Re: [web2py] Re: web2py SSL + Apache + mod_wsgi issues on Ubuntu 8.08 VM machine

2010-11-23 Thread Kenneth Lundström
I'd say that warning message in your log is not your problem. It should
work even if you get those warnings. At least for me it does.


You are receiving that warning because your certificate is for domain
pypy.domain.com but in your configuration you are talking about an
IP address.


What kind of problems do you have?


Kenneth


I ran into a problem with setting up SSL too which turned out to be
caused by an ssl.conf file that was overriding the web2py.conf
settings. I had similar messages in error.log, but as the [warn]
indicates, they do not seem to be fatal errors. The errors I found
were more like File does not exist.

On Nov 22, 4:38 pm, Hybride  wrote:

Hi everyone,

I have my head wrapped up with trying to set up SSL for web2py. I
used, at first, the initial one-step deployment available for Ubuntu/
debian servers. The SSL was the issue then, so I went through the
entire step-by-step available on the official book. I still can't seem
to get SSL to work. I use an ubuntu 8.08 virtual machine, apache +
mod_wsgi.

This is the results of uname: pypy.domain.com 2.6.24-21-xen #1 SMP
x86_64 GNU/Linux
I have "Listen 80" and "Listen 443" in my ports.conf

And this is my web2py:

   ServerName http://147.126.65.92/
   #WSGIDaemonProcess web2py user=www-data group=www-data \
 #   display-name=%{GROUP}
   WSGIProcessGroup web2py
   WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py

   
 AllowOverride None
 Order Allow,Deny
 Deny from all
 
   Allow from all
 
   

   AliasMatch ^/([^/]+)/static/(.*) \
/home/www-data/web2py/applications/$1/static/$2
   
 Order Allow,Deny
 Allow from all
   

   
   Deny from all
   

   
   Deny from all
   

   CustomLog /private/var/log/apache2/access.log common
   ErrorLog /private/var/log/apache2/error.log



   ServerName http://147.126.65.92/
   SSLEngine on

   SSLCertificateFile /etc/apache2/ssl/server.crt
   SSLCertificateKeyFile /etc/apache2/ssl/server.key

   SSLProtocol -all +TLSv1 +SSLv3
   SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

   WSGIProcessGroup web2py

   WSGIScriptAlias / /home/www-data/web2py/wsgihandler.py

   
 AllowOverride None
 Order Allow,Deny
 Deny from all
 
   Allow from all
 
   

   AliasMatch ^/([^/]+)/static/(.*) \
 /home/www-data/web2py/applications/$1/static/$2

   
 Order Allow,Deny
 Allow from all
   

   CustomLog /private/var/log/apache2/access.log common
   ErrorLog /private/var/log/apache2/error.log

   SSLVerifyClient none
   SSLProxyEngine off

   
   AddType application/x-x509-ca-cert  .crt
   AddType application/x-pkcs7-crl .crl
   



The result of my error.log is:

[Mon Nov 22 18:23:25 2010] [warn] RSA server certificate CommonName
(CN) `pypy.domain.com' does NOT match server name!?

Whether this is the common name or the IP name. Any and all help
appreciated.
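
Kenneth's reading of the [warn] line, worked through as an added example (not code from any post in this thread, and a simplified model rather than mod_ssl's own logic): a certificate issued for a hostname does not cover a vhost whose ServerName is an IP address. The function names and the SAN parameters are assumptions; the thread only shows the CN.

```python
"""Added illustration: why a certificate issued for a hostname does not cover
a vhost addressed by IP. Simplified model, not mod_ssl's own logic."""
import ipaddress
from urllib.parse import urlsplit


def host_from_server_name(value):
    """Return the bare host of a ServerName value, dropping scheme, port and path."""
    value = value.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    return (parts.hostname or "").rstrip(".")


def is_ip_literal(host):
    """True when host parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(pattern, host):
    """Case-insensitive DNS name match; a leading '*.' covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return pattern == host


def check_vhost(server_name, cert_cn, dns_sans=(), ip_sans=()):
    """Return a list of findings; an empty list means the certificate covers the vhost.

    dns_sans / ip_sans stand for the certificate's subjectAltName entries
    (hypothetical inputs; the thread only shows the CN).
    """
    host = host_from_server_name(server_name)
    if not host:
        return ["ServerName %r has no usable host part" % server_name]
    if is_ip_literal(host):
        # A DNS name in the CN never covers an IP address; only an IP SAN does.
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(s) == wanted for s in ip_sans):
            return []
        return ["ServerName is the IP %s but the certificate names %r; "
                "use the hostname as ServerName or add an IP SAN" % (host, cert_cn)]
    names = list(dns_sans) or [cert_cn]  # CN is the fallback when no DNS SAN exists
    if any(name_matches(n, host) for n in names):
        return []
    return ["ServerName %r is not covered by certificate names %r" % (host, names)]


if __name__ == "__main__":
    # Values taken from the post above: the ServerName and the CN from error.log.
    for server_name in ("http://147.126.65.92/", "pypy.domain.com"):
        print(server_name, "->", check_vhost(server_name, "pypy.domain.com") or "OK")
```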




Re: [web2py] Re: web2py 1.89.5 is OUT

2010-11-23 Thread Kenneth Lundström
Not for me, I just tested to create a new application with the wizard, I 
selected the layout and submitted. I can see on the left that the layout 
has been selected. Then I just to be sure clicked submit on the next two 
steps. After that I selected go! in Generate but no layout is applied.


I found the problem, I had no deposit folder in my web2py root folder. I
don't know when it should have been created but I created it now by hand
and now it works.



Kenneth


2010/11/22 Kenneth Lundström :

Can you clarify what does this mean?

When I select a layout when using the wizard to create a new application the
layout is not applied. It shows the application without the layout I have
selected.

This only happened to me if I skipped the very first step. If I
properly submit the first step, the layout is applied.





Re: [web2py] Re: web2py 1.89.5 is OUT

2010-11-23 Thread Branko Vukelic
2010/11/23 Kenneth Lundström :
> I found the problem, I had no deposit folder in my web2py root folder. I
> don't know when it should have been created but I created it now by hand and
> now it works.

Could be, I already had the deposit dir.

-- 
Branko Vukelić

bg.bra...@gmail.com
stu...@brankovukelic.com

Check out my blog: http://www.brankovukelic.com/
Check out my portfolio: http://www.flickr.com/photos/foxbunny/
Registered Linux user #438078 (http://counter.li.org/)
I hang out on identi.ca: http://identi.ca/foxbunny

Gimp Brushmakers Guild
http://bit.ly/gbg-group


Re: [web2py] Re: web2py 1.89.5 is OUT

2010-11-23 Thread Branko Vukelic
On Tue, Nov 23, 2010 at 10:04 AM, Branko Vukelic  wrote:
> Could be, I already had the deposit dir.

Ok, checked now. Removing the deposit dir just before the submit in
the first step successfully replicated the bug.




Re: [web2py] To map view to function's name

2010-11-23 Thread Phyo Arkar
I think I need to rephrase.

I want default function and view to be same name as controller without need
to define @ response.view every time, automatically. Can that be done at
routes.py?

On Tue, Nov 23, 2010 at 7:40 AM, Phyo Arkar wrote:

> Is there a way to map the route of default_controller to same name of
> default_function, programmatically?
>
> Have to define in route.py?
>
> I can't find approute.py, where is it? (yes I removed welcome app lol).
>
> What I want to do is, I want default controller/function/view all the same
> name:
>
> resulting: controller/controller/controller.html
>
> It makes it easy when coding inside aptana/pydev, you don't have to look back
> which function index.html comes from.
>


[web2py] auth_permission in multiple db configuration

2010-11-23 Thread kralin
Hi,
I've got a system with multiple db, some are SQLite, some are
postgresql and one in MSSQL.
is there a way to use auth authorization within tables that do not
belong to the db where auth data is specified?

in the auth_permission table, I'm only required to add a table name,
but what if the table is in another db?
do I have to handle this by myself, or is there a way to do it with
web2py auth?


Re: [web2py] bug in the book or in the code? linkedin instruction

2010-11-23 Thread Kuba Kucharski
> does the following work for you?
>
> 
>
> def onlogin_add_permission():
>  if not auth.has_permission(auth.user_group(form.vars.id), 'create',
> 'my_table'):
>      auth.add_permission(auth.user_group(form.vars.id),'create','my_table')
>
>
> auth.settings.login_onaccept = onlogin_add_permission

very weird thing. looks like onlogin_add_permission() is never
executed. does this work for YOU?


[web2py] Re: To map view to function's name

2010-11-23 Thread villas
Just in case you didn't already see this...

http://groups.google.com/group/web2py/browse_thread/thread/f0ac5c1d34480565/96224e6cf78d615a?lnk=gst&q=routes#96224e6cf78d615a


On Nov 23, 11:46 am, Phyo Arkar  wrote:
> I think I need to rephrase.
>
> I want default function and view to be same name as controller without need
> to define @ response.view every time, automatically. Can that be done at
> routes.py?
>
> On Tue, Nov 23, 2010 at 7:40 AM, Phyo Arkar wrote:
>
> > Is there a way to map the route of default_controller to same name of
> > default_function, programmatically?
>
> > Have to define in route.py?
>
> > I can't find approute.py, where is it? (yes I removed welcome app lol).
>
> > What I want to do is, I want default controller/function/view all the same
> > name:
>
> > resulting: controller/controller/controller.html
>
> > It makes it easy when coding inside aptana/pydev, you don't have to look back
> > which function index.html comes from.
>
>


[web2py] Re: Delay to load images on webfaction

2010-11-23 Thread villas
> I will use PIL to create
> small thumbs (just have to figure out how to process every image on
> /uploads, create the thumb and insert this path do db)

Hi Bruno,

With regards the above, some code here may help you forward a
little...

http://www.web2pyslices.com/main/slices/take_slice/62

Regards,
-D


[web2py] Beginner Auth problem

2010-11-23 Thread appydev
Greetings.

I have a problem, I hope you can help me.

I have two models: Teacher, Student. Each with different attributes.

It occurred to me to implement them, linking tables:

db.define_table('teacher',
    Field('person', length=64,
          requires=IS_IN_DB(db, 'auth_user.uuid')),
    ...

db.define_table('student',
    Field('person', length=64,
          requires=IS_IN_DB(db, 'auth_user.uuid')),
    ...


Maybe this is not the best way to do it; if you think of a better one, I'd like
to hear it.


The problem is that I want to make a registration form for "Teacher". But
Auth generates just the "auth_user" fields.

How do I include in one form the auth_user fields + the teacher fields?


[web2py] Re: auth_permission in multiple db configuration

2010-11-23 Thread mdipierro
You just need to remove the validator:

db.auth_permission.table_name.requires = None


On Nov 23, 6:19 am, kralin  wrote:
> Hi,
> I've got a system with multiple db, some are SQLite, some are
> postgresql and one in MSSQL.
> is there a way to use auth authorization within tables that do not
> belong to the db where auth data is specified?
>
> in the auth_permission table, I'm only required to add a table name,
> but what if the table is in another db?
> do I have to handle this by myself, or is there a way to do it with
> web2py auth?


Re: [web2py] Re: Delay to load images on webfaction

2010-11-23 Thread Bruno Rocha
Thank you Villas

2010/11/23 villas 

> > I will use PIL to create
> > small thumbs (just have to figure out how to process every image on
> > /uploads, create the thumb and insert this path do db)
>
> Hi Bruno,
>
> With regards the above, some code here may help you forward a
> little...
>
> http://www.web2pyslices.com/main/slices/take_slice/62
>
> Regards,
> -D




-- 

Bruno Rocha
http://about.me/rochacbruno/bio


[web2py] where to place sizes (and other properties) ?

2010-11-23 Thread Stef Mientki
hello,

I just downloaded one of the layouts,
and I stumbled about the huge amounts of size / color definitions.
I realize that this is not a typical web2py question,
but with web2py and its layout inheritance the problem becomes even bigger.
I wonder what's the best place to organize size (and other properties) of 
objects.

You can define size directly in pure html, where to place them in generic.html 
/ layout.html /
other.html ?
You can place them in a style tag in html, is that a good choice ?
You can place them in css, which can be heavily nested. What value of nesting 
is acceptable ?

Opening the page in Mozilla with firebug,
reveals that some components have 10 or more nested definitions of sizes / 
colors etc.
(of which a lot are invalid)
 I wonder how anyone can maintain such a complex hierarchy.

Is there a way (other than firebug) to show this hierarchy ?

thanks,
Stef Mientki





[web2py] plugin_wiki.widget:dealing with variables

2010-11-23 Thread shubham
how to use variables inside
plugin_wiki.widget('pie_chart',data='1,2,3',names='a,b,c',width=300,height=150,align='center')
syntax??

i want to replace 1,2,3 inside data attribute with variables..can
anyone suggest a way??


[web2py] [BUG] Inserting custom field types broken

2010-11-23 Thread Ishbir
Hey there,

There seems to be a bug in the latest version of web2py.

Steps:
1. Create a table with a custom field
2. Try inserting the record
3. You'll notice that the custom field evaluates to None
4. Try updating the record, the custom field will show this time.

Workaround:
1. Insert the record first.
2. Update it again with the value of the custom field.

Would love to see this fixed ASAP.


[web2py] Re: where to place sizes (and other properties) ?

2010-11-23 Thread mdipierro
Talking about the default layout.html or one of those from http://.../layouts?
Nobody is maintaining the latter. They were generated automatically
from free templates found online.

On Nov 23, 7:48 am, Stef Mientki  wrote:
> hello,
>
> I just downloaded one of the layouts,
> and I stumbled about the huge amounts of size / color definitions.
> I realize that this is not a typical web2py question,
> but with web2py and its layout inheritance the problem becomes even bigger.
> I wonder what's the best place to organize size (and other properties) of 
> objects.
>
> You can define size directly in pure html, where to place them in 
> generic.html / layout.html /
> other.html ?
> You can place them in a style tag in html, is that a good choice ?
> You can place them in css, which can be heavily nested. What value of nesting 
> is acceptable ?
>
> Opening the page in Mozilla with firebug,
> reveals that some components have 10 or more nested definitions of sizes / 
> colors etc.
> (of which a lot are invalid)
>  I wonder how anyone can maintain such a complex hierarchy.
>
> Is there a way (other than firebug) to show this hierarchy ?
>
> thanks,
> Stef Mientki


[web2py] Re: plugin_wiki.widget:dealing with variables

2010-11-23 Thread mdipierro
You should be able to pass a list.

On Nov 23, 2:29 am, shubham  wrote:
> how to use variables inside
> plugin_wiki.widget('pie_chart',data='1,2,3',names='a,b,c',width=300,height=150,align='center')
> syntax??
>
> i want to replace 1,2,3 inside data attribute with variables..can
> anyone suggest a way??


Re: [web2py] plugin_wiki.widget:dealing with variables

2010-11-23 Thread Bruno Rocha
mydata = '1,2,3' or mydata = [1,2,3]

plugin_wiki.widget('pie_chart',data=mydata,names='a,b,c',width=300,height=150,align='center')


2010/11/23 shubham 

> how to use variables inside
>
> plugin_wiki.widget('pie_chart',data='1,2,3',names='a,b,c',width=300,height=150,align='center')
> syntax??
>
> i want to replace 1,2,3 inside data attribute with variables..can
> anyone suggest a way??






[web2py] Re: ERP projects

2010-11-23 Thread newnomad
It's really great that there are 3 ERP's in the works, I'd love to
switch from tryton to a web2py based system;

http://code.google.com/p/gestionlibre/
https://bitbucket.org/yamandu/yamachine-erp/
and a number 3 which I cannot find...

However will any of those ever work without a relational database, or
doesn't it make any sense at all for an ERP to work without one?
If postgre is an absolute must, what are the recommended PAAS/cloud
options?
- amazon ec2
- Google App Engine for business
http://code.google.com/appengine/business/

An alternate solution may be to use mysql, so that it's still easy to
deploy web2py on a shared lamp host with Python enabled, but without
shell access.


[web2py] Re: ERP projects

2010-11-23 Thread mdipierro
I think a relational database for an ERP is a must and those ERPs all
support them.
At the university we have peoplesoft+oracle and ~30,000 users. Turns
out the ERP is not a high traffic app and it runs on one VPS (with
replication for high availability). I am sure any web2py ERP will be
just fine on a VPS with postgresql.

Massimo


On Nov 23, 8:14 am, newnomad  wrote:
> It's really great that there are 3 ERP's in the works, I'd love to
> switch from tryton to a web2py based system;
>
> http://code.google.com/p/gestionlibre/
> https://bitbucket.org/yamandu/yamachine-erp/
> and a number 3 which I cannot find...
>
> However will any of those ever work without a relational database, or
> doesn't it make any sense at all for an ERP to work without one?
> If postgre is an absolute must, what are the recommended PAAS/cloud
> options?
> - amazon ec2
> - Google App Engine for business
> http://code.google.com/appengine/business/
>
> An alternate solution may be to use mysql, so that it's still easy to
> deploy web2py on a shared lamp host with Python enabled, but without
> shell access.


[web2py] [BUG] Inserting custom field types broken

2010-11-23 Thread Ishbir
Hey there,

There seems to be a bug in web2py which pops up while inserting a
record to a table with a custom field type.

How to reproduce:
- Make a table with a custom field
- Try inserting a record
- The record would come out as None
- Try updating the record with the custom value. It shows this time

Workaround: First insert the record, then update it with the custom
value.

Hope to see this fixed ASAP.


[web2py] Re: Inserting custom field types broken

2010-11-23 Thread mdipierro
Can you post code to reproduce this. It will save some time and we can
fix it sooner.

On Nov 23, 7:53 am, Ishbir  wrote:
> Hey there,
>
> There seems to be a bug in web2py which pops up while inserting a
> record to a table with a custom field type.
>
> How to reproduce:
> - Make a table with a custom field
> - Try inserting a record
> - The record would come out as None
> - Try updating the record with the custom value. It shows this time
>
> Workaround: First insert the record, then update it with the custom
> value.
>
> Hope to see this fixed ASAP.


[web2py] 'this or that' request with a url

2010-11-23 Thread Lorin Rivers
How can I perform an 'OR' request with a url? Or pass a list using a url?

I have 'AND' figured out…
-- 
Lorin Rivers
Mosasaur: Killer Technical Marketing 

512/203.3198 (m)




[web2py] Re: auth_permission in multiple db configuration

2010-11-23 Thread kralin
Thanks Massimo,
this works, but will behave erratically if multiple dbs have two tables
with the same name.
better than nothing...
I think I can resolve this by giving "db1.table1" and "db2.table1"
instead of just the table name.
It looks like a simple string match is performed in the has_permission
method of auth.
let me check...


On 23 Nov, 14:41, mdipierro  wrote:
> You just need to remove the validator:
>
> db.auth_permission.table_name.requires = None
>
> On Nov 23, 6:19 am, kralin  wrote:
>
> > Hi,
> > I've got a system with multiple db, some are SQLite, some are
> > postgresql and one in MSSQL.
> > is there a way to use auth authorization within tables that do not
> > belong to the db where auth data is specified?
>
> > in the auth_permission table, I'm only required to add a table name,
> > but what if the table is in another db?
> > do I have to handle this by myself, or is there a way to do it with
> > web2py auth?


Re: [web2py] where to place sizes (and other properties) ?

2010-11-23 Thread Branko Vukelic
This looks like a CSS question, rather than web2py. Any level of
cascade is acceptable, and the best place can be anywhere depending on
what you want. Personally, I'd move everything into an external CSS
and link from the layout.html (the way you'd usually link it).

I think web2py layouts are not considered supported web2py components,
though (except the one from the default app, that is).

On Tue, Nov 23, 2010 at 2:48 PM, Stef Mientki  wrote:
> hello,
>
> I just downloaded one of the layouts,
> and I stumbled about the huge amounts of size / color definitions.
> I realize that this is not a typical web2py question,
> but with web2py and its layout inheritance the problem becomes even bigger.
> I wonder what's the best place to organize size (and other properties) of 
> objects.
>
> You can define size directly in pure html, where to place them in 
> generic.html / layout.html /
> other.html ?
> You can place them in a style tag in html, is that a good choice ?
> You can place them in css, which can be heavily nested. What value of nesting 
> is acceptable ?
>
> Opening the page in Mozilla with firebug,
> reveals that some components have 10 or more nested definitions of sizes / 
> colors etc.
> (of which a lot are invalid)
>  I wonder how anyone can maintain such a complex hierarchy.
>
> Is there a way (other than firebug) to show this hierarchy ?
>
> thanks,
> Stef Mientki
>
>
>
>





[web2py] Re: auth_permission in multiple db configuration

2010-11-23 Thread mdipierro

On Nov 23, 8:31 am, kralin  wrote:
> Thanks Massimo,
> this works, but will behave erratically if multiple dbs have two tables
> with the same name.
> better than nothing...
> I think I can resolve this by giving "db1.table1" and "db2.table1"
> instead of just the table name.

Yes you can do that:
Unless you use crud.settings.auth=auth (and you probably should not in
your case) there is no real convention on permission names. You set
them, You check them. You call them what you like to avoid conflicts.

> It looks like a simple string match is performed in the has_permission
> method of auth.
> let me check...
>
> On 23 Nov, 14:41, mdipierro  wrote:
>
> > You just need to remove the validator:
>
> > db.auth_permission.table_name.requires = None
>
> > On Nov 23, 6:19 am, kralin  wrote:
>
> > > Hi,
> > > I've got a system with multiple db, some are SQLite, some are
> > > postgresql and one in MSSQL.
> > > is there a way to use auth authorization within tables that do not
> > > belong to the db where auth data is specified?
>
> > > in the auth_permission table, I'm only required to add a table name,
> > > but what if the table is in another db?
> > > do I have to handle this by myself, or is there a way to do it with
> > > web2py auth?
>
>


[web2py] Re: auth_permission in multiple db configuration

2010-11-23 Thread kralin
yes, my db objects are unfortunately too complex to be used with CRUD.
so no prob.
it worked well!
thanks a lot, again ;)
hope this helps someone else...

On 23 Nov, 15:37, mdipierro  wrote:
> On Nov 23, 8:31 am, kralin  wrote:
>
> > Thanks Massimo,
> > this works, but will behave erratically if multiple dbs have two tables
> > with the same name.
> > better than nothing...
> > I think I can resolve this by giving "db1.table1" and "db2.table1"
> > instead of just the table name.
>
> Yes you can do that:
> Unless you use crud.settings.auth=auth (and you probably should not in
> your case) there is no real convention on permission names. You set
> them, You check them. You call them what you like to avoid conflicts.
>
> > It looks like a simple string match is performed in the has_permission
> > method of auth.
> > let me check...
>
> > On 23 Nov, 14:41, mdipierro  wrote:
>
> > > You just need to remove the validator:
>
> > > db.auth_permission.table_name.requires = None
>
> > > On Nov 23, 6:19 am, kralin  wrote:
>
> > > > Hi,
> > > > I've got a system with multiple db, some are SQLite, some are
> > > > postgresql and one in MSSQL.
> > > > is there a way to use auth authorization within tables that do not
> > > > belong to the db where auth data is specified?
>
> > > > in the auth_permission table, I'm only required to add a table name,
> > > > but what if the table is in another db?
> > > > do I have to handle this by myself, or is there a way to do it with
> > > > web2py auth?


Re: [web2py] Re: ERP projects

2010-11-23 Thread Michele Comitini
IMHO the question is not about having a database, the question is that
the ERP must
use only DAL for data management and must run on any supported
database not only relational ones.

mic

2010/11/23 mdipierro :
> I think a relational database for an ERP is a must and those ERPs all
> support them.
> At the university we have peoplesoft+oracle and ~30,000 users. Turns
> out the ERP is not a high traffic app and it runs on one VPS (with
> replication for high availability). I am sure any web2py ERP will be
> just fine on a VPS with postgresql.
>
> Massimo
>
>
> On Nov 23, 8:14 am, newnomad  wrote:
>> It's really great that there are 3 ERP's in the works, I'd love to
>> switch from tryton to a web2py based system;
>>
>> http://code.google.com/p/gestionlibre/
>> https://bitbucket.org/yamandu/yamachine-erp/
>> and a number 3 which I cannot find...
>>
>> However will any of those ever work without a relational database, or
>> doesn't it make any sense at all for an ERP to work without one?
>> If postgre is an absolute must, what are the recommended PAAS/cloud
>> options?
>> - amazon ec2
>> - Google App Engine for business
>> http://code.google.com/appengine/business/
>>
>> An alternate solution may be to use mysql, so that it's still easy to
>> deploy web2py on a shared lamp host with Python enabled, but without
>> shell access.


Re: [web2py] Re: ERP projects

2010-11-23 Thread Richard Vézina
My preference goes to postgresql... I think it does not matter anyway since
web2py can work with many different DBMSs. But if we have to speed up, as
pointed out in a thread last week, we will have to work at the db layer to improve
the schema and then a particular dbms will emerge...

Richard

On Tue, Nov 23, 2010 at 9:14 AM, newnomad  wrote:

> It's really great that there are 3 ERP's in the works, I'd love to
> switch from tryton to a web2py based system;
>
> http://code.google.com/p/gestionlibre/
> https://bitbucket.org/yamandu/yamachine-erp/
> and a number 3 which I cannot find...
>
> However will any of those ever work without a relational database, or
> doesn't it make any sense at all for an ERP to work without one?
> If postgre is an absolute must, what are the recommended PAAS/cloud
> options?
> - amazon ec2
> - Google App Engine for business
> http://code.google.com/appengine/business/
>
> An alternate solution may be to use mysql, so that it's still easy to
> deploy web2py on a shared lamp host with Python enabled, but without
> shell access.


[web2py] Re: ERP projects

2010-11-23 Thread mdipierro
yes it should use dal and work with all supported databases, yet I
would not run an ERP on a system without transactions.

On Nov 23, 9:07 am, Michele Comitini 
wrote:
> IMHO the question is not about having a database, the question is that
> the ERP must
> use only DAL for data management and must run on any supported
> database not only relational ones.
>
> mic
>
> 2010/11/23 mdipierro :
>
> > I think a relational database for an ERP is a must and those ERPs all
> > support them.
> > At the university we have peoplesoft+oracle and ~30,000 users. Turns
> > out the ERP is not a high traffic app and it runs on one VPS (with
> > replication for high availability). I am sure any web2py ERP will be
> > just fine on a VPS with postgresql.
>
> > Massimo
>
> > On Nov 23, 8:14 am, newnomad  wrote:
> >> It's really great that there are 3 ERP's in the works, I'd love to
> >> switch from tryton to a web2py based system;
>
> >>http://code.google.com/p/gestionlibre/https://bitbucket.org/yamandu/y...
> >> and a number 3 which I cannot find...
>
> >> However will any of those ever work without a relational database, or
> >> doesn't it make any sense at all for an ERP to work without one?
> >> If postgre is an absolute must, what are the recommended PAAS/cloud
> >> options?
> >> - amazon ec2
> >> - Google App Engine for business
> >> http://code.google.com/appengine/business/
>
> >> An alternate solution may be to use mysql, so that it's still easy to
> >> deploy web2py on a shared lamp host with Python enabled, but without
> >> shell access.
>
>


Re: [web2py] Re: ERP projects

2010-11-23 Thread Michele Comitini
I agree, it is true that in many little environments, there is only
one person writing and a few reading so sqlite would be
more than enough.


2010/11/23 mdipierro :
> yes it should use dal and work with all supported databases, yet I
> would not run an ERP on a system without transactions.
>
> On Nov 23, 9:07 am, Michele Comitini 
> wrote:
>> IMHO the question is not about having a database, the question is that
>> the ERP must
>> use only DAL for data management and must run on any supported
>> database not only relational ones.
>>
>> mic
>>
>> 2010/11/23 mdipierro :
>>
>> > I think a relational database for an ERP is a must and those ERPs all
>> > support them.
>> > At the university we have peoplesoft+oracle and ~30,000 users. Turns
>> > out the ERP is not a high traffic app and it runs on one VPS (with
>> > replication for high availability). I am sure any web2py ERP will be
>> > just fine on a VPS with postgresql.
>>
>> > Massimo
>>
>> > On Nov 23, 8:14 am, newnomad  wrote:
>> >> It's really great that there are 3 ERP's in the works, I'd love to
>> >> switch from tryton to a web2py based system;
>>
>> >>http://code.google.com/p/gestionlibre/https://bitbucket.org/yamandu/y...
>> >> and a number 3 which I cannot find...
>>
>> >> However will any of those ever work without a relational database, or
>> >> doesn't it make any sense at all for an ERP to work without one?
>> >> If postgre is an absolute must, what are the recommended PAAS/cloud
>> >> options?
>> >> - amazon ec2
>> >> - Google App Engine for business
>> >> http://code.google.com/appengine/business/
>>
>> >> An alternate solution may be to use mysql, so that it's still easy to
>> >> deploy web2py on a shared lamp host with Python enabled, but without
>> >> shell access.
>>
>>


Re: [web2py] Re: ERP projects

2010-11-23 Thread Vinicius Assef
+1

If we just use DAL, we can count on web2py's transaction management to
make the app portable among supported databases.

So, Sqlite may be used in development and testing environments.
If you want to run in a really small business, Sqlite could be acceptable, too.

I know some systems developed in Delphi using Paradox as database
working for years, now.
And they don't imagine what a transaction is. :-(

--
Vinicius Assef.



On Tue, Nov 23, 2010 at 1:20 PM, Michele Comitini
 wrote:
> I agree, it is true that in many little environments, there is only
> one person writing and a few reading so sqlite would be
> more than enough.
>
>
> 2010/11/23 mdipierro :
>> yes it should use dal and work with all supported databases, yet I
>> would not run an ERP on a system without transactions.
>>
>> On Nov 23, 9:07 am, Michele Comitini 
>> wrote:
>>> IMHO the question is not about having a database, the question is that
>>> the ERP must
>>> use only DAL for data management and must run on any supported
>>> database not only relational ones.
>>>
>>> mic
>>>
>>> 2010/11/23 mdipierro :
>>>
>>> > I think a relational database for an ERP is a must and those ERPs all
>>> > support them.
>>> > At the university we have peoplesoft+oracle and ~30,000 users. Turns
>>> > out the ERP is not a high traffic app and it runs on one VPS (with
>>> > replication for high availability). I am sure any web2py ERP will be
>>> > just fine on a VPS with postgresql.
>>>
>>> > Massimo
>>>
>>> > On Nov 23, 8:14 am, newnomad  wrote:
>>> >> It's really great that there are 3 ERP's in the works, I'd love to
>>> >> switch from tryton to a web2py based system;
>>>
>>> >>http://code.google.com/p/gestionlibre/https://bitbucket.org/yamandu/y...
>>> >> and a number 3 which I cannot find...
>>>
>>> >> However will any of those ever work without a relational database, or
>>> >> doesn't it make any sense at all for an ERP to work without one?
>>> >> If postgre is an absolute must, what are the recommended PAAS/cloud
>>> >> options?
>>> >> - amazon ec2
>>> >> - Google App Engine for business
>>> >> http://code.google.com/appengine/business/
>>>
>>> >> An alternate solution may be to use mysql, so that it's still easy to
>>> >> deploy web2py on a shared lamp host with Python enabled, but without
>>> >> shell access.
>>>
>>>
>


Re: [web2py] 'this or that' request with a url

2010-11-23 Thread Jonathan Lundell
On Nov 23, 2010, at 6:28 AM, Lorin Rivers wrote:
> 
> How can I perform an 'OR' request with a url? Or pass a list using a url?
> 
> I have 'AND' figured out…

I'm not quite sure what you're asking here, but I'm guessing that you're 
interpreting the '&' in a query string as 'and'. But it's not; it's just a 
separator, punctuation. What you want the handler to do with the arguments is a 
matter of convention and agreement.

A somewhat limited way to do it would be to put your operator in args:

http://domain.com/app/ctlr/fcn/or?item1&item2&item3
http://domain.com/app/ctlr/fcn/and?item1&item2&item3
http://domain.com/app/ctlr/fcn/list?item1&item2&item3

Re: [web2py] Re: ERP projects

2010-11-23 Thread Bruno Rocha
Our system is called SATLite (Simple Agile Tool - Lite), this is a work in
progress and is being developed by 4 people, we didn't decide yet if we are
going to serve the app (free for use) or opening the source.

This is a really tiny and simple tool for keeping track of agile projects
and its common tasks, our release plan is for 2011/Jan, because interface
design/usability is being our most important matter.

I guess we'll open the source and also offer it as a free service, and even
a non-Lite paid version as a service.

We love to use Rally (http://www.rallydev.com/agile_products/editions/community/),
but our goal is to abstract more the complexity and offer tools/API for integration.

2010/11/22 Rahul 

> Hi Bruno,
>  Nice to know that you've written a scrum mgt system in web2py.
> In my organization we use an inhouse tool to manage AGILE development
> using scrum methods. That is a client server app in .NET. However its
> painfully slow. Is the scrum mgt system you've written open source?
>
> Cheers, Rahul (www.flockbird.com)
>
>
> On Nov 21, 1:00 am, Michele Comitini 
> wrote:
> > Mariano,
> >
> > +1
> >
> > This project can be very important to make web2py look even more
> > appealing to the business world.
> > I would like to help.
> >
> > mic
> >
> > 2010/11/19 Mariano Reingart :
> >
> > > Yes, I agree, development will be done in english, look at this
> > > "facturalibre" branch:
> >
> > >http://code.google.com/p/gestionlibre/source/browse/?r=2ecd5bfdd8378b.
> ..
> >
> > > The "default" branch is a early version migrated from a current
> > > database without translation, just to get something to start with and
> > > to see the whole model, it even doesn't compile.
> >
> > > Anyway, there are terms that doesn't have an exact translation to
> > > english, I'm using whose  have the closest meaning, and help from
> > > anglosaxon accountants (and from other countries too) will be very
> > > useful.
> >
> > > Best regards,
> >
> > > Mariano Reingart
> > >http://www.sistemasagiles.com.ar
> > >http://reingart.blogspot.com
> >
> > > On Fri, Nov 19, 2010 at 12:41 PM, Bruno Rocha 
> wrote:
> > >> Nice! I think I can contribute.
> > >> But, One problem I found in your models, is the tables and fields
> being
> > >> named in Spanish.  As English is an IT Universal Language, I guess
> some
> > >> people will find difficult to maintain, contribute and extend the
> system
> > >> because of Spanish models.
> > >> I started a Scrum Management System, and when the project was almost
> done, I
> > >> figured out that my table names and even function names was in
> Portuguese,
> > >> so I started the translation to English.
> > >> Think about it.
> > >> 2010/11/19 Mariano Reingart 
> >
> > >>> We are making an ERP-like system too:
> > >>>http://code.google.com/p/gestionlibre/source/browse/ABOUT
> >
> > >>> Initial model is almost done, now I'm focused on basic controllers to
> > >>> register invoices, receipts and so on (sales)
> >
> > >>> This ERP is based on a previous system done in VisualBasic (following
> > >>> double-entry bookkeeping accounting standards), with a past
> experience
> > >>> of more than 10 years and around a hundred of clients.
> >
> > >>> We are looking for interested people, and mainly, we need some
> funding
> > >>> to develop this app, although we have the design and prototypes
> > >>> working, the development is a big effort.
> >
> > >>> If anyone else is working in similar projects, maybe we can join or
> > >>> share experiences,
> >
> > >>> Best regards
> >
> > >>> Mariano Reingart
> > >>>http://www.sistemasagiles.com.ar
> > >>>http://reingart.blogspot.com
> >
> > >>> On Fri, Nov 19, 2010 at 2:27 AM, mdipierro 
> > >>> wrote:
> > >>> > am I?
> >
> > >>> > I want to know more about the ERP? Looks like we are going to have 3
> > >>> > ERPs!
> >
> > >>> > On Nov 18, 9:53 pm, yamandu  wrote:
> > >>> >> Massimo, you are funny (Yes, you!).
> >
> > >>> >> Should I list the ERP I have started as project?
> >
> > >> --
> >
> > >> Bruno Rocha
> > >>http://about.me/rochacbruno/bio
> >
> >
>



-- 

Bruno Rocha
http://about.me/rochacbruno/bio


Re: [web2py] Re: list:string thoughts

2010-11-23 Thread Bruno Rocha
Hi, I am taking advantage of this thread to solve a doubt about
list:string.
How can I get the values from a list:string field rendered as a Python 'list'?

Is there a ready way in DAL, or I need to use .split() and .join() ?

look:

>>> row = db(db.doacao.user_id==23).select()[0]
>>> row
 at 0x930ae64>, 'projeto': None, 'animais': '|12|20|',
'valores': '|21.5|45.3|', 'obs': None, 'sorteio': '5796', 'total': 20.0,
'data': datetime.datetime(2010, 11, 23, 10, 7, 48), 'id': 58,
'delete_record':  at 0x930ae2c>}>
>>> row.animais
'|12|20|'
>>> row.valores
'|21.5|45.3|'

At this point the 'list:string' fields return 'str'. I can split this by
'|' and create a new list, but maybe DAL has a function for doing that?






2010/10/25 mdipierro 

> h. that is possible. Will look into it.
>
> On Oct 25, 3:59 pm, yamandu  wrote:
> > It seems that this widget does not work when there is more than one
> > list:string field in a page.
> >
> > On Oct 25, 2:01 am, mdipierro  wrote:
> >
> > > The list:string is not an alternative to using a tag table and
> > > tag_link many-to-many (an example of which is provided by
> > > plugin_tagging).
> >
> > > Yet you should not have the problem you experience. With recent
> > > versions of web2py, Field('keywords', 'list:string') should be
> > > rendered by a new widget that takes one keyword per line and adds new
> > > lines when yo press enter. You should not be using '|' to separate
> > > keywords. If you do all keywords will be interpreted as one long
> > > keyword containing the '|'s.
> >
> > > Massimo
> >
> > > On Oct 24, 10:35 pm, rick  wrote:
> >
> > > > I'm getting frustrated with the list:string field type.
> >
> > > > I store products, each product has "keywords" that describe the
> > > > product.
> > > > db.define_table('products',
> > > >Field('keywords', 'list:string'))
> > > > I don't know what the keywords will be, so I can't use IS_IN_SET()
> >
> > > > It seems to stores the keywords fine, as long as (I'm using Crud)
> > > > I separate the keywords like this: green|blue|red
> >
> > > > But when I make this call
> > > > rows = db(db.products.keywords.contains(keyword)).select()
> > > > I don't get all the products back that I should! In fact, it seems
> > > > that I need to do an update on the product (again using Crud,
> > > > and any sort of update) before the product's keywords will be
> > > > picked up.
> >
> > > > Is this a problem with using Crud?
> > > > In all honesty, I'd be more comfortable not using list:string, and
> > > > having a separate table "keywords" that linked (many-to-one)
> > > > to the products table, but I really don't know how I would even
> > > > begin to do that in web2py..
> >
> > > > Thanks for reading!
> > > > - rick
> >
> >
>



-- 

Bruno Rocha
http://about.me/rochacbruno/bio


[web2py] Jqgrid via plugin_wiki and reference

2010-11-23 Thread JmiXIII
Hello,

I'm happy with the plugin_wiki jqgrid widget.
Yet consider (generated from wizard):

db.define_table('t_piece',
Field('id','id',
  represent=lambda id:SPAN(id,' ',
    A('view',_href=URL('piece_read',args=id)))),
Field('f_code', type='string', unique=True,
  label=T('Code')),
Field('f_reception', 'date',
  label=T('Reception')),
Field('f_type', type='reference t_modele',
  label=T('Type')),
Field('f_rque', type='string',
  label=T('Rque')),
Field('f_etat', type='string',
  label=T('Etat')),
Field('active','boolean',default=True,
  label=T('Active'),writable=False,readable=False),
Field('created_on','datetime',default=request.now,
  label=T('Created On'),writable=False,readable=False),
Field('modified_on','datetime',default=request.now,
  label=T('Modified On'),writable=False,readable=False,
  update=request.now),
Field('created_by',db.auth_user,default=auth.user_id,
  label=T('Created By'),writable=False,readable=False),
Field('modified_by',db.auth_user,default=auth.user_id,
  label=T('Modified By'),writable=False,readable=False,
  update=auth.user_id),
format='%(f_code)s',
migrate=settings.migrate)




db.define_table('t_modele',
Field('id','id',
  represent=lambda id:SPAN(id,' ',
    A('view',_href=URL('modele_read',args=id)))),
Field('f_nom', type='string',
  label=T('Nom')),
Field('f_qstock', type='string',
  label=T('Qstock')),
Field('f_qmin', type='string',
  label=T('Qmin')),
Field('f_descriptif', type='string',
  label=T('Descriptif')),
Field('f_materiel', type='list:reference t_materiel',
  label=T('Materiel')),
Field('f_fournisseur', type='string',
  label=T('Fournisseur')),
Field('f_px_unit', type='string',
  label=T('Px Unit')),
Field('active','boolean',default=True,
  label=T('Active'),writable=False,readable=False),
Field('created_on','datetime',default=request.now,
  label=T('Created On'),writable=False,readable=False),
Field('modified_on','datetime',default=request.now,
  label=T('Modified On'),writable=False,readable=False,
  update=request.now),
Field('created_by',db.auth_user,default=auth.user_id,
  label=T('Created By'),writable=False,readable=False),
Field('modified_by',db.auth_user,default=auth.user_id,
  label=T('Modified By'),writable=False,readable=False,
  update=auth.user_id),
format='%(f_nom)s',
migrate=settings.migrate)

When I use in a view (loop):
{{=db.t_piece.f_type.represent(row.f_type)}} everything is all right I
get f_nom for f_type representation.

now consider:
{{=plugin_wiki.widget('jqgrid',table='t_piece')}}
Values of db.t_piece_f_type are correctly represented but :
If I want to use the search function with db.t_piece.f_type, I will
have to search for db.t_model.id and not db.t_model.f_nom

Is there a way to achieve this ?

Thanks for this great framework.


[web2py] Re: list:string thoughts

2010-11-23 Thread mdipierro
No it does not. This is what I get:

>>> db.define_table('name',Field('value','list:string'))
>>> db.name.insert(value=['hello','world'])
1
>>> db.name(1).value
['hello', 'world']
>>> for row in db(db.name).select(): print row
 at 0x1698f70>, 'value':
['hello', 'world'], 'id': 1, 'delete_record':  at
0x16a0030>}>

I think you inserted '|21.5|45.3|' instead of ['21.5','45.3'] and you
get back what you insert.


On Nov 23, 10:08 am, Bruno Rocha  wrote:
> HI, I am taking advantage of this thread to solve a doubt about
> list:string,
> How can I get the values from list:string field rendered as a Python 'list'
> ?
>
> Is there a ready way in DAL, or I need to use .split() and .join() ?
>
> look:
>
> >>> row = db(db.doacao.user_id==23).select()[0]
> >>> row
>
>   at 0x930ae64>, 'projeto': None, 'animais': '|12|20|',
> 'valores': '|21.5|45.3|', 'obs': None, 'sorteio': '5796', 'total': 20.0,
> 'data': datetime.datetime(2010, 11, 23, 10, 7, 48), 'id': 58,
> 'delete_record':  at 0x930ae2c>} row.animais
> '|12|20|'
> >>> row.valores
>
> '|21.5|45.3|'
>
> At this point the 'list:string' fields returns 'str' , I can split this by
> '|' and create a new list, but may be DAL has a function for doing that?
>
> 2010/10/25 mdipierro 
>
>
>
> > h. that is possible. Will look into it.
>
> > On Oct 25, 3:59 pm, yamandu  wrote:
> > > It seems that this widget does not work when there is more than one
> > > list:string field in a page.
>
> > > On Oct 25, 2:01 am, mdipierro  wrote:
>
> > > > The list:string is not an alternative to using a tag table and
> > > > tag_link many-to-many (an example of which is provided by
> > > > plugin_tagging).
>
> > > > Yet you should not have the problem you experience. With recent
> > > > versions of web2py, Field('keywords', 'list:string') should be
> > > > rendered by a new widget that takes one keyword per line and adds new
> > > > lines when yo press enter. You should not be using '|' to separate
> > > > keywords. If you do all keywords will be interpreted as one long
> > > > keyword containing the '|'s.
>
> > > > Massimo
>
> > > > On Oct 24, 10:35 pm, rick  wrote:
>
> > > > > I'm getting frustrated with the list:string field type.
>
> > > > > I store products, each product has "keywords" that describe the
> > > > > product.
> > > > > db.define_table('products',
> > > > >    Field('keywords', 'list:string'))
> > > > > I don't know what the keywords will be, so I can't use IS_IN_SET()
>
> > > > > It seems to stores the keywords fine, as long as (I'm using Crud)
> > > > > I separate the keywords like this: green|blue|red
>
> > > > > But when I make this call
> > > > > rows = db(db.products.keywords.contains(keyword)).select()
> > > > > I don't get all the products back that I should! In fact, it seems
> > > > > that I need to do an update on the product (again using Crud,
> > > > > and any sort of update) before the product's keywords will be
> > > > > picked up.
>
> > > > > Is this a problem with using Crud?
> > > > > In all honesty, I'd be more comfortable not using list:string, and
> > > > > having a separate table "keywords" that linked (many-to-one)
> > > > > to the products table, but I really don't know how I would even
> > > > > begin to do that in web2py..
>
> > > > > Thanks for reading!
> > > > > - rick
>
> --
>
> Bruno Rocha http://about.me/rochacbruno/bio


Re: [web2py] Re: list:string thoughts

2010-11-23 Thread Bruno Rocha
This is what I have:

order = []
for product_id, qty, val in session.cart:
    order.append(( product_id, qty, val ))

store.define_table('doacao',
  Field('user_id',db.auth_user,requires=IS_IN_DB(db,
db.auth_user.id)),
  Field('animais','list:string'),
  Field('valores','list:string'),
  Field('data','datetime',default=request.now),
  )

assuming order = [(12,1,21.4),(15,1,45.3)]

doacao = dict(
 user_id=auth.user_id,
 animais=[ord[0] for ord in order],
 valores=[ord[2] for ord in order],
 data=datetime.today()+timedelta(hours=4)
 )

session.id_doacao = db.doacao.insert(**doacao)

I got animais with '|12|15|' and valores = '|21.4|45.3|'






2010/11/23 mdipierro 

> No it does not. This is what I get:
>
> >>> db.define_table('name',Field('value','list:string'))
> >>> db.name.insert(value=['hello','world'])
> 1
> >>> db.name(1).value
> ['hello', 'world']
> >>> for row in db(db.name).select(): print row
>  at 0x1698f70>, 'value':
> ['hello', 'world'], 'id': 1, 'delete_record':  at
> 0x16a0030>}>
>
> I think you inserted '|21.5|45.3|' instead of ['21.5','45.3'] and you
> get back what you insert.
>
>
> On Nov 23, 10:08 am, Bruno Rocha  wrote:
> > HI, I am taking advantage of this thread to solve a doubt about
> > list:string,
> > How can I get the values from list:string field rendered as a Python
> 'list'
> > ?
> >
> > Is there a ready way in DAL, or I need to use .split() and .join() ?
> >
> > look:
> >
> > >>> row = db(db.doacao.user_id==23).select()[0]
> > >>> row
> >
> >  >  at 0x930ae64>, 'projeto': None, 'animais': '|12|20|',
> > 'valores': '|21.5|45.3|', 'obs': None, 'sorteio': '5796', 'total': 20.0,
> > 'data': datetime.datetime(2010, 11, 23, 10, 7, 48), 'id': 58,
> > 'delete_record':  at 0x930ae2c>} row.animais
> > '|12|20|'
> > >>> row.valores
> >
> > '|21.5|45.3|'
> >
> > At this point the 'list:string' fields returns 'str' , I can split this
> by
> > '|' and create a new list, but may be DAL has a function for doing that?
> >
> > 2010/10/25 mdipierro 
> >
> >
> >
> > > h. that is possible. Will look into it.
> >
> > > On Oct 25, 3:59 pm, yamandu  wrote:
> > > > It seems that this widget does not work when there is more than one
> > > > list:string field in a page.
> >
> > > > On Oct 25, 2:01 am, mdipierro  wrote:
> >
> > > > > The list:string is not an alternative to using a tag table and
> > > > > tag_link many-to-many (an example of which is provided by
> > > > > plugin_tagging).
> >
> > > > > Yet you should not have the problem you experience. With recent
> > > > > versions of web2py, Field('keywords', 'list:string') should be
> > > > > rendered by a new widget that takes one keyword per line and adds
> new
> > > > > lines when yo press enter. You should not be using '|' to separate
> > > > > keywords. If you do all keywords will be interpreted as one long
> > > > > keyword containing the '|'s.
> >
> > > > > Massimo
> >
> > > > > On Oct 24, 10:35 pm, rick  wrote:
> >
> > > > > > I'm getting frustrated with the list:string field type.
> >
> > > > > > I store products, each product has "keywords" that describe the
> > > > > > product.
> > > > > > db.define_table('products',
> > > > > >Field('keywords', 'list:string'))
> > > > > > I don't know what the keywords will be, so I can't use
> IS_IN_SET()
> >
> > > > > > It seems to stores the keywords fine, as long as (I'm using Crud)
> > > > > > I separate the keywords like this: green|blue|red
> >
> > > > > > But when I make this call
> > > > > > rows = db(db.products.keywords.contains(keyword)).select()
> > > > > > I don't get all the products back that I should! In fact, it
> seems
> > > > > > that I need to do an update on the product (again using Crud,
> > > > > > and any sort of update) before the product's keywords will be
> > > > > > picked up.
> >
> > > > > > Is this a problem with using Crud?
> > > > > > In all honesty, I'd be more comfortable not using list:string,
> and
> > > > > > having a separate table "keywords" that linked (many-to-one)
> > > > > > to the products table, but I really don't know how I would even
> > > > > > begin to do that in web2py..
> >
> > > > > > Thanks for reading!
> > > > > > - rick
> >
> > --
> >
> > Bruno Rocha http://about.me/rochacbruno/bio
>



-- 

Bruno Rocha
http://about.me/rochacbruno/bio


[web2py] Possible BUG: Hidden fields in SQLFORM with custom render template

2010-11-23 Thread Josh Jaques
Rendering SQLFORMs with a custom template,  any hidden fields I create, as well 
as the hidden ID field are not displayed in the form until a call to accepts.

I think this might be a bug because the same form rendered without a custom 
template will have the ID and hidden fields without calling accepts.

I tested against latest release.

Thoughts?

Sample controller action:
def index():
    form = SQLFORM(db.images, db.images(1),
                   hidden=dict(test_field="test_value"))
    accepted_form = SQLFORM(db.images, db.images(1),
                            hidden=dict(test_field="test_value"))
    accepted_form.accepts(request.vars, formname=None)
    return dict(form=form, accepted_form=accepted_form)

Sample view:

{{=form}}


{{=form.custom.begin}}
Image name: {{=form.custom.widget.name}}
Image file: {{=form.custom.widget.file}}
Click here to upload: {{=form.custom.submit}}
{{=form.custom.end}}


{{form=accepted_form}}
{{=form.custom.begin}}
Image name: {{=form.custom.widget.name}}
Image file: {{=form.custom.widget.file}}
Click here to upload: {{=form.custom.submit}}

{{=form.custom.end}}





Sample output:



Id: 1Name: File: 







Image name: 

Image file: 

Click here to upload: 









Image name: enter from 10 to 255 
characters

Image file: 

Click here to upload: 








[web2py] Re: list:string thoughts

2010-11-23 Thread mdipierro
This is what I get from shell:

>>> db.define_table('doacao',
...Field('animais','list:string'),
...Field('valores','list:string'))
>>> order = [(12,1,21.4),(15,1,45.3)]
>>> doacao = dict(
...  animais=[ord[0] for ord in order],
...  valores=[ord[2] for ord in order], )
>>> i=db.doacao.insert(**doacao)
>>> for row in db(db.doacao).select(): print row
...
 at 0x1698e70>, 'animais':
['12', '15'], 'id': 1, 'delete_record':  at
0x1698eb0>, 'valores': ['21.4', '45.3']}>

what do you do to get '|12|15|' and '|21.4|45.3|'? I cannot reproduce
them.

On Nov 23, 10:30 am, Bruno Rocha  wrote:
> This is what I have:
>
> order = []
> for product_id, qty, val in session.cart:
>     order.append(( product_id, qty, val ))
>
> store.define_table('doacao',
>                   Field('user_id',db.auth_user,requires=IS_IN_DB(db,
> db.auth_user.id)),
>                   Field('animais','list:string'),
>                   Field('valores','list:string'),
>                   Field('data','datetime',default=request.now),
>                   )
>
> assuming order = [(12,1,21.4),(15,1,45.3)]
>
> doacao = dict(
>              user_id=auth.user_id,
>              animais=[ord[0] for ord in order],
>              valores=[ord[2] for ord in order],
>              data=datetime.today()+timedelta(hours=4)
>              )
>
> session.id_doacao = db.doacao.insert(**doacao)
>
> I got animais with '|12|15|' and valores = '|21.4|45.3|'
>
> 2010/11/23 mdipierro 
>
>
>
> > No it does not. This is what I get:
>
> > >>> db.define_table('name',Field('value','list:string'))
> > >>> db.name.insert(value=['hello','world'])
> > 1
> > >>> db.name(1).value
> > ['hello', 'world']
> > >>> for row in db(db.name).select(): print row
> >  at 0x1698f70>, 'value':
> > ['hello', 'world'], 'id': 1, 'delete_record':  at
> > 0x16a0030>}>
>
> > I think you inserted '|21.5|45.3|' instead of ['21.5','45.3'] and you
> > get back what you insert.
>
> > On Nov 23, 10:08 am, Bruno Rocha  wrote:
> > > HI, I am taking advantage of this thread to solve a doubt about
> > > list:string,
> > > How can I get the values from list:string field rendered as a Python
> > 'list'
> > > ?
>
> > > Is there a ready way in DAL, or I need to use .split() and .join() ?
>
> > > look:
>
> > > >>> row = db(db.doacao.user_id==23).select()[0]
> > > >>> row
>
> > >  > >  at 0x930ae64>, 'projeto': None, 'animais': '|12|20|',
> > > 'valores': '|21.5|45.3|', 'obs': None, 'sorteio': '5796', 'total': 20.0,
> > > 'data': datetime.datetime(2010, 11, 23, 10, 7, 48), 'id': 58,
> > > 'delete_record':  at 0x930ae2c>} row.animais
> > > '|12|20|'
> > > >>> row.valores
>
> > > '|21.5|45.3|'
>
> > > At this point the 'list:string' fields returns 'str' , I can split this
> > by
> > > '|' and create a new list, but may be DAL has a function for doing that?
>
> > > 2010/10/25 mdipierro 
>
> > > > h. that is possible. Will look into it.
>
> > > > On Oct 25, 3:59 pm, yamandu  wrote:
> > > > > It seems that this widget does not work when there is more than one
> > > > > list:string field in a page.
>
> > > > > On Oct 25, 2:01 am, mdipierro  wrote:
>
> > > > > > The list:string is not an alternative to using a tag table and
> > > > > > tag_link many-to-many (an example of which is provided by
> > > > > > plugin_tagging).
>
> > > > > > Yet you should not have the problem you experience. With recent
> > > > > > versions of web2py, Field('keywords', 'list:string') should be
> > > > > > rendered by a new widget that takes one keyword per line and adds
> > new
> > > > > > lines when yo press enter. You should not be using '|' to separate
> > > > > > keywords. If you do all keywords will be interpreted as one long
> > > > > > keyword containing the '|'s.
>
> > > > > > Massimo
>
> > > > > > On Oct 24, 10:35 pm, rick  wrote:
>
> > > > > > > I'm getting frustrated with the list:string field type.
>
> > > > > > > I store products, each product has "keywords" that describe the
> > > > > > > product.
> > > > > > > db.define_table('products',
> > > > > > >    Field('keywords', 'list:string'))
> > > > > > > I don't know what the keywords will be, so I can't use
> > IS_IN_SET()
>
> > > > > > > It seems to stores the keywords fine, as long as (I'm using Crud)
> > > > > > > I separate the keywords like this: green|blue|red
>
> > > > > > > But when I make this call
> > > > > > > rows = db(db.products.keywords.contains(keyword)).select()
> > > > > > > I don't get all the products back that I should! In fact, it
> > seems
> > > > > > > that I need to do an update on the product (again using Crud,
> > > > > > > and any sort of update) before the product's keywords will be
> > > > > > > picked up.
>
> > > > > > > Is this a problem with using Crud?
> > > > > > > In all honesty, I'd be more comfortable not using list:string,
> > and
> > > > > > > having a separate table "keywords" that linked (many-to-one)
> > > > > > > to the products table, but I really don't know how I would even
> > > > > > > begin t

[web2py] Potential site trust abuse with default web2py setting?

2010-11-23 Thread Richard G
Howdy all,

In web2py I've noticed a number of methods in gluon/tools.py that
utilize client input to determine site flow:
    if next == DEFAULT:
        next = request.get_vars._next \
            or request.post_vars._next \
            or self.settings.login_next

and subsequent
    if next and not next[0] == '/' and next[:4] != 'http':
        next = self.url(next.replace('[id]', str(form.vars.id)))
    redirect(next)

Methods:
  AUTH: login, register, retrieve_username,
reset_password_deprecated, reset_password,
request_reset_password(retrieve_password), change_password, profile,

  CRUD: update, delete

To me this seems that a malicious individual can abuse the trust of
our site to:
a) trick users into instantiating a CSRF from our site
b) providing information (credentials?) to a phishing site.

I'm sure we can all come up with some simple examples to provide users
links that will redirect to a malicious site upon authentication.
Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
where the secondary site mimics original and identifies that the
authentication failed, and to reenter id/pw (even though we only get
here after original site auth was success).

Unless I am missing something, the _next flow seems a strange
'default' behaviour for a secure framework.

I'm wondering if the community has input / thoughts on my (perceived?)
_next issue.

Thanks all!!


[web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread mdipierro
What you suggest is indeed possible but...

This is not an example of CSRF. CSRF is when a malicious site redirects
the user to a site where the user is already authenticated (a web2py
site) and forces the user to perform an action (for example submit a
form). web2py prevents this by hiding a formkey in forms.

What you suggest is an example of phishing. For the scam to work the
victim would have to:
1) start from the malicious web site
2) login with a url provided by the malicious web site
3) provide credentials to a clone of the original web site.

If a user falls for 1,2,3 there are much easier ways to implement this
scam even if web2py did not provide the next functionality and without
redirecting at all to the web2py site.
I do not believe this kind of phishing can be avoided.

We can have a flag that checks whether _next is on a different domain
but it would not prevent this type of scam, just this particular
implementation.

Massimo


On Nov 23, 10:42 am, Richard G  wrote:
> Howdy all,
>
> In web2py I've noticed a number of methods in gluon/tools.py that
> utilize client input to determine site flow:
>         if next == DEFAULT:
>         next = request.get_vars._next \
>             or request.post_vars._next \
>             or self.settings.login_next
>
> and subsequent
>     if next and not next[0] == '/' and next[:4] != 'http':
>         next = self.url(next.replace('[id]', str(form.vars.id)))
>     redirect(next)
>
> Methods:
>   AUTH: login, register, retrieve_username,
> reset_password_deprecated, reset_password,
> request_reset_password(retrieve_password), change_password, profile,
>
>   CRUD: update, delete
>
> To me this seems that a malicious individual can abuse the trust of
> our site to:
> a) trick users into instantiating a CSRF from our site
> b) providing information (credentials?) to a phishing site.
>
> I'm sure we can all come up with some simple examples to provide users
> links that will redirect to a malicious site upon authentication.
> Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
> where the secondary site mimics original and identifies that the
> authentication failed, and to reenter id/pw (even though we only get
> here after original site auth was success).
>
> Unless I am missing something, the _next flow seems a strange
> 'default' behaviour for a secure framework.
>
> I'm wondering if the community has input / thoughts on my (perceived?)
> _next issue.
>
> Thanks all!!
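
The flag mentioned in the reply above (checking whether _next points at a different domain), written out as an added example that is not web2py's code and not part of either message. `safe_next`, `redirected_as_is`, `ALLOWED_HOSTS` and the sample values are assumptions made for illustration, and the code uses Python 3's urllib.parse.

```python
from urllib.parse import urlsplit

# Assumption: host names this application answers on. "web2py-site" is the
# placeholder host from the example URL in the thread.
ALLOWED_HOSTS = frozenset({"web2py-site"})


def redirected_as_is(next_url):
    """Condition quoted in the thread: a value that starts with '/' or
    'http' skips self.url() and reaches redirect() unchanged."""
    return bool(next_url) and (next_url[0] == "/" or next_url[:4] == "http")


def safe_next(next_url, default="/", allowed_hosts=ALLOWED_HOSTS):
    """Return next_url only if it keeps the browser on this site,
    otherwise return default."""
    if not isinstance(next_url, str) or not next_url:
        return default
    # Browsers read '\' as '/' and drop tab/CR/LF inside URLs, so such a
    # value can leave the site even though it starts with '/'.
    if next_url != next_url.strip() or any(c in next_url for c in "\\\t\r\n"):
        return default
    try:
        parts = urlsplit(next_url)
        host = parts.hostname          # lower-cased, without userinfo/port
    except ValueError:                 # malformed authority
        return default
    if not parts.scheme and not parts.netloc:
        # Site-relative path: exactly one leading slash. Two or more
        # leading slashes are resolved by browsers as a host name.
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return default
    if parts.scheme in ("http", "https") and host in allowed_hosts:
        return next_url
    return default


# Constructed sample values for _next; "web2py_site" is the lookalike host
# from the thread's example URL.
SAMPLES = [
    "/app/default/index",
    "http://web2py-site/app/default/index",
    "http://web2py_site/login",
    "//web2py_site/login",
    "///web2py_site/login",
    "http://web2py-site@web2py_site/login",
    "/\\web2py_site/login",
]


def compare(samples=SAMPLES):
    """Pair each value with the quoted condition's verdict and the
    validated result."""
    return [(s, redirected_as_is(s), safe_next(s)) for s in samples]


if __name__ == "__main__":
    for value, as_is, result in compare():
        print("%-40r as-is=%-5s validated=%r" % (value, as_is, result))
```

Every sample satisfies the quoted condition and would be redirected unchanged; only the first two survive validation, the rest fall back to the default.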


[web2py] output

2010-11-23 Thread pftpft
I'm new to the MVC structure and am trying to figure out where things
go.

Let's say I've got a group of items.  The index page lists them with a
link to each.  On the item page, it runs a detailed calculation and
prints various output.  For example,

Item 1
Built in 2007.
Initial value $1,000
2008 interest: 30
2009 interest: 31
2010 interest: 32
Current value: 1,093
---
Item 2
Purchased in 2000 for $100,000
Depreciation over 10 years: 40,000
Current value: $60,000
---

Currently using PHP, I just use if statements and loops and echo out
to the browser information when it's needed.  In web2py, where do I put
the calculation function?  I'm guessing it shouldn't be in either the
controller or in the view.  If I put it in the model, how do I get the
output to the view?  Do I have to create a list and append output
lines to it?  Which calls the calculation function?  The controller or
the view?

Thanks.  Hopefully this makes sense.


Re: [web2py] Re: list:string thoughts

2010-11-23 Thread Bruno Rocha
I deleted my database, redefined the tables and now it works.

I found the problem.

First defined

Field('valores')

After some values inserted, and some deletions, I changed to

Field('valores','list:string')

But this still renders pure strings '|x|x|'

Changing fields from 'string' to 'list:string' does not work.

2010/11/23 mdipierro 

> This is what I get from shell:
>
> >>> db.define_table('doacao',
> ...Field('animais','list:string'),
> ...Field('valores','list:string'))
> >>> order = [(12,1,21.4),(15,1,45.3)]
> >>> doacao = dict(
> ...  animais=[ord[0] for ord in order],
> ...  valores=[ord[2] for ord in order], )
> >>> i=db.doacao.insert(**doacao)
> >>> for row in db(db.doacao).select(): print row
> ...
>  at 0x1698e70>, 'animais':
> ['12', '15'], 'id': 1, 'delete_record':  at
> 0x1698eb0>, 'valores': ['21.4', '45.3']}>
>
> what do you do to get '|12|15|' and '|21.4|45.3|'? I cannot reproduce
> them.
>
> On Nov 23, 10:30 am, Bruno Rocha  wrote:
> > This is what I have:
> >
> > order = []
> > for product_id, qty, val in session.cart:
> > order.append(( product_id, qty, val ))
> >
> > store.define_table('doacao',
> >   Field('user_id',db.auth_user,requires=IS_IN_DB(db,
> > db.auth_user.id)),
> >   Field('animais','list:string'),
> >   Field('valores','list:string'),
> >   Field('data','datetime',default=request.now),
> >   )
> >
> > assuming order = [(12,1,21.4),(15,1,45.3)]
> >
> > doacao = dict(
> >  user_id=auth.user_id,
> >  animais=[ord[0] for ord in order],
> >  valores=[ord[2] for ord in order],
> >  data=datetime.today()+timedelta(hours=4)
> >  )
> >
> > session.id_doacao = db.doacao.insert(**doacao)
> >
> > I got animais with '|12|15|' and valores = '|21.4|45.3|'
> >
> > 2010/11/23 mdipierro 
> >
> >
> >
> > > No it does not. This is what I get:
> >
> > > >>> db.define_table('name',Field('value','list:string'))
> > > >>> db.name.insert(value=['hello','world'])
> > > 1
> > > >>> db.name(1).value
> > > ['hello', 'world']
> > > >>> for row in db(db.name).select(): print row
> > >  at 0x1698f70>, 'value':
> > > ['hello', 'world'], 'id': 1, 'delete_record':  at
> > > 0x16a0030>}>
> >
> > > I think you inserted '|21.5|45.3|' instead of ['21.5','45.3'] and you
> > > get back what you insert.
> >
> > > On Nov 23, 10:08 am, Bruno Rocha  wrote:
> > > > > Hi, I am taking advantage of this thread to solve a doubt about
> > > > > list:string,
> > > > > How can I get the values from list:string field rendered as a Python
> > > > > 'list'?
> >
> > > > Is there a ready way in DAL, or I need to use .split() and .join() ?
> >
> > > > look:
> >
> > > > >>> row = db(db.doacao.user_id==23).select()[0]
> > > > >>> row
> >
> > > >  'update_record':
> > > >  at 0x930ae64>, 'projeto': None, 'animais':
> '|12|20|',
> > > > 'valores': '|21.5|45.3|', 'obs': None, 'sorteio': '5796', 'total':
> 20.0,
> > > > 'data': datetime.datetime(2010, 11, 23, 10, 7, 48), 'id': 58,
> > > > 'delete_record':  at 0x930ae2c>} row.animais
> > > > '|12|20|'
> > > > >>> row.valores
> >
> > > > '|21.5|45.3|'
> >
> > > > > At this point the 'list:string' fields returns 'str', I can split
> > > > > this by '|' and create a new list, but maybe DAL has a function for
> > > > > doing that?
> >
> > > > 2010/10/25 mdipierro 
> >
> > > > > h. that is possible. Will look into it.
> >
> > > > > On Oct 25, 3:59 pm, yamandu  wrote:
> > > > > > > It seems that this widget does not work when there is more than
> > > > > > > one list:string field in a page.
> >
> > > > > > On Oct 25, 2:01 am, mdipierro  wrote:
> >
> > > > > > > The list:string is not an alternative to using a tag table and
> > > > > > > tag_link many-to-many (an example of which is provided by
> > > > > > > plugin_tagging).
> >
> > > > > > > > Yet you should not have the problem you experience. With recent
> > > > > > > > versions of web2py, Field('keywords', 'list:string') should be
> > > > > > > > rendered by a new widget that takes one keyword per line and
> > > > > > > > adds new lines when you press enter. You should not be using '|'
> > > > > > > > to separate keywords. If you do all keywords will be interpreted
> > > > > > > > as one long keyword containing the '|'s.
> >
> > > > > > > Massimo
> >
> > > > > > > On Oct 24, 10:35 pm, rick  wrote:
> >
> > > > > > > > I'm getting frustrated with the list:string field type.
> >
> > > > > > > > > I store products, each product has "keywords" that describe
> > > > > > > > > the product.
> > > > > > > > > db.define_table('products',
> > > > > > > > >    Field('keywords', 'list:string'))
> > > > > > > > > I don't know what the keywords will be, so I can't use
> > > > > > > > > IS_IN_SET()
> >
> > > > > > > > > It seems to store the keywords fine, as long as (I'm using
> > > > > > > > > Crud) I separate the keywords like this: green|blue|red
> >
> > > > > > > > But when I make this call

[web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread Richard G
Sorry, I am not saying that a web2py site is susceptible to CSRF. I
meant that a web2py site could be used 'in the process' to perform a
request that matches these criteria on another site.

I find it weird to click on a link that is going to a legitimate
web2py site, and loads this legitimate web2py site, but then redirects
to an external site, only after I authenticate. (Based on using
authentication).

Again, a simple example scenario:
ie: I receive a fraudulent email, asking me to update password.. click
on it (yes.. first mistake), it redirects me to a legitimate web2py
site (I think, maybe the email was not fraudulent?), which on this
web2py site after I perform an action, redirects me to another site.

I agree that a few items have to fall in place for this abuse to
occur. But it still seems that at one point in the process, the user
has placed trust in our site, and then our site redirects them
elsewhere.

If the community believes form submission redirection based on the
forms variables is not a threat to our environment (It doesn't present
a tangible risk to our site, but I see it as posing a risk to our
site's trust, and thus our user's trust) then I'll stop arguing :)

Again, thanks!


On Nov 23, 10:57 am, mdipierro  wrote:
> What you suggest is indeed possible but...
>
> This is not an example of CSRF. CSRF is when a malicious site redirects
> the user to a site where the user is already authenticated (a web2py
> site) and forces the user to perform an action (for example submit a
> form). web2py prevents this by hiding a formkey in forms.
>
> What you suggest is an example of phishing. For the scam to work the
> victim would have to:
> 1) start from the malicious web site
> 2) login with a url provided by the malicious web site
> 3) provide credentials to a clone of the original web site.
>
> If a user falls for 1,2,3 there are much easier ways to implement this
> scam even if web2py did not provide the next functionality and without
> redirecting at all to the web2py site.
> I do not believe this kind of phishing can be avoided.
>
> We can have a flag that checks whether _next is on a different domain
> but it would not prevent this type of scam, just this particular
> implementation.
>
> Massimo
>
> On Nov 23, 10:42 am, Richard G  wrote:
>
> > Howdy all,
>
> > In web2py I've noticed a number of methods in gluon/tools.py that
> > utilize client input to determine site flow:
> >     if next == DEFAULT:
> >         next = request.get_vars._next \
> >             or request.post_vars._next \
> >             or self.settings.login_next
>
> > and subsequent
> >     if next and not next[0] == '/' and next[:4] != 'http':
> >         next = self.url(next.replace('[id]', str(form.vars.id)))
> >     redirect(next)
>
> > Methods:
> >   AUTH: login, register, retrieve_username,
> > reset_password_deprecated, reset_password,
> > request_reset_password(retrieve_password), change_password, profile,
>
> >   CRUD: update, delete
>
> > To me this seems that a malicious individual can abuse the trust of
> > our site to:
> > a) trick users into instantiating a CSRF from our site
> > b) providing information (credentials?) to a phishing site.
>
> > I'm sure we can all come up with some simple examples to provide users
> > links that will redirect to a malicious site upon authentication.
> > Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
> > where the secondary site mimics original and identifies that the
> > authentication failed, and to reenter id/pw (even though we only get
> > here after original site auth was success).
>
> > Unless I am missing something, the _next flow seems a strange
> > 'default' behaviour for a secure framework.
>
> > I'm wondering if the community has input / thoughts on my (perceived?)
> > _next issue.
>
> > Thanks all!!
>
>


[web2py] Re: Suggested patch to DAL

2010-11-23 Thread brad
My mistake, Massimo. Sorry.

On Nov 22, 10:40 pm, mdipierro  wrote:
> Talking about sql.py or dal.py. dal.py is an experimental rewrite of
> sql.py. dal.py is not used in web2py. dal.py has not been updated in
> a long time.
>
> Massimo
>
> On Nov 22, 8:48 pm, Mariano Reingart  wrote:
>
> > On Mon, Nov 22, 2010 at 10:27 PM, brad  wrote:
> > > I tested further and am not sure now about my proposed fix.
>
> > > In dal.py, there seem to be two approaches to user-defined primary
> > > keys:
>
> > > One is to assume that only special tables have an
> > > attribute ._primarykey, and run special case code if hasattr(self,
> > > "_primarykey"), e.g.:
>
> > >                if hasattr(self,'_primarykey'):
> > >                    rtablename,rfieldname = ref.split('.')
> > >                    rtable = self._db[rtablename]
> > >                    rfield = rtable[rfieldname]
> > >                    # must be PK reference or unique
> > >                    if rfieldname in rtable._primarykey or rfield.unique:
>
> > > The other is to assume all tables have the ._primarykey attribute and
> > > use it without testing for existence, e.g.:
>
> > >            if not orderby and tablenames:
> > >                sql_o += ' ORDER BY %s' % ', '.join(
> > >                    ['%s.%s'%(t,x) for t in tablenames
> > >                     for x in (self.db[t]._primarykey or ['id'])])
>
> > > ...which simply won't run if t._primarykey doesn't exist.
>
> > > Possible fixes:
>
> > > 1. Use defaulted access: self.db[t].get("_primarykey")
>
> > > 2. Always set ._primarykey:
>
> > >       elif primarykey:
> > >            self._primarykey = primarykey
> > >            new_fields = []
> > >        else:
> > >            new_fields = [ Field('id', 'id') ]
> > > +           self._primarykey = ["id"]
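Review bot: Setting self._primarykey = ["id"] in the else: branch makes hasattr(self,'_primarykey') true for every table, so the special-case block quoted earlier in this message (the one that checks "rfieldname in rtable._primarykey or rfield.unique") would start running for ordinary id-keyed tables too. Before adopting fix 2, each hasattr(self,'_primarykey') test needs to be audited or replaced with an explicit keyed-table flag; otherwise fix 1 (defaulted access at the ORDER BY site, which already falls back to ['id']) is the narrower change.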
>
> > > I haven't spent near enough time in the DAL to know which is best.
> > > Thoughts?
>
> > I think current dal.py approach is wrong, having a distinction on
> > normal vs keyed tables raises these types of issues, adds unnecessary
> > complexity to the code and model design, etc.
>
> > IIRC Massimo said that assuming autonumeric id as primary keys was a
> > mistake taken from other frameworks, and it is preventing using NOSQL
> > and full power of some relational databases.
>
> > Also, it makes more difficult to do lazy table definitions, migrations
> > and fixtures.
>
> > There is a thread about this in web2py-developers, maybe you can look
> > there for further information.
>
> > Best regards,
>
> > Mariano Reingart
> > http://www.sistemasagiles.com.ar
> > http://reingart.blogspot.com


[web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread mdipierro
Actually I appreciate you raising this issue and this is a healthy
discussion.
Security issues are very important for everybody here so thank you for
bringing this up.

Although I do not think this is a major issue I agree that it should
be avoided.
One way to avoid it is by adding this in one of your models:

if request.controller=='default' and request.function=='user':
    if request.vars._next and request.vars._next.startswith('http'):
        del request.vars._next

This will guarantee that only internal URLs can be passed via _next.
Such mechanism could be made default behavior but I need to check that
does not break anything.

What do you think? What do other people think?

Massimo

On Nov 23, 11:45 am, Richard G  wrote:
> Sorry, I am not saying that a web2py site is susceptible to CSRF. I
> meant that a web2py site could be used 'in the process' to perform a
> request that matches these criteria on another site.
>
> I find it weird to click on a link that is going to a legitimate
> web2py site, and loads this legitimate web2py site, but then redirects
> to an external site, only after I authenticate. (Based on using
> authentication).
>
> Again, a simple example scenario:
> ie: I receive a fraudulent email, asking me to update password.. click
> on it (yes.. first mistake), it redirects me to a legitimate web2py
> site (I think, maybe the email was not fraudulent?), which on this
> web2py site after I perform an action, redirects me to another site.
>
> I agree that a few items have to fall in place for this abuse to
> occur. But it still seems that at one point in the process, the user
> has placed trust in our site, and then our site redirects them
> elsewhere.
>
> If the community believes form submission redirection based on the
> forms variables is not a threat to our environment (It doesn't present
> a tangible risk to our site, but I see it as posing a risk to our
> site's trust, and thus our user's trust) then I'll stop arguing :)
>
> Again, thanks!
>
> On Nov 23, 10:57 am, mdipierro  wrote:
>
> > What you suggest is indeed possible but...
>
> > This is not an example of CSRF. CSRF is when a malicious site redirects
> > the user to a site where the user is already authenticated (a web2py
> > site) and forces the user to perform an action (for example submit a
> > form). web2py prevents this by hiding a formkey in forms.
>
> > What you suggest is an example of phishing. For the scam to work the
> > victim would have to:
> > 1) start from the malicious web site
> > 2) login with a url provided by the malicious web site
> > 3) provide credentials to a clone of the original web site.
>
> > If a user falls for 1,2,3 there are much easier ways to implement this
> > scam even if web2py did not provide the next functionality and without
> > redirecting at all to the web2py site.
> > I do not believe this kind of phishing can be avoided.
>
> > We can have a flag that checks whether _next is on a different domain
> > but it would not prevent this type of scam, just this particular
> > implementation.
>
> > Massimo
>
> > On Nov 23, 10:42 am, Richard G  wrote:
>
> > > Howdy all,
>
> > > In web2py I've noticed a number of methods in gluon/tools.py that
> > > utilize client input to determine site flow:
> > >     if next == DEFAULT:
> > >         next = request.get_vars._next \
> > >             or request.post_vars._next \
> > >             or self.settings.login_next
>
> > > and subsequent
> > >     if next and not next[0] == '/' and next[:4] != 'http':
> > >         next = self.url(next.replace('[id]', str(form.vars.id)))
> > >     redirect(next)
>
> > > Methods:
> > >   AUTH: login, register, retrieve_username,
> > > reset_password_deprecated, reset_password,
> > > request_reset_password(retrieve_password), change_password, profile,
>
> > >   CRUD: update, delete
>
> > > To me this seems that a malicious individual can abuse the trust of
> > > our site to:
> > > a) trick users into instantiating a CSRF from our site
> > > b) providing information (credentials?) to a phishing site.
>
> > > I'm sure we can all come up with some simple examples to provide users
> > > links that will redirect to a malicious site upon authentication.
> > > Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
> > > where the secondary site mimics original and identifies that the
> > > authentication failed, and to reenter id/pw (even though we only get
> > > here after original site auth was success).
>
> > > Unless I am missing something, the _next flow seems a strange
> > > 'default' behaviour for a secure framework.
>
> > > I'm wondering if the community has input / thoughts on my (perceived?)
> > > _next issue.
>
> > > Thanks all!!
>
>


[web2py] Re: output

2010-11-23 Thread mdipierro
My guess is that you have a python data structure that contains the
items and the interest. I would extend this data structure to contain
the result of the computation, pass it to the view, render it as you
did in PHP. If you choose to compute the "current value" in the view,
I would not see anything wrong with it, although it is more likely the
current value is needed in other places in the program and therefore
it should belong to the data structure.

Massimo


On Nov 23, 11:26 am, pftpft  wrote:
> I'm new to the MVC structure and am trying to figure out where things
> go.
>
> Let's say I've got a group of items.  The index page lists them with a
> link to each.  On the item page, it runs a detailed calculation and
> prints various output.  For example,
>
> Item 1
> Built in 2007.
> Initial value $1,000
> 2008 interest: 30
> 2009 interest: 31
> 2010 interest: 32
> Current value: 1,093
> ---
> Item 2
> Purchased in 2000 for $100,000
> Depreciation over 10 years: 40,000
> Current value: $60,000
> ---
>
> Currently using PHP, I just use if statements and loops and echo out
> to the browser information when it's needed.  In web2py, where do I put
> the calculation function?  I'm guessing it shouldn't be in either the
> controller or in the view.  If I put it in the model, how do I get the
> output to the view?  Do I have to create a list and append output
> lines to it?  Which calls the calculation function?  The controller or
> the view?
>
> Thanks.  Hopefully this makes sense.


Re: [web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread Bruno Rocha
I think this can be default (security matters), but needs to be
configurable.

def avoid_external_next():
    if request.controller=='default' and request.function=='user':
        if request.vars._next and request.vars._next.startswith('http'):
            del request.vars._next

at the models level:

if some_setup_storage.avoid_external_next: avoid_external_next()

then, this will always be default, and executed until the user sets
some_setup_storage.avoid_external_next = False

Or something like this.


2010/11/23 mdipierro 

> Actually I appreciate you raising this issue and this is a healthy
> discussion.
> Security issues are very important for everybody here so thank you for
> bringing this up.
>
> Although I do not think this is a major issue I agree that it should
> be avoided.
> One way to avoid it is by adding this in one of your models:
>
> if request.controller=='default' and request.function=='user':
>     if request.vars._next and request.vars._next.startswith('http'):
>         del request.vars._next
>
> This will guarantee that only internal URLs can be passed via _next.
> Such mechanism could be made default behavior but I need to check that
> does not break anything.
>
> What do you think? What do other people think?
>
> Massimo
>
> On Nov 23, 11:45 am, Richard G  wrote:
> > Sorry, I am not saying that a web2py site is susceptible to CSRF. I
> > meant that a web2py site could be used 'in the process' to perform a
> > request that matches these criteria on another site.
> >
> > I find it weird to click on a link that is going to a legitimate
> > web2py site, and loads this legitimate web2py site, but then redirects
> > to an external site, only after I authenticate. (Based on using
> > authentication).
> >
> > Again, a simple example scenario:
> > ie: I receive a fraudulent email, asking me to update password.. click
> > on it (yes.. first mistake), it redirects me to a legitimate web2py
> > site (I think, maybe the email was not fraudulent?), which on this
> > web2py site after I perform an action, redirects me to another site.
> >
> > I agree that a few items have to fall in place for this abuse to
> > occur. But it still seems that at one point in the process, the user
> > has placed trust in our site, and then our site redirects them
> > elsewhere.
> >
> > If the community believes form submission redirection based on the
> > forms variables is not a threat to our environment (It doesn't present
> > a tangible risk to our site, but I see it as posing a risk to our
> > site's trust, and thus our user's trust) then I'll stop arguing :)
> >
> > Again, thanks!
> >
> > On Nov 23, 10:57 am, mdipierro  wrote:
> >
> > > What you suggest is indeed possible but...
> >
> > > This is not an example of CSRF. CSRF is when a malicious site redirects
> > > the user to a site where the user is already authenticated (a web2py
> > > site) and forces the user to perform an action (for example submit a
> > > form). web2py prevents this by hiding a formkey in forms.
> >
> > > What you suggest is an example of phishing. For the scam to work the
> > > victim would have to:
> > > 1) start from the malicious web site
> > > 2) login with a url provided by the malicious web site
> > > 3) provide credentials to a clone of the original web site.
> >
> > > If a user falls for 1,2,3 there are much easier ways to implement this
> > > scam even if web2py did not provide the next functionality and without
> > > redirecting at all to the web2py site.
> > > I do not believe this kind of phishing can be avoided.
> >
> > > We can have a flag that checks whether _next is on a different domain
> > > but it would not prevent this type of scam, just this particular
> > > implementation.
> >
> > > Massimo
> >
> > > On Nov 23, 10:42 am, Richard G  wrote:
> >
> > > > Howdy all,
> >
> > > > In web2py I've noticed a number of methods in gluon/tools.py that
> > > > utilize client input to determine site flow:
> > > >     if next == DEFAULT:
> > > >         next = request.get_vars._next \
> > > >             or request.post_vars._next \
> > > >             or self.settings.login_next
> >
> > > > and subsequent
> > > >     if next and not next[0] == '/' and next[:4] != 'http':
> > > >         next = self.url(next.replace('[id]', str(form.vars.id)))
> > > >     redirect(next)
> >
> > > > Methods:
> > > >   AUTH: login, register, retrieve_username,
> > > > reset_password_deprecated, reset_password,
> > > > request_reset_password(retrieve_password), change_password, profile,
> >
> > > >   CRUD: update, delete
> >
> > > > To me this seems that a malicious individual can abuse the trust of
> > > > our site to:
> > > > a) trick users into instantiating a CSRF from our site
> > > > b) providing information (credentials?) to a phishing site.
> >
> > > > I'm sure we can all come up with some simple examples to provide
> users
> > > > links that will redirect to a malicious site upon authentication.
> > > > Simple ex: (http://web2py-site/login?_next=http:

[web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread mdipierro
I checked the code and I do not see any counter-indication in adding
this check but one:

If a user were to implement something like OpenID or CAS on top of
Auth, it would not work. What an OpenID provider does (redirect to
another site after login) is exactly what you are trying to prevent.

So there is a tradeoff: is this security measure worth the
restriction?

Massimo


On Nov 23, 12:38 pm, mdipierro  wrote:
> Actually I appreciate you raising this issue and this is a healthy
> discussion.
> Security issues are very important for everybody here so thank you for
> bringing this up.
>
> Although I do not think this is a major issue I agree that it should
> be avoided.
> One way to avoid it is by adding this in one of your models:
>
> if request.controller=='default' and request.function=='user':
>     if request.vars._next and request.vars._next.startswith('http'):
>         del request.vars._next
>
> This will guarantee that only internal URLs can be passed via _next.
> Such mechanism could be made default behavior but I need to check that
> does not break anything.
>
> What do you think? What do other people think?
>
> Massimo
>
> On Nov 23, 11:45 am, Richard G  wrote:
>
> > Sorry, I am not saying that a web2py site is susceptible to CSRF. I
> > meant that a web2py site could be used 'in the process' to perform a
> > request that matches these criteria on another site.
>
> > I find it weird to click on a link that is going to a legitimate
> > web2py site, and loads this legitimate web2py site, but then redirects
> > to an external site, only after I authenticate. (Based on using
> > authentication).
>
> > Again, a simple example scenario:
> > ie: I receive a fraudulent email, asking me to update password.. click
> > on it (yes.. first mistake), it redirects me to a legitimate web2py
> > site (I think, maybe the email was not fraudulent?), which on this
> > web2py site after I perform an action, redirects me to another site.
>
> > I agree that a few items have to fall in place for this abuse to
> > occur. But it still seems that at one point in the process, the user
> > has placed trust in our site, and then our site redirects them
> > elsewhere.
>
> > If the community believes form submission redirection based on the
> > forms variables is not a threat to our environment (It doesn't present
> > a tangible risk to our site, but I see it as posing a risk to our
> > site's trust, and thus our user's trust) then I'll stop arguing :)
>
> > Again, thanks!
>
> > On Nov 23, 10:57 am, mdipierro  wrote:
>
> > > What you suggest is indeed possible but...
>
> > > This is not an example of CSRF. CSRF is when a malicious site redirects
> > > the user to a site where the user is already authenticated (a web2py
> > > site) and forces the user to perform an action (for example submit a
> > > form). web2py prevents this by hiding a formkey in forms.
>
> > > What you suggest is an example of phishing. For the scam to work the
> > > victim would have to:
> > > 1) start from the malicious web site
> > > 2) login with a url provided by the malicious web site
> > > 3) provide credentials to a clone of the original web site.
>
> > > If a user falls for 1,2,3 there are much easier ways to implement this
> > > scam even if web2py did not provide the next functionality and without
> > > redirecting at all to the web2py site.
> > > I do not believe this kind of phishing can be avoided.
>
> > > We can have a flag that checks whether _next is on a different domain
> > > but it would not prevent this type of scam, just this particular
> > > implementation.
>
> > > Massimo
>
> > > On Nov 23, 10:42 am, Richard G  wrote:
>
> > > > Howdy all,
>
> > > > In web2py I've noticed a number of methods in gluon/tools.py that
> > > > utilize client input to determine site flow:
> > > >     if next == DEFAULT:
> > > >         next = request.get_vars._next \
> > > >             or request.post_vars._next \
> > > >             or self.settings.login_next
>
> > > > and subsequent
> > > >     if next and not next[0] == '/' and next[:4] != 'http':
> > > >         next = self.url(next.replace('[id]', str(form.vars.id)))
> > > >     redirect(next)
>
> > > > Methods:
> > > >   AUTH: login, register, retrieve_username,
> > > > reset_password_deprecated, reset_password,
> > > > request_reset_password(retrieve_password), change_password, profile,
>
> > > >   CRUD: update, delete
>
> > > > To me this seems that a malicious individual can abuse the trust of
> > > > our site to:
> > > > a) trick users into instantiating a CSRF from our site
> > > > b) providing information (credentials?) to a phishing site.
>
> > > > I'm sure we can all come up with some simple examples to provide users
> > > > links that will redirect to a malicious site upon authentication.
> > > > Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
> > > > where the secondary site mimics original and identifies that the
> > > > authentication failed, and to reenter id/pw (even though 
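
A stricter form of the `_next` check discussed in this thread, as an added example (not web2py's code and not any poster's): it parses the URL instead of testing the `http` prefix, and takes a host allow-list so that an OpenID/CAS provider can remain a valid redirect target, which addresses the trade-off raised in the message above. The helper names, `own_host`, `trusted_hosts` and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Added illustration; helper names are hypothetical, not web2py API.


def thread_check_strips(target):
    """The check proposed in the thread: _next is dropped only when it
    starts with 'http'."""
    return bool(target) and target.startswith("http")


def safe_next(target, own_host, trusted_hosts=(), default="/"):
    """Return `target` if it is an acceptable redirect destination,
    otherwise `default`.

    Acceptable: a local path rooted at a single "/", or an http(s) URL
    whose host is `own_host` or one of `trusted_hosts` (ports are ignored).
    Bare function names such as "index", which web2py expands with
    self.url(), are deliberately not accepted here.
    """
    if not target or not isinstance(target, str):
        return default
    # Browsers treat "\" like "/" and drop control characters and outer
    # whitespace, so such input is refused rather than normalised.
    if "\\" in target or target != target.strip():
        return default
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. a broken bracketed host
        return default

    if not parts.scheme and not parts.netloc:
        # Relative reference. "//host/..." and "///host" are read by
        # browsers as another host, so only a single leading "/" is local.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default

    if parts.scheme not in ("http", "https"):
        return default  # also covers scheme-relative "//host/path"
    if parts.username is not None or parts.password is not None:
        return default  # userinfo makes the real host easy to misread
    allowed = {own_host.lower()} | {h.lower() for h in trusted_hosts}
    host = (parts.hostname or "").lower()
    return target if host in allowed else default


# Constructed sample values; "web2py-site" and "web2py_site" are the two
# host names used in the thread's example link.
SAMPLES = [
    "/welcome/default/index",
    "http://web2py-site/welcome/default/index",
    "http://web2py_site/login",
    "//web2py_site/login",
    "https://openid.example/auth?return=1",
]


def compare(own_host="web2py-site", trusted_hosts=("openid.example",)):
    """Return (target, stripped_by_thread_check, result_of_safe_next)."""
    return [
        (t, thread_check_strips(t), safe_next(t, own_host, trusted_hosts))
        for t in SAMPLES
    ]


if __name__ == "__main__":
    for target, stripped, result in compare():
        print("%-45s prefix-check strips: %-5s safe_next -> %s"
              % (target, stripped, result))
```

In a model file the returned value would replace `request.vars._next` before Auth runs; `own_host` is best taken from application configuration rather than from the request's Host header, which the client controls.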

[web2py] Re: how do I load a database CSV dump into GAE?

2010-11-23 Thread howesc
correct.  actually the original bulkloader was deprecated a while ago,
and unless i missed something my link above is to the latest
documentation about the bulkloader.  i use it with the automatic
configuration so i have not written the transformers.

cfh

On Nov 22, 4:08 pm, Richard  wrote:
> unfortunately the original Bulkloader was deprecated recently and they
> now use configuration files:
>
> transformers:
> - kind: person
>   connector: csv
>   connector_options:
>   property_map:
>       - property: identifier
>         external_name: Identifier
>
>       - property: name
>         external_name: Name
>
> I learn a lot from studying this: http://bulkloadersample.appspot.com/
>
> On Nov 23, 8:16 am, howesc  wrote:
>
> > Hi there,
>
> > First off, read up on the GAE bulk loader:
> > http://code.google.com/appengine/docs/python/tools/uploadingdata.html
> > i think the newer releases support CSV, though i have not used it for
> > CSV.
>
> > below i'm pasting some old code of mine for uploading and downloading
> > CSV, including fixup of references.  it is specific to my database, so
> > you will need to tweak it.  also, it is a year old and has not been
> > used for close to a year because my dataset quickly grew to larger
> > than could be processed in the 30 second request limit.
>
> > #...@todo requires membership of admin
> > @auth.requires_login()
> > def export():
> >     """
> >     Export the database as a CSV file.  Note that this CSV file format
> >     is particular to web2py and will allow upload via L{replace_db} to
> >     this app running on any database type that web2py supports.
> >     """
> >     s = StringIO.StringIO()
> >     db.export_to_csv_file(s)
> >     response.headers['Content-Type'] = 'text/csv'
> >     response.headers['Content-Disposition']= \
> >         'attachment; filename=rockriver_db_'+str(now)+'.csv'
> >     return s.getvalue()
>
> > #...@todo requires membership of admin
> > @auth.requires_login()
> > def replace_db():
> >     """
> >     Truncate all tables, and replace with data from the uploaded CSV
> >     file.  Note that this is intended to load data from the web2py
> >     formatted csv file as downloaded from L{export}
> >     """
> >     id_map = None
> >     form = FORM(INPUT(_type='file', _name='data'),
> >                 INPUT(_type='submit'))
> >     if form.accepts(request.vars):
> >         for table in db.tables:
> >             db[table].truncate()
> >         id_map = {}
> >         db.import_from_csv_file(form.vars.data.file, id_map=id_map,
> >                                 unique=False)
> >         #...@todo: fix up song media references
> >         songs = db(db.song.id>0).select()
> >         for song in songs:
> >             if not song.media_ids:
> >                 continue
> >             new_media = []
> >             medias = song.media_ids
> >             for m in medias:
> >                 new_media.append(id_map['media_ids'][m])
> >             song.update_record(media_ids = new_media)
> >         #...@todo: fix up recording.media references
> >         recordings = db(db.recording.id>0).select()
> >         for r in recordings:
> >             if not r.media_ids:
> >                 continue
> >             new_media = []
> >             medias = r.media_ids
> >             for m in medias:
> >                 if id_map['media_ids'].has_key(m):
> >                     new_media.append(id_map['media_ids'][m])
> >             r.update_record(media_ids = new_media)
> >         #...@todo: fix up product.elements references
> >         products = db(db.product.id>0).select()
> >         for p in products:
> >             if not p.elements_ids:
> >                 continue
> >             new_song = []
> >             songs = p.elements_ids
> >             for s in songs:
> >                 if id_map['song'].has_key(s):
> >                     new_song.append(id_map['song'][s])
> >             p.update_record(elements_ids = new_song)
> >     return dict(form=form, id_map=id_map)
>
> > good luck!
>
> > christian
>
> > On Nov 21, 5:36 pm, olifante  wrote:
>
> > > Hi everybody,
>
> > > I'm having trouble finding out what is the appropriate way to load
> > > data into a web2py webapp running on GAE. I created a script that
> > > parses some files and inserts data into a local web2py instance using
> > > "web2py -S myapp -M -R myscript.py", but I see no way of doing the
> > > same either for a local GAE instance (running with dev_appserver) or
> > > for a deployed GAE instance.
>
> > > I know that you can export the entire database from a standard web2py
> > > instance using something like this:
>
> > > db.export_to_csv_file(open('somefile.csv', 'wb'))
>
> > > Unfortunately, since you cannot use the web2py shell with GAE, I don't
> > > see how I can import that database dump either into the local GAE
> > > instance or the deployed GAE instance.
>
> > > Can anybody help?
>
>


Re: [web2py] 'this or that' request with a url

2010-11-23 Thread Lorin Rivers
Jonathan,

Sweet! That set me on the right path!

../?foo="something"&bar="something_else"&other="this"&other="that" gives me 
what I want, which is:
request.var['foo']: "something"
request.var['bar']: "something_else"
request.var['bar']: ["this", "that"]




On Nov 23, 2010, at 9:34 , Jonathan Lundell wrote:

> On Nov 23, 2010, at 6:28 AM, Lorin Rivers wrote:
>> 
>> How can I perform an 'OR' request with a url? Or pass a list using a url?
>> 
>> I have 'AND' figured out…
> 
> I'm not quite sure what you're asking here, but I'm guessing that you're 
> interpreting the '&' in a query string as 'and'. But it's not; it's just a 
> separator, punctuation. What you want the handler to do with the arguments is 
> a matter of convention and agreement.
> 
> A somewhat limited way to do it would be to put your operator in args:
> 
> http://domain.com/app/ctlr/fcn/or?item1&item2&item3
> http://domain.com/app/ctlr/fcn/and?item1&item2&item3
> http://domain.com/app/ctlr/fcn/list?item1&item2&item3

-- 
Lorin Rivers
Mosasaur: Killer Technical Marketing 

512/203.3198 (m)




[web2py] How do I submit a patch or addition to Web2Py?

2010-11-23 Thread NuclearDragon
I have a small change I implemented in the requires_login decorator of
Auth, that I wanted to submit for folks to check out, and potentially
be added to Web2Py. How do I go about creating a patch? What format
should it be in? Do I just commit to trunk?

Thanks!


[web2py] Re: How do I submit a patch or addition to Web2Py?

2010-11-23 Thread mdipierro
email me. ;-)

On Nov 23, 2:13 pm, NuclearDragon  wrote:
> I have a small change I implemented in the requires_login decorator of
> Auth, that I wanted to submit for folks to check out, and potentially
> be added to Web2Py. How do I go about creating a patch? What format
> should it be in? Do I just commit to trunk?
>
> Thanks!


[web2py] jqgrid question

2010-11-23 Thread William
I want to display a jqgrid table on the web, I set that the table
shows 20 records as default. And right now I have 23 records in total.
Therefore, its page number should be 2. However, If I don't click the
bottom-right, its page number is always 3, how can I do to correct it?
Thank you for your help.


[web2py] Re: jqgrid question

2010-11-23 Thread mdipierro
are you using plugin_wiki?

On Nov 23, 2:16 pm, William  wrote:
> I want to display a jqgrid table on the web, I set that the table
> shows 20 records as default. And right now I have 23 records in total.
> Therefore, its page number should be 2. However, If I don't click the
> bottom-right, its page number is always 3, how can I do to correct it?
> Thank you for your help.


[web2py] Re: Beginner Auth problem

2010-11-23 Thread mdipierro


On Nov 23, 7:40 am, appydev  wrote:
> Greetings.
>
> I have a problem, I hope you can help me.
>
> I have two models: Teacher, Student. Each with different attributes.
>
> It occurred to me to implement them, linking tables:
>
> db.define_table('teacher',
>                         Field('person', length=64), requires=IS_IN_DB(db,
> 'auth_user.uuid')),
>                          ...
>
> db.define_table('student',
>                         Field('person', length=64), requires=IS_IN_DB(db,
> 'auth_user.uuid')),
>                          ...
>
> Maybe not the best way to do it if they think of a better, please I'd like
> to hear.
>
> The problem is that I want to make a registration form to "Teacher." But
> generating Auth, just fields "auth_user.
>
> How do I include in a form fields auth_user + fields teacher?

Although this can be done, the problem is workflow. When a person
registers, the person cannot decide to be a teacher. Somebody must
appoint the teacher.

I would:
- give the auth_user table a field 'teacher' boolean and default to
false
- have an administrator use appadmin to turn the teacher flag to on
-

db.define_table('teacher',Field('person',db.auth_user,writable=False,readable=False,default=auth.user_id),...)
- add code like:

if auth.user and auth.user.teacher and not \
        db(db.teacher.person==auth.user_id).count():
    redirect(URL('page_to_create_teacher_record'))


Re: [web2py] Re: Suggested patch to DAL

2010-11-23 Thread Phyo Arkar
If you like, you can work on DAL.py, brad.
The new design of DAL.py is gonna be more powerful, and will be a lot more
modular, but it will take some chunk of time so we regard it as low priority.

On Wed, Nov 24, 2010 at 12:26 AM, brad  wrote:

> My mistake, Massimo. Sorry.
>
> On Nov 22, 10:40 pm, mdipierro  wrote:
> > Talking about sql.py or dal.py. dal.py is an experimental rewrite of
> > sql.py. dal.py is not used in web2py. dal.py has not been updated in
> > long time.
> >
> > Massimo
> >
> > On Nov 22, 8:48 pm, Mariano Reingart  wrote:
> >
> >
> >
> >
> >
> >
> >
> > > On Mon, Nov 22, 2010 at 10:27 PM, brad  wrote:
> > > > I tested further and am not sure now about my proposed fix.
> >
> > > > In dal.py, there seem to be two approaches to user-defined primary
> > > > keys:
> >
> > > > One is to assume that only special tables have an
> > > > attribute ._primarykey, and run special case code if hasattr(self,
> > > > "_primarykey"), e.g.:
> >
> > > >if hasattr(self,'_primarykey'):
> > > >rtablename,rfieldname = ref.split('.')
> > > >rtable = self._db[rtablename]
> > > >rfield = rtable[rfieldname]
> > > ># must be PK reference or unique
> > > >if rfieldname in rtable._primarykey or
> > > > rfield.unique:
> >
> > > > The other is to assume all tables have the ._primarykey attribute and
> > > > use it without testing for existence, e.g.:
> >
> > > >if not orderby and tablenames:
> > > >sql_o += ' ORDER BY %s' % ', '.join(['%s.%s'%(t,x) for
> > > > t in tablenames for x in (self.db[t]._primarykey or ['id'])])
> >
> > > > ...which simply won't run if t._primarykey doesn't exist.
> >
> > > > Possible fixes:
> >
> > > > 1. Use defaulted access: self.db[t].get("_primarykey")
> >
> > > > 2. Always set ._primarykey:
> >
> > > >   elif primarykey:
> > > >self._primarykey = primarykey
> > > >new_fields = []
> > > >else:
> > > >new_fields = [ Field('id', 'id') ]
> > > > +   self._primarykey = ["id"]
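Review bot: the added `self._primarykey = ["id"]` in the else branch gives every table the attribute, so the `if hasattr(self,'_primarykey'):` test quoted earlier in this message stops separating keyed tables from ordinary id tables, and the keyed-table branch would run for both. Either change those tests to compare the key against `['id']`, or take option 1 (defaulted access) so that tables without a user-defined key stay unmarked.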
> >
> > > > I haven't spent near enough time in the DAL to know which is best.
> > > > Thoughts?
> >
> > > I think current dal.py approach is wrong, having a distinction on
> > > normal vs keyed tables raises this types of issues, adds unnecessary
> > > complexity to the code and model design, etc.
> >
> > > IIRC Massimo said that assuming autonumeric id as primary keys was a
> > > mistake taken from other frameworks, and it is preventing using NOSQL
> > > and full power of some relational databases.
> >
> > > Also, it makes more difficult to do lazy table definitions, migrations
> > > and fixtures.
> >
> > > There is a thread about this in web2py-developers, maybe you can look
> > > there for further information.
> >
> > > Best regards,
> >
> > > Mariano Reingart
> > > http://www.sistemasagiles.com.ar
> > > http://reingart.blogspot.com
>


[web2py] How could I send a email to every members?

2010-11-23 Thread David Liu
Hi everyone,

Hope this email finds you well. I have a question about how to send an
email to every member?

For example, I have a table named meeting like follows:

db.define_table('meeting',
Field('title', 'string'),
Field('time', 'datetime'),
Field('description', 'text'),
Field('created_on', 'datetime', default=request.now,
writable=False, readable=False),
Field('creaded_by', db.auth_user, default=auth.user_id,
writable=False, readable=False),
Field('modified_on', 'datetime', update=request.now,
default=request.now, writable=False, readable=False),
Field('modified_by', db.auth_user, update=auth.user_id,
default=auth.user_id, writable=False, readable=False),
format='%(title)s')

And in my home page, there is a link where a user can create a meeting
using an action like create_meeting(). When the user clicks this
create_meeting() link, there is a form, and when the user submits the
form, I want to shoot an email to every member in my system to notify
them of this meeting. How could I do that???

Any hint will be appreciated.

Thanks a lot!

David


[web2py] Re: jqgrid question

2010-11-23 Thread William
yes

On Nov 23, 3:41 pm, mdipierro  wrote:
> are you using plugin_wiki?
>
> On Nov 23, 2:16 pm, William  wrote:
> > I want to display a jqgrid table on the web, I set that the table
> > shows 20 records as default. And right now I have 23 records in total.
> > Therefore, its page number should be 2. However, If I don't click the
> > bottom-right, its page number is always 3, how can I do to correct it?
> > Thank you for your help.
>
>


Re: [web2py] Re: Potential site trust abuse with default web2py setting?

2010-11-23 Thread Phyo Arkar
No, it will break other stuff too, which already uses redirection in place.

Just let developers know that doing so will cause a minor trust issue, and
that there is a way to prevent it.

On Wed, Nov 24, 2010 at 1:40 AM, mdipierro  wrote:

> checked the code and I do not see any counter-indication in adding
> this check but one:
>
> If a user were to implement something like OpenID or CAS on top of
> Auth, it would not work. What an OpenID provider does (redirect to
> another side after login) is exactly what you are trying to prevent.
>
> So there is a tradeoff: is this security measure worth the
> restriction?
>
> Massimo
>
>
> On Nov 23, 12:38 pm, mdipierro  wrote:
> > Actually I appreciate you raising this issue and this is a healthy
> > discussion.
> > Security issues are very important for everybody here so thank you for
> > bringing this up.
> >
> > Although I do not think this is a major issue I agree that it should
> > be avoided.
> > One way to avoid it is by adding this in one of your models:
> >
> > if request.controller=='default' and request.function=='user':
> >     if request.vars._next and request.vars._next.startswith('http'):
> >         del request.vars._next
> >
> > This will guarantee that only internal URLs can be passed via _next.
> > Such mechanism could be made default behavior but I need to check that
> > does not break anything.
> >
> > What do you think? What do other people think?
> >
> > Massimo
> >
> > On Nov 23, 11:45 am, Richard G  wrote:
> >
> > > Sorry, I am not saying that a web2py site is susceptible to CSRF. I
> > > meant that a web2py site could be used 'in the process' to perform a
> > > request that match these criteria on another site.
> >
> > > I find it weird to click on a link that is going to a legitimate
> > > web2py site, and loads this legitimate web2py site, but then redirects
> > > to an external site, only after I authenticate. (Based on using
> > > authentication).
> >
> > > Again, a simple example scenario:
> > > ie: I receive a fraudulent email, asking me to update password.. click
> > > on it (yes.. first mistake), it redirects me to a legitimate web2py
> > > site (I think, maybe the email was not fraudulent?), which on this
> > > web2py site after I perform an action, redirects me to another site.
> >
> > > I agree that a few items have to fall in place for this abuse to
> > > occur. But it still seems that at one point in the process, the user
> > > has placed trust in our site, and then our site redirects them
> > > elsewhere.
> >
> > > If the community believes form submission redirection based on the
> > > forms variables is not a threat to our environment (It doesn't present
> > > a tangible risk to our site, but I see it as posing a risk to our
> > > site's trust, and thus our user's trust) then I'll stop arguing :)
> >
> > > Again, thanks!
> >
> > > On Nov 23, 10:57 am, mdipierro  wrote:
> >
> > > > What you suggest is indeed possible but...
> >
> > > > This is not an example of CSRF. CSRF is when a malicious site redirects
> > > > the user to a site where the user is already authenticated (a web2py
> > > > site) and forces the user to perform an action (for example submit a
> > > > form). web2py prevents this by hiding a formkey in forms.
> >
> > > > What you suggest is an example of phishing. For the scam to work the
> > > > victim would have to:
> > > > 1) start from the malicious web site
> > > > 2) login with a url provided by the malicious web site
> > > > 3) provide credentials to a clone of the original web site.
> >
> > > > If a user falls for 1,2,3 there are much easier ways to implement this
> > > > scam even if web2py did not provide the next functionality and without
> > > > redirecting at all to the web2py site.
> > > > I do not believe this kind of phishing can be avoided.
> >
> > > > We can have a flag that checks whether _next is on a different domain
> > > > but it would not prevent this type of scam, just this particular
> > > > implementation.
> >
> > > > Massimo
> >
> > > > On Nov 23, 10:42 am, Richard G  wrote:
> >
> > > > > Howdy all,
> >
> > > > > > In web2py I've noticed a number of methods in gluon/tools.py that
> > > > > > utilize client input to determine site flow:
> > > > > >     if next == DEFAULT:
> > > > > >         next = request.get_vars._next \
> > > > > >             or request.post_vars._next \
> > > > > >             or self.settings.login_next
> >
> > > > > > and subsequent
> > > > > >     if next and not next[0] == '/' and next[:4] != 'http':
> > > > > >         next = self.url(next.replace('[id]', str(form.vars.id)))
> > > > > >     redirect(next)
> >
> > > > > > Methods:
> > > > > >   AUTH: login, register, retrieve_username,
> > > > > > reset_password_deprecated, reset_password,
> > > > > > request_reset_password(retrieve_password), change_password, profile,
> >
> > > > > >   CRUD: update, delete
> >
> > > > > > To me this seems that a malicious individual can abuse the trust of
> > > > > > our site to:
> > > > > a) trick users into instant
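
Added example, not part of the thread and not web2py's own code: the `startswith('http')` test proposed above for `_next`, side by side with a check that parses the value before deciding. The function names, the `trusted_hosts` allow-list (one way to keep the OpenID/CAS case raised in the thread working) and all sample hostnames are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values for _next; every hostname is a placeholder.
SAMPLES = [
    "/myapp/default/index",               # internal rooted path
    "http://other.example/login",         # absolute URL, foreign host
    "//other.example/login",              # scheme-relative URL, foreign host
    "HTTP://other.example/login",         # same as above with upper-case scheme
    "/\\other.example/login",             # backslash that some browsers read as '/'
    "https://sso.example.org/cas/login",  # external identity provider we do trust
    "ftp://other.example/file",           # non-http scheme
]


def prefix_test_keeps(next_url):
    """The model-level test from the thread: _next is deleted only when it
    starts with the lower-case string 'http'. True means _next survives."""
    return not (next_url and next_url.startswith("http"))


def is_allowed_next(next_url, trusted_hosts=()):
    """Accept a rooted local path, or an http(s) URL whose host is listed in
    trusted_hosts (hypothetical allow-list). Bare action names, which the
    Auth code quoted above maps through self.url(), are rejected here."""
    if not isinstance(next_url, str) or not next_url:
        return False
    # Reject whitespace padding, backslashes and control characters up front,
    # because URL parsers and browsers disagree on how to normalise them.
    if next_url != next_url.strip() or any(
        ch == "\\" or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_url
    ):
        return False
    try:
        parts = urlsplit(next_url)
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        # Anything that names a scheme or a host must be explicitly trusted.
        return parts.scheme in ("http", "https") and parts.hostname in trusted_hosts
    # No scheme, no host: require exactly one leading slash.
    return next_url.startswith("/") and not next_url.startswith("//")


def safe_next(next_url, default, trusted_hosts=()):
    """Return next_url when it passes the parsed check, otherwise default."""
    return next_url if is_allowed_next(next_url, trusted_hosts) else default


def compare(samples=SAMPLES, trusted_hosts=("sso.example.org",)):
    """One (value, kept by prefix test, accepted by parsed check) per sample."""
    return [(s, prefix_test_keeps(s), is_allowed_next(s, trusted_hosts))
            for s in samples]


if __name__ == "__main__":
    for value, kept, accepted in compare():
        print(f"{value!r:40} prefix test keeps: {kept!s:5} "
              f"parsed check accepts: {accepted}")
```

The two checks disagree in both directions on these samples: the prefix test keeps the scheme-relative value and drops the trusted identity provider, while the parsed check does the opposite.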

Re: [web2py] How could I send a email to every members?

2010-11-23 Thread Phyo Arkar
Select all members, loop through them and send; it will be very simple.

On Wed, Nov 24, 2010 at 3:58 AM, David Liu  wrote:

> Hi everyone,
>
> Hope this email finds you well. I have a question about how to send a
> email to every members?
>
> For example, I have a table named meeting like follows:
>
> db.define_table('meeting',
>Field('title', 'string'),
>Field('time', 'datetime'),
>Field('description', 'text'),
>Field('created_on', 'datetime', default=request.now,
> writable=False, readable=False),
>Field('creaded_by', db.auth_user, default=auth.user_id,
> writable=False, readable=False),
>Field('modified_on', 'datetime', update=request.now,
> default=request.now, writable=False, readable=False),
>Field('modified_by', db.auth_user, update=auth.user_id,
> default=auth.user_id, writable=False, readable=False),
>format='%(title)s')
>
> And in my home page, there is link where user can create a meeting
> using the action like create_meeting(). When user click this
> create_meeting() link, there is form and when the user submit the
> form, I want to shoot a email to every member in my system to notify
> them this meeting? How could I do that???
>
> Any hint will be appreciated.
>
> Thanks a lot!
>
> David


[web2py] TOP10 list

2010-11-23 Thread Kenneth Lundström

Hello list,

I´m trying to make a TOP10 list but don´t know how :=(

First I select the partners:
    partners = db(db.partners.id > 0).select()

    for partner in partners:
        sales = db(db.sales.partner == partner).select()

        make some calculations and get a value for the customer. Where
do I store this value and how do I sort the list of partners so I get a
TOP10 list?


Somehow this doesn´t feel like a big deal to implement but can´t get 
started.



Kenneth


[web2py] is_in_db error message translation

2010-11-23 Thread Richard Vézina
Hello,

I try this :
db.table1.field1.requires = \
    IS_IN_DB(db, 'othertable.field1', orderby=('field1'),
             error_message=T('value not available'))

But not working...

How may I translate the IS_IN_DB error message?

Should we have an other attribute for IS_IN_DB function?

Richard


Re: [web2py] Re: Beginner Auth problem

2010-11-23 Thread appydev
Thank you very much for your response.

But I still have a doubt:

Is it possible to modify the registration form to insert data into two
tables?

where one of the tables is auth_user.


2010/11/23 mdipierro 

>
>
> On Nov 23, 7:40 am, appydev  wrote:
> > Greetings.
> >
> > I have a problem, I hope you can help me.
> >
> > I have two models: Teacher, Student. Each with different attributes.
> >
> > It occurred to me to implement them, linking tables:
> >
> > db.define_table('teacher',
> > Field('person', length=64), requires=IS_IN_DB(db,
> > 'auth_user.uuid')),
> >  ...
> >
> > db.define_table('student',
> > Field('person', length=64), requires=IS_IN_DB(db,
> > 'auth_user.uuid')),
> >  ...
> >
> > Maybe not the best way to do it if they think of a better, please I'd
> like
> > to hear.
> >
> > The problem is that I want to make a registration form to "Teacher." But
> > generating Auth, just fields "auth_user.
> >
> > How do I include in a form fields auth_user + fields teacher?
>
> Although this can be done the problem is workflow. When a person
> register, the person cannot decide to be a teacher. Somebody must
> appoint the teacher.
>
> I would:
> - give the auth_user table a field 'teacher' boolean and default to
> false
> - have an administrator use appadmin to turn the teacher flag to on
> -
>
> db.define_table('teacher',Field('person',db.auth_user,writable=False,readable=False,default=auth.user_id),...)
> - add code like:
>
> if auth.user and auth.user.teacher but not
> db(db.teacher.person==auth.user_id).count():
>redirect(URL('page_to_create_teacher_record'))
>


[web2py] Re: TOP10 list

2010-11-23 Thread GoldenTiger
I need a bit more information.
Show me your define_table from models, and write an example of a TOP10
list.


On 23 nov, 22:35, Kenneth Lundström 
wrote:
> Hello list,
>
> I´m trying to make a TOP10 list but don´t know how :=(
>
> First I select the partners:
>      partners = db(db.partners.id > 0).select()
>
>      for partner in partners:
>          sales = db(db.sales.partner == partner).select()
>
>          make some calculations and get a value for the customer. Where
> do I store this value and how do I sort the list of partners so I get a
> TOP10 list?
>
> Somehow this doesn´t feel like a big deal to implement but can´t get
> started.
>
> Kenneth


[web2py] Re: Beginner Auth problem

2010-11-23 Thread mdipierro
No. You can make a SQLFORM.factory(table1,table2) but it would do no DB
IO, so after accepts you would have to do some manual work.


On Nov 23, 3:46 pm, appydev  wrote:
> Thank you very much for your response.
>
> But I still have a doubt:
>
> Is it possible to modify the registration form to insert data into two
> tables?
>
> where one of the tables is auth_user.
>
> 2010/11/23 mdipierro 
>
>
>
> > On Nov 23, 7:40 am, appydev  wrote:
> > > Greetings.
>
> > > I have a problem, I hope you can help me.
>
> > > I have two models: Teacher, Student. Each with different attributes.
>
> > > It occurred to me to implement them, linking tables:
>
> > > db.define_table('teacher',
> > >                         Field('person', length=64), requires=IS_IN_DB(db,
> > > 'auth_user.uuid')),
> > >                          ...
>
> > > db.define_table('student',
> > >                         Field('person', length=64), requires=IS_IN_DB(db,
> > > 'auth_user.uuid')),
> > >                          ...
>
> > > Maybe not the best way to do it if they think of a better, please I'd
> > like
> > > to hear.
>
> > > The problem is that I want to make a registration form to "Teacher." But
> > > generating Auth, just fields "auth_user.
>
> > > How do I include in a form fields auth_user + fields teacher?
>
> > Although this can be done the problem is workflow. When a person
> > register, the person cannot decide to be a teacher. Somebody must
> > appoint the teacher.
>
> > I would:
> > - give the auth_user table a field 'teacher' boolean and default to
> > false
> > - have an administrator use appadmin to turn the teacher flag to on
> > -
>
> > db.define_table('teacher',Field('person',db.auth_user,writable=False,readable=False,default=auth.user_id),...)
> > - add code like:
>
> > if auth.user and auth.user.teacher but not
> > db(db.teacher.person==auth.user_id).count():
> >    redirect(URL('page_to_create_teacher_record'))
>
>


Re: [web2py] TOP10 list

2010-11-23 Thread Bruno Rocha
I think you are in need of limitby=(start,end)

partners = db(db.partners.id>0).select(limitby=(0,10))



2010/11/23 Kenneth Lundström 

> Hello list,
>
> I´m trying to make a TOP10 list but don´t know how :=(
>
> First I select the partners:
>partners = db(db.partners.id > 0).select()
>
>for partner in partners:
>sales = db(db.sales.partner == partner).select()
>
>make some calculations and get a value for the customer. Where do I
> store this value and how do I sort the list of partners so I get a TOP10
> list?
>
> Somehow this doesn´t feel like a big deal to implement but can´t get started.
>
>
> Kenneth
>



-- 

Bruno Rocha
http://about.me/rochacbruno/bio


[web2py] Re: Beginner Auth problem

2010-11-23 Thread mr.freeze
This may help:
http://www.web2pyslices.com/main/slices/take_slice/102

On Nov 23, 3:58 pm, mdipierro  wrote:
> No. You can make a SQLFORM.factory(table1,table2) but it would no DB
> IO so after accepts you would have to do some manual work
>
> On Nov 23, 3:46 pm, appydev  wrote:
>
> > Thank you very much for your response.
>
> > But I still have a doubt:
>
> > Is it possible to modify the registration form to insert data into two
> > tables?
>
> > where one of the tables is auth_user.
>
> > 2010/11/23 mdipierro 
>
> > > On Nov 23, 7:40 am, appydev  wrote:
> > > > Greetings.
>
> > > > I have a problem, I hope you can help me.
>
> > > > I have two models: Teacher, Student. Each with different attributes.
>
> > > > It occurred to me to implement them, linking tables:
>
> > > > db.define_table('teacher',
> > > >                         Field('person', length=64), 
> > > > requires=IS_IN_DB(db,
> > > > 'auth_user.uuid')),
> > > >                          ...
>
> > > > db.define_table('student',
> > > >                         Field('person', length=64), 
> > > > requires=IS_IN_DB(db,
> > > > 'auth_user.uuid')),
> > > >                          ...
>
> > > > Maybe not the best way to do it if they think of a better, please I'd
> > > like
> > > > to hear.
>
> > > > The problem is that I want to make a registration form to "Teacher." But
> > > > generating Auth, just fields "auth_user.
>
> > > > How do I include in a form fields auth_user + fields teacher?
>
> > > Although this can be done the problem is workflow. When a person
> > > register, the person cannot decide to be a teacher. Somebody must
> > > appoint the teacher.
>
> > > I would:
> > > - give the auth_user table a field 'teacher' boolean and default to
> > > false
> > > - have an administrator use appadmin to turn the teacher flag to on
> > > -
>
> > > db.define_table('teacher',Field('person',db.auth_user,writable=False,readable=False,default=auth.user_id),...)
> > > - add code like:
>
> > > if auth.user and auth.user.teacher but not
> > > db(db.teacher.person==auth.user_id).count():
> > >    redirect(URL('page_to_create_teacher_record'))
>
>


[web2py] Re: TOP10 list

2010-11-23 Thread Alex
Depending on how complicated the calculation is, you *may* be able
to do the calculation in the DAL.  If it's just a simple sum, you can
use SUM(), then orderby descending the SUM() amount and
limitby=(0,10).

Otherwise, you could always create a sorted List and as you iterate
through each row, keep track of the top 10 largest rows.  Of course,
the first approach may be much easier :)


Re: [web2py] Re: TOP10 list

2010-11-23 Thread Kenneth Lundström
Calculation is a lot more complicated then just a sum. I have to select 
data from 3-4 tables and then do the calculations.


Maybe your second suggestion is the solution.  How would you maintain 
the list so ten biggest rows is on the list and the list stays in 
correct order?



Kenneth


> Depending on how complicated the calculation is, you *may* be able
> to do the calculation in the DAL.  If it's just a simple sum, you can
> use SUM(), then orderby descending the SUM() amount and
> limitby=(0,10).
>
> Otherwise, you could always create a sorted List and as you iterate
> through each row, keep track of the top 10 largest rows.  Of course,
> the first approach may be much easier :)




Re: [web2py] bug in the book or in the code? linkedin instruction

2010-11-23 Thread Michele Comitini
Kuba,

you are right, sadly it does not... ;-)

a solution can be putting a new action similar to the following in the
controller:

@auth.requires_login()
def onlogin_add_permission():
    if not auth.has_permission(auth.user_group(auth.user.id), 'create',
                               'my_table'):
        auth.add_permission(auth.user_group(auth.user.id),'create','my_table')
    redirect(URL(''))


then in the model:

auth.settings.login_next=URL('onlogin_add_permission')


let me know if it works!

mic


2010/11/23 Kuba Kucharski :
>> does the following work for you?
>>
>> 
>>
>> def onlogin_add_permission():
>>  if not auth.has_permission(auth.user_group(form.vars.id), 'create',
>> 'my_table'):
>>      auth.add_permission(auth.user_group(form.vars.id),'create','my_table')
>>
>>
>> auth.settings.login_onaccept = onlogin_add_permission
>
> very weird thing. looks like onlogin_add_permission() is never
> executed. does this work for YOU?
>


[web2py] Re: web2py SSL + Apache + mod_wsgi issues on Ubuntu 8.08 VM machine

2010-11-23 Thread Hybride
> What kind of a problems do you have?

It's the standard "You don't have permission to access /admin/default/
index on this server." I know it's silly, and I've gone through most
of the files available on how to supposedly fix this, but I can't seem
to get it to work.

> You are receiving that warning because your certificate is for domain
> pypy.domain.com but in your configuration you are talking about an
> ip-address.

This is a university computer, so I actually don't have a real domain
name, it's only IP-based (I can't access the domain name through a
browser, but I can access the IP, which is http://147.126.65.92/).
Even if I put the certificate for pypy.domain.com, I come up with the
certificate error. I thought it might be an issue, that's why I posted
it.

On Nov 23, 2:07 am, Kenneth Lundström 
wrote:
> I´d say that warning message in your log is not your problem. It should
> work even if you get those warnings. At least for me it does.
>
> You are receiving that warning because your certificate is for domain
> pypy.domain.com but in your configuration you are talking about an
> ip-address.
>
> What kind of a problems do you have?
>
> Kenneth
>
> > I ran into a problem with setting up SSL too which turned out to be
> > caused by an ssl.conf file that was overriding the web2py.conf
> > settings. I had similar messages in error.log, but as the [warn]
> > indicates, they do not seem to be fatal errors. The errors I found
> > were more like File does not exist.
>


Re: [web2py] Beginner Auth problem

2010-11-23 Thread appydev
Thank you very much for the help.


2010/11/23 appydev 

> Greetings.
>
> I have a problem, I hope you can help me.
>
> I have two models: Teacher, Student. Each with different attributes.
>
> It occurred to me to implement them, linking tables:
>
> db.define_table('teacher',
> Field('person', length=64), requires=IS_IN_DB(db,
> 'auth_user.uuid')),
>  ...
>
> db.define_table('student',
> Field('person', length=64), requires=IS_IN_DB(db,
> 'auth_user.uuid')),
>  ...
>
>
> Maybe not the best way to do it if they think of a better, please I'd like
> to hear.
>
>
> The problem is that I want to make a registration form to "Teacher." But
> generating Auth, just fields "auth_user.
>
> How do I include in a form fields auth_user + fields teacher?
>


[web2py] trying to make auth.settings.login_next more dynamic

2010-11-23 Thread Michele Comitini
Massimo,
to make  the auth.settings.login_next more dynamic could be this a solution?


in the model:

class FunctorFactory(object):
    def __init__(self, f=lambda:None):
        self.function = f
    def __call__(self):
        return self.function()
    def __str__(self):
        return str(self.function())

def login_next_function():
   blah
   blah
   
   return URL(  )

auth.settings.login_next = FunctorFactory(login_next_function)

tnx
mic


Re: [web2py] Re: web2py SSL + Apache + mod_wsgi issues on Ubuntu 8.08 VM machine

2010-11-23 Thread Kenneth Lundström
> It's the standard "You don't have permission to access /admin/default/
> index on this server." I know it's silly, and I've went through most
> of the files available on how to supposedly fix this, but I can't seem
> to get it to work.


You seem to have two different problems. I tried to access address 
http://147.126.65.92/admin and got the "You don't have permission to 
access /admin/default/index on this server." error message, this sounds 
like the admin application is not installed or your webserver is not 
allowed to read the /applications/admin folder. Look at your file 
permissions on /applications folder.


If webserver could access the applications/admin folder you should get a 
"Admin is disabled because insecure channel" messages.



As admin should be accessed via https I tried to access 
https://147.126.65.92/admin but could not get a response from your 
server. Smells like a firewall issue. Port 443 should be open.



Kenneth


> > You are receiving that warning because your certificate is for domain
> > pypy.domain.com but in your configuration you are talking about an
> > ip-address.
>
> This is a university computer, so I actually don't have a real domain
> name, it's only IP-based (I can't access the domain name through a
> browser, but I can access the IP, which is http://147.126.65.92/).
> Even if I put the certificate for pypy.domain.com, I come up with the
> certificate error. I thought it might be an issue, that's why I posted
> it.
>
> On Nov 23, 2:07 am, Kenneth Lundström
> wrote:
> > I´d say that warning message in your log is not your problem. It should
> > work even if you get those warnings. At least for me it does.
> >
> > You are receiving that warning because your certificate is for domain
> > pypy.domain.com but in your configuration you are talking about an
> > ip-address.
> >
> > What kind of a problems do you have?
> >
> > Kenneth
> >
> > > I ran into a problem with setting up SSL too which turned out to be
> > > caused by an ssl.conf file that was overriding the web2py.conf
> > > settings. I had similar messages in error.log, but as the [warn]
> > > indicates, they do not seem to be fatal errors. The errors I found
> > > were more like File does not exist.




Re: [web2py] bug in the book or in the code? linkedin instruction

2010-11-23 Thread Kuba Kucharski
> a solution can be putting a new action similar to the following in the
> controller:
>
> @auth.requires_login()
> def onlogin_add_permission():
>  if not auth.has_permission(auth.user_group(auth.user.id), 'create',
>  'my_table'):
>      auth.add_permission(auth.user_group(auth.user.id),'create','my_table')
>  redirect(URL(''))

> let me know if it works!

thx, now it is working like a charm ;)

one change needed though if someone find this thread later:
>if not auth.has_permission(auth.user_group(auth.user.id), 'create','my_table'):
should be:
>if not auth.has_permission( 'create','my_table',auth.user_group(auth.user.id)):
( http://web2py.com/book/default/chapter/08 )


Re: [web2py] about cron tasks

2010-11-23 Thread António Ramos
Print in a script called by cron does not print to the web2py console.
At least on my Windows machine.
Also I read the book and the examples of cron point to files in the file
system forgetting the application folder.

I think cron tasks should be in the application path and inside cron folder
or other for that purpose. Also in admin there should be available all cron
tasks to be edited by editpad.

Right?


Best regards
António

On 22 November 2010 15:34, António Ramos wrote:

> On my PC it does not print.
> Also, does the path to the script have to include the absolute path?
> Can it be a controller script?
>
>
> Antonio
>
>
> 2010/11/22 Vinicius Assef 
>
> 2010/11/19 António Ramos :
>> > Hello, can cron tasks write output to web2py console?
>>
>> Just use print command.
>>
>
>


[web2py] Development Partnership

2010-11-23 Thread Steve Shepherd
I am looking for a Web2Py developer or team that can work with me on a new
project.
The application is a Saas service that charges customers monthly so I am
happy to give a % of ownership for working on the project.
Would also look at hourly rate but this will depend on your experience and
previous projects.
I have a design doc and am working on wireframes for the screen design.
Also there is a lot of API and Cron work.
If you have a graphics person this would help with the look.


[web2py] Re: trying to make auth.settings.login_next more dynamic

2010-11-23 Thread mdipierro
what is the problem you are trying to solve?

On Nov 23, 4:41 pm, Michele Comitini 
wrote:
> Massimo,
> to make  the auth.settings.login_next more dynamic could be this a solution?
>
> in the model:
>
> class FunctorFactory(object):
>     def __init__(self, f=lambda:None):
>         self.function = f
>     def __call__(self):
>         return self.function()
>     def __str__(self):
>         return str(self.function())
>
> def login_next_function():
>    blah
>    blah
>    
>    return URL(  )
>
> auth.settings.login_next = FunctorFactory(login_next_function)
>
> tnx
> mic


[web2py] Re: Development Partnership

2010-11-23 Thread mdipierro
You may want to look among people who signed up on
experts4solutions.com

On Nov 23, 6:26 pm, Steve Shepherd  wrote:
> I am looking for a Web2Py developer or team that can work with me on a new
> project.
> The application is a Saas service that charges customers monthly so I am
> happy to give a % of ownership for working on the project.
> Would also look at hourly rate but this will depend on your experience and
> previous projects.
> I have a design doc and am working on wireframes for the screen design.
> Also there is a lot of API and Cron work.
> If you have a graphics person this would help with the look.


[web2py] Re: very long wait for http://127.0.0.1:8000/ on IE and Firefox browsers

2010-11-23 Thread Timbo
Rocket is not dead but I did take several months off due to injury and
a job change.  I'm actually working on 1.2 which should see some
performance improvements on Windows.

I'll go download a copy of web2py and report back.

-tim

On Nov 22, 5:25 pm, Phyo Arkar  wrote:
> Hmm rocket server issue again..?
>
> also what I see is Rocket server is not updated for very long, Massimo, is
> Rocket still in development or dead? I don't see any development updates
> there..
>
> On Tue, Nov 23, 2010 at 5:04 AM, Kuba Kucharski 
> wrote:
>
> > Just a hypothesis, I've seen the issue you are describing many times.
> > It always disappears when I move from Rocket to Apache/WSGI. It seems
> > to me that it got smth to do with handling static files.
>
> > --
> > Kuba


[web2py] Re: very long wait for http://127.0.0.1:8000/ on IE and Firefox browsers

2010-11-23 Thread Timbo
Set numthreads=0 in your options.py.  See if you still see this
behavior.

-tim

On Nov 23, 7:03 pm, Timbo  wrote:
> Rocket is not dead but I did take several months off due to injury and
> a job change.  I'm actually working on 1.2 which should see some
> performance improvements on Windows.
>
> I'll go download a copy of web2py and report back.
>
> -tim
>
> On Nov 22, 5:25 pm, Phyo Arkar  wrote:
>
> > Hmm rocket server issue again..?
>
> > also what I see is Rocket server is not updated for very long, Massimo, is
> > Rocket still in development or dead? I don't see any development updates
> > there..
>
> > On Tue, Nov 23, 2010 at 5:04 AM, Kuba Kucharski 
> > wrote:
>
> > > Just a hypothesis, I've seen the issue you are describing many times.
> > > It always disappears when I move from Rocket to Apache/WSGI. It seems
> > > to me that it got smth to do with handling static files.
>
> > > --
> > > Kuba


Re: [web2py] Re: trying to make auth.settings.login_next more dynamic

2010-11-23 Thread Michele Comitini
for one multiple login types, without using RXP

2010/11/24 mdipierro :
> what is the problem you are trying to solve?
>
> On Nov 23, 4:41 pm, Michele Comitini 
> wrote:
>> Massimo,
>> to make  the auth.settings.login_next more dynamic could be this a solution?
>>
>> in the model:
>>
>> class FunctorFactory(object):
>>     def __init__(self, f=lambda:None):
>>         self.function = f
>>     def __call__(self):
>>         return self.function()
>>     def __str__(self):
>>         return str(self.function())
>>
>> def login_next_function():
>>    blah
>>    blah
>>    
>>    return URL(  )
>>
>> auth.settings.login_next = FunctorFactory(login_next_function)
>>
>> tnx
>> mic


Re: [web2py] Re: Development Partnership

2010-11-23 Thread Steve Shepherd
Thanks Massimo... by the way I haven't been back to web2py for a while as I
had a role that didn't require development.
You and the team have made amazing advances. This is a stellar product with
support beyond belief compared to the old days of Borland and Microsoft.
I am a closet Foxpro programmer and it was never the same after Microsoft
bought it so PLEASE don't sell out to them LOL

On 24 November 2010 14:02, mdipierro  wrote:

> You may want to look among people who signed up on
> experts4solutions.com
>
> On Nov 23, 6:26 pm, Steve Shepherd  wrote:
> > I am looking for a Web2Py developer or team that can work with me on a
> > new project.
> > The application is a Saas service that charges customers monthly so I am
> > happy to give a % of ownership for working on the project.
> > Would also look at hourly rate but this will depend on your experience
> > and previous projects.
> > I have a design doc and am working on wireframes for the screen design.
> > Also there is a lot of API and Cron work.
> > If you have a graphics person this would help with the look.


[web2py] Re: very long wait for http://127.0.0.1:8000/ on IE and Firefox browsers

2010-11-23 Thread Anthony
On Nov 23, 8:10 pm, Timbo  wrote:
> Set numthreads=0 in your options.py.  See if you still see this
> behavior.

options.py is just for running web2py as a Windows service, no? I'm
not running web2py as a Windows service when I observe the problem.

Anthony


Re: [web2py] Re: very long wait for http://127.0.0.1:8000/ on IE and Firefox browsers

2010-11-23 Thread Jonathan Lundell
On Nov 23, 2010, at 5:26 PM, Anthony wrote:
> 
> On Nov 23, 8:10 pm, Timbo  wrote:
>> Set numthreads=0 in your options.py.  See if you still see this
>> behavior.
> 
> options.py is just for running web2py as a Windows service, no? I'm
> not running web2py as a Windows service when I observe the problem.

If you're running from the command line, use --options 0.


[web2py] Re: Creating vars in a URL

2010-11-23 Thread DenesL

Massimo, I have emailed you a patch for this and another smaller
problem.


On Nov 22, 8:23 pm, DenesL  wrote:
> To get a url you should use URL as explained
> in http://web2py.com/book/default/chapter/04#URL
>
> and it should look something like
> URL('reports','export_array_records',vars={'EndTime': '2010-11-08
> 22:00:00', 'String': ['S1', 'S2'], 'StartTime': '2010-11-08
> 21:00:00'}, extension='csv')
>
> but that will create the String part as ['S1','S2'] literally
> String=%5B%27S1%27%2C+%27S2%27%5D
>
> which I think it is neither what you want nor correct,
> but to get it right would require a patch to web2py:
> String='S1'&String='S2'
>
> Denes


[web2py] Re: Development Partnership

2010-11-23 Thread vihang
Steve,

Can you email me the project details. I have a team of web2py
developers at my end.

Vihang

On Nov 24, 6:16 am, Steve Shepherd  wrote:
> Thanks Massimo... by the way I haven't been back to web2py for a while as I
> had a role that didn't require development.
> You and the team have made amazing advances. This is a stellar product with
> support beyond belief compared to the old days of Borland and Microsoft.
> I am a closet Foxpro programmer and it was never the same after Microsoft
> bought it so PLEASE don't sell out to them LOL
>
> On 24 November 2010 14:02, mdipierro  wrote:
>
> > You may want to look among people who signed up on
> > experts4solutions.com
>
> > On Nov 23, 6:26 pm, Steve Shepherd  wrote:
> > > I am looking for a Web2Py developer or team that can work with me on a
> > new
> > > project.
> > > The application is a Saas service that charges customers monthly so I am
> > > happy to give a % of ownership for working on the project.
> > > Would also look at hourly rate but this will depend on your experience
> > and
> > > previous projects.
> > > I have a design doc and am working on wireframes for the screen design.
> > > Also there is a lot of API and Cron work.
> > > If you have a graphics person this would help with the look.


[web2py] Re: Upgrade web2py on webfaction

2010-11-23 Thread JoeCodeswell
Here's how I just upgraded to Version 1.89.5 on webfaction. It seemed
to work.

'wp' is the name of my webFaction-application-directory which
contains:

$ tree -L 2
.
|-- apache2
|   |-- bin
|   |-- conf
|   |-- lib
|   |-- logs
|   `-- modules
|-- bin
|-- htdocs
|   `-- index.py
|-- lib
|   `-- python2.5
|-- web2py
|   |-- ABOUT
|   |-- LICENSE
|   |-- Makefile
|   |-- NEWINSTALL
|   |-- README
|   |-- VERSION
|   |-- __init__.py
|   |-- app.yaml
|   |-- appengine_config.py
|   |-- applications
|   |-- cgihandler.py
|   |-- deposit
|   |-- epydoc.conf
|   |-- epydoc.css
|   |-- fcgihandler.py
|   |-- gaehandler.py
|   |-- gluon
|   |-- httpserver.pid
|   |-- logging.example.conf
|   |-- modpythonhandler.py
|   |-- options_std.py
|   |-- parameters_80.py
|   |-- parameters_8000.py
|   |-- queue.yaml
|   |-- routes.example.py
|   |-- scripts
|   |-- setup_app.py
|   |-- setup_exe.py
|   |-- site-packages
|   |-- splashlogo.gif
|   |-- web2py.py
|   |-- web2py_src_downloaded.zip
|   |-- welcome.w2p
|   `-- wsgihandler.py
`-- web2py_src.zip

16 directories, 31 files

Here are the commands. They seemed to work.
$ cd /home/my_acct/webapps/wp/apache2/bin
$ ./stop

$ cd /home/my_acct/webapps/wp
$ rm web2py_src.zip
$ wget -q http://www.web2py.com/examples/static/web2py_src.zip
$ unzip -q web2py_src.zip
replace web2py/gluon/__init__.py? [y]es, [n]o, [A]ll, [N]one,
[r]ename: A

$ cd /home/my_acct/webapps/wp/apache2/bin
$ ./start

You will need to replace 'my_acct' with your account [login] name, and
'wp' with the name of your webFaction-application-directory to make
this work for you.

All the best,

Joe


On Nov 19, 6:18 am, Bruno Rocha  wrote:
> I did the upgrade by admin 2 times and that broke my system.
>
> Now I am taking advantage of the application feature of webfaction,
> I create a pure new installation of web2py names per example "myapp2" I test
> this app through IP:PORT addr
>
> Copy the applications from old web2py to new.
>
> $cp /webapps/myapp1/web2py/applications/* -R /webapps/myapp2/applications/
>
> Test again by IP:PORT
>
> Go to the admin panel on websites item edit your website pointing '/' to
> myapp2 , and so
>
> That is the safety way I've found in webfaction
>
> 2010/11/19 Johann Spies 
>
> > Thanks Annet and Golden Tiger.
>
> > Regards
> > Johann
>
> > --
> >  May grace and peace be yours in abundance through the full knowledge of
> > God and of Jesus our Lord!  His divine power has given us everything we need
> > for life and godliness through the full knowledge of the one who called us
> > by his own glory and excellence.
> >                                                     2 Pet. 1:2b,3a
>
> --
>
> Bruno Rocha http://about.me/rochacbruno/bio


[web2py] Re: your assignment freelancer.org

2010-11-23 Thread Richard
Is this appropriate for the web2py mailing list? Many students cheat
on assignments.


On Nov 19, 6:50 pm, mdipierro  wrote:
> This looks like somebody's homework assignment
>
> http://www.i-freelancer.org/php/python-expert-for-a-small-assignment-...
>
> Massimo


Re: [web2py] Re: Development Partnership

2010-11-23 Thread Steve Shepherd
Vihang

I need to see some examples of work?

Are you interested in % share type of development?

I will need an NDA signed before showing you all the details.

Steve

On 24 November 2010 16:13, vihang  wrote:

> Steve,
>
> Can you email me the project details. I have a team of web2py
> developers at my end.
>
> Vihang
>
> On Nov 24, 6:16 am, Steve Shepherd  wrote:
> > Thanks Massimo... by the way I haven't been back to web2py for a while as
> > I had a role that didn't require development.
> > You and the team have made amazing advances. This is a stellar product
> > with support beyond belief compared to the old days of Borland and Microsoft.
> > I am a closet Foxpro programmer and it was never the same after Microsoft
> > bought it so PLEASE don't sell out to them LOL
> >
> > On 24 November 2010 14:02, mdipierro  wrote:
> >
> > > You may want to look among people who signed up on
> > > experts4solutions.com
> >
> > > On Nov 23, 6:26 pm, Steve Shepherd  wrote:
> > > > I am looking for a Web2Py developer or team that can work with me on
> > > > a new project.
> > > > The application is a Saas service that charges customers monthly so I
> > > > am happy to give a % of ownership for working on the project.
> > > > Would also look at hourly rate but this will depend on your
> > > > experience and previous projects.
> > > > I have a design doc and am working on wireframes for the screen
> > > > design.
> > > > Also there is a lot of API and Cron work.
> > > > If you have a graphics person this would help with the look.


[web2py] Re: Upgrade web2py on webfaction

2010-11-23 Thread GoldenTiger
On 19 nov, 15:18, Bruno Rocha  wrote:
> I did the upgrade by admin 2 times and that broke my system.
>
> Bruno Rocha http://about.me/rochacbruno/bio

do you remember versions that broke it?


Re: [web2py] is_in_db error message translation

2010-11-23 Thread Vinicius Assef
Are you getting some error message?


On Tue, Nov 23, 2010 at 7:43 PM, Richard Vézina
 wrote:
> Hello,
> I try this :
> db.table1.field1.requires=\
>
>  IS_IN_DB(db,'othertable.field1',orderby=('field1'),error_message=T('value
> not available'))
> But not working...
> How may I translate the IS_IN_DB error message?
> Should we have an other attribute for IS_IN_DB function?
> Richard


[web2py] Re: Creating vars in a URL

2010-11-23 Thread mdipierro
uploading to trunk. thanks

On Nov 23, 8:54 pm, DenesL  wrote:
> Massimo, I have emailed you a patch for this and another smaller
> problem.
>
> On Nov 22, 8:23 pm, DenesL  wrote:
>
> > To get a url you should use URL as explained
> > in http://web2py.com/book/default/chapter/04#URL
>
> > and it should look something like
> > URL('reports','export_array_records',vars={'EndTime': '2010-11-08
> > 22:00:00', 'String': ['S1', 'S2'], 'StartTime': '2010-11-08
> > 21:00:00'}, extension='csv')
>
> > but that will create the String part as ['S1','S2'] literally
> > String=%5B%27S1%27%2C+%27S2%27%5D
>
> > which I think it is neither what you want nor correct,
> > but to get it right would require a patch to web2py:
> > String='S1'&String='S2'
>
> > Denes
>
>

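The two query-string forms DenesL describes in the quoted message, reproduced with Python 3's standard urllib.parse as an added example: this is not web2py's URL helper and not code from the thread. The function names and the round-trip check are assumptions made for illustration, and the vars dict is a constructed copy of the one quoted above.

```python
from urllib.parse import urlencode, parse_qs

# Constructed sample: the vars dict from the quoted URL(...) call.
QUERY_VARS = {
    "EndTime": "2010-11-08 22:00:00",
    "String": ["S1", "S2"],
    "StartTime": "2010-11-08 21:00:00",
}


def encode_literal(query_vars):
    """Encode every value via str(); a list is sent as its Python repr."""
    return urlencode(query_vars)


def encode_repeated(query_vars):
    """Encode each element of a list value as its own key=value pair."""
    return urlencode(query_vars, doseq=True)


def received(query_string):
    """What a standard query-string parser hands to the receiving code."""
    return parse_qs(query_string)


def round_trips(query_vars, encoder):
    """True if decoding the encoded query gives back every original value."""
    # parse_qs always returns lists, so wrap scalar values for comparison.
    expected = {
        key: value if isinstance(value, list) else [value]
        for key, value in query_vars.items()
    }
    return received(encoder(query_vars)) == expected


if __name__ == "__main__":
    for encoder in (encode_literal, encode_repeated):
        query = encoder(QUERY_VARS)
        print(encoder.__name__, "->", query)
        print("  String seen by receiver:", received(query)["String"])
        print("  round trip intact:", round_trips(QUERY_VARS, encoder))
```

With the literal form the receiver gets one string holding the list's repr and has to parse it itself; with repeated keys it gets the two values back unchanged.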

[web2py] CRUD json/xml/etc not using format

2010-11-23 Thread Kurt Grutzmacher
I'm wondering if this is expected behavior or not with CRUD. Given two
tables:

db.define_table('hash_types',
    Field('htype', 'string', requires=IS_NOT_EMPTY()),
    format='%(htype)s',
)

db.define_table('hashes',
    Field('enchash', required=True, unique=True, label="Encrypted hash"),
    Field('htype', 'reference hash_types', label="Hash type", ),
)

And a CRUD read controller:

def read():
    return dict(hashes=crud.read(db.hashes, request.args(0)))

If I perform a regular request (http://server:8000/app/default/read/1)
then the db.hashes.htype returns the string.

If I request the read.json version (http://server:8000/app/default/read.json/1)
then htype returns the id number, not the string/format:

{"hashes": {"enchash": "string", "htype": 1, "id": 1}}

Is that to be expected?


[web2py] Re: CRUD json/xml/etc not using format

2010-11-23 Thread mdipierro
Yes.

On Nov 23, 10:29 pm, Kurt Grutzmacher  wrote:
> I'm wondering if this is expected behavior or not with CRUD. Given two
> tables:
>
> db.define_table('hash_types',
>     Field('htype', 'string', requires=IS_NOT_EMPTY()),
>     format='%(htype)s',
> )
>
> db.define_table('hashes',
>     Field('enchash', required=True, unique=True, label="Encrypted
> hash"),
>     Field('htype', 'reference hash_types', label="Hash type", ),
> )
>
> And a CRUD read controller:
>
> def read():
>     return dict(hashes=crud.read(db.hashes, request.args(0)))
>
> If I perform a regular request (http://server:8000/app/default/read/1)
> then the db.hashes.htype returns the string.
>
> If I request read.json version (http://server:8000/app/default/
> read.json/1) then htype return the id number, not the string/format:
>
> {"hashes": {"enchash": "string", "htype": 1, "id": 1}}
>
> Is that to be expected?


[web2py] Re: very long wait for http://127.0.0.1:8000/ on IE and Firefox browsers

2010-11-23 Thread Anthony
On Nov 23, 9:26 pm, Jonathan Lundell  wrote:
> > On Nov 23, 8:10 pm, Timbo  wrote:
> >> Set numthreads=0 in your options.py.  See if you still see this
> >> behavior.
>
> > options.py is just for running web2py as a Windows service, no? I'm
> > not running web2py as a Windows service when I observe the problem.
>
> If you're running from the command line, use --options 0.

Do you mean use the -n command line option to set numthreads to 0,
e.g.:

   python web2py.py -a password -i 127.0.0.1 -p 8000 -n 0

I tried this, but in that case, I can't get 127.0.0.1:8000 to load at
all (it just hangs indefinitely).

Anthony


[web2py] Getting AttributeError:EXISTS instance has no __call__ method when deploying to AppEngine from Admin Console

2010-11-23 Thread Narendran
Hello Web2Py,
I'm now just trying out Web2py 1.85.1, and learning to deploy my apps
on Google AppEngine. I'm able to deploy my web2py app successfully by
running appcfg.py from command prompt, but if I try to do the same
from admin console using "Deploy on Google App Engine" feature, I keep
getting the following error:
***
Traceback (most recent call last):
  File "/usr/lib/web2py/gluon/restricted.py", line 188, in restricted
exec ccode in environment
  File "/usr/lib/web2py/applications/admin/controllers/gae.py", line
81, in 
  File "/usr/lib/web2py/gluon/globals.py", line 96, in 
self._caller = lambda f: f()
  File "/usr/lib/web2py/applications/admin/controllers/gae.py", line
41, in deploy
if form.accepts(request,session):
  File "/usr/lib/web2py/gluon/sqlhtml.py", line 999, in accepts
hideerror=hideerror,
  File "/usr/lib/web2py/gluon/html.py", line 1557, in accepts
status = self._traverse(status,hideerror)
  File "/usr/lib/web2py/gluon/html.py", line 558, in _traverse
newstatus = c._traverse(status,hideerror) and newstatus
  File "/usr/lib/web2py/gluon/html.py", line 558, in _traverse
newstatus = c._traverse(status,hideerror) and newstatus
  File "/usr/lib/web2py/gluon/html.py", line 558, in _traverse
newstatus = c._traverse(status,hideerror) and newstatus
  File "/usr/lib/web2py/gluon/html.py", line 558, in _traverse
newstatus = c._traverse(status,hideerror) and newstatus
  File "/usr/lib/web2py/gluon/html.py", line 565, in _traverse
newstatus = self._validate()
  File "/usr/lib/web2py/gluon/html.py", line 1336, in _validate
(value, errors) = validator(value)
AttributeError: EXISTS instance has no __call__ method
***

I've tried including appengine directory to python path and it doesn't
help. Could someone help me on this?

--
Thanks
Narendran

PS: I see that the password textbox in the deployment form is actually
a text field. I think it should be changed to password field.


[web2py] web2py.gluon.html.XML allowing relative urls

2010-11-23 Thread Jlew
I noticed that the XML module does not allow relative URLs when
sanitize is set to true.  I would think that local urls would be
helpful to allow as the web2py URL function produces relative urls.
It would only make sense to allow relative links. I found a case where
html links generated from url function and stored in the db would
later be removed when passed through an XML with sanitize on.

Searching into the issue I found that this is because the XssCleaner
in web2py.gluon.sanitizer has a method url_is_acceptable which only
allows absolute urls.

Here is a patch that allows relative urls.

diff --git a/gluon/sanitizer.py b/gluon/sanitizer.py
--- a/gluon/sanitizer.py
+++ b/gluon/sanitizer.py
@@ -151,11 +151,12 @@

 def url_is_acceptable(self, url):
 """
-Requires all URLs to be \"absolute.\"
+Accepts relative and absolute urls
 """

 parsed = urlparse(url)
-return parsed[0] in self.allowed_schemes and '.' in parsed[1]
+return (parsed[0] in ['http', 'https', 'ftp'] and '.' in
parsed[1]) \
+or (parsed[0] == '' and parsed[2][0:1]=='/')

 def strip(self, rawstring, escape=True):
 """

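Review bot: in the new return expression of url_is_acceptable, the relative branch "parsed[0] == '' and parsed[2][0:1]=='/'" never looks at parsed[1], so a scheme-less URL that still carries a host (the "//host/path" form) is accepted without even the '.' check the absolute branch applies. Add "parsed[1] == ''" to that branch so only same-site paths pass. The absolute branch also swaps self.allowed_schemes for a hard-coded ['http', 'https', 'ftp'], which silently ignores whatever schemes the caller configured on the cleaner; keep self.allowed_schemes there. The new docstring says relative URLs are accepted, but only paths that start with '/' are, so either say "root-relative" or handle paths such as static/x.png explicitly.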
