeRef = myParent._table._last_reference
>
> >>> >     works
>
> >>> > Thanks again.
>
> >>> > On Jun 27, 3:28 pm, mdipierro  wrote:
> >>> >> > Maybe just add a new property dynamically to the row
> >>> >> > We could call it 'nativeRef'
>
> >>> >> > Would it be something like:
> >>> >> >     self.nativeRef = tmp     # Python can add new properties 
> >>> >> > 'on-the-fly', right?
>
> >>> >> > as the new 2nd last statement of insert()?
>
> >>> >> If that is useful we can do it. I just did it in trunk so you can test
> >>> >> it but I called self._last_reference to avoid possible naming
> >>> >> conflicts.
>
> >>> >> Massimo
>
> >>> Any thoughts?


[web2py] Re: simplejson -- wasn't this resolved?

2010-06-30 Thread mdipierro
Is this supported in 2.4?

On 30 Giu, 18:12, zahariash  wrote:
> Hello.
>
> Problem with simplejson is that it's originally trying to load c
> module (_speedups.so), but web2py version of simplejson is python
> only.
> So when decoder.py, encoder.py and scanner.py trying to load c modules
> find it in global namespace...:
> try:
>     from simplejson._speedups import encode_basestring_ascii as
> c_encode_basestring_ascii
> except ImportError:
>     c_encode_basestring_ascii = None
>
> Workaround is switching to relative imports (tested on python 2.5):
> try:
>     from .. simplejson._speedups import encode_basestring_ascii as
> c_encode_basestring_ascii
> except ImportError:
>     c_encode_basestring_ascii = None
>
> -- Zahariash

