Thursday, December 31, 2009

How to find the latest Plone release

The versions of Plone listed on aren't always up-to-date. This is because it's updated only when the complete installer is available.

Us folks who just want to run a buildout can just look at, and add this to the find-links and extends in their buildout. It's just as stable a release.

Tuesday, December 29, 2009

Overriding a view class

I had some trouble overriding one of Plone (4)'s view classes. The tutorial at
were a great help.

The step below should not be needed anymore.,A fix for it has been committed to Plone 4 trunk. You can just use Interface
But the missing step was to subclass the theme marker interface from IDefaultPloneLayer, instead of from zope.interface.Interface

from plone.theme.interfaces import IDefaultPloneLayer

class IPloneInvitePolicy(IDefaultPloneLayer):
""" A marker interface for the theme layer """

Friday, December 18, 2009

The difference between view classes and skin templates, from a security point of view

Did some Googling for this, couldn't figure it out. Found help on the chat:

(03:31:51 PM) khink: So, does anyone else know about if ZCML-registered templates are executed with other permissions than skin templates?
(03:31:56 PM) ender_ left the room (quit: ).
(03:33:02 PM) optilude: khink: templates for views (such as those registered with browser:page) are considered filesystem code
(03:33:08 PM) optilude: so they are not executed in restrictedpython
(03:33:13 PM) optilude: and so you can do whatever you want there
(03:33:19 PM) optilude: they still have a view permission, obviously
(03:33:28 PM) khink: optilude: But permission restrictions should apply, right?
(03:33:39 PM) optilude: khink: what kind of permission restrictions do you mean?
(03:33:59 PM) cbess [] entered the room.
(03:34:17 PM) khink: If I'm Anonymous, i shouldn't be able to see a field (on an AT type) which is protected by a permission, i thought.
(03:34:35 PM) khink: optilude: Permission 'Set own password', that is.
(03:34:37 PM) optilude: mmm
(03:34:45 PM) optilude: khink: you might
(03:34:59 PM) khink: It seems to happen:
(03:35:00 PM) optilude: if the template accesses the data (getWhatever) then sure
(03:35:12 PM) optilude: khink: if you use the AT display widget it may make an explicit permission check
(03:35:25 PM) optilude: but basically, you can do context/getFoo with impunity
(03:35:34 PM) khink: But the same template in the skins folder does not show the field.
(03:35:44 PM) khink: That surprised me.
(03:36:09 PM) optilude: khink: because in a skin script, whenever you do traversal, zope does security
(03:36:22 PM) optilude: in filesystem code, there's no such check
(03:37:10 PM) khink: optilude: So in fact, fs code renders permissions defined on individual fields useless?
(03:37:40 PM) optilude: no
(03:37:48 PM) optilude: they still work
(03:38:00 PM) optilude: they still stop someone from going http://mysite/foo/bar/getPassword
(03:38:11 PM) khink: optilude: true
(03:38:14 PM) optilude: or someone with ZMI access from writing a script/template TTW that accesses stuff they shouldn't
(03:38:30 PM) optilude: the zope security model is that if you have filesystem access, you're not subjected to the sandbox
(03:38:42 PM) optilude: ZCML-registered browser views (with templates or not) are filesystem code
(03:38:44 PM) optilude: you can't make them through the web
(03:39:08 PM) optilude: so you can also do things in there that you can't do in a TTW template, e.g. use the re module or access a variable starting with an underscore
(03:39:17 PM) optilude: and, importantly, you can do this:
(03:39:29 PM) optilude: tal:condition="checkPermission('Read foo', context)"
(03:39:30 PM) optilude: right
(03:39:33 PM) optilude: or do that in a view class
(03:39:36 PM) FinnArild: I have said it before, and I will say it again: I just LOVE zsyncer.
(03:39:39 PM) khink: optilude: Yes, i see the advantage of that.
(03:39:52 PM) optilude: FinnArild: blog about it
(03:39:54 PM) optilude: people don't know about it
(03:39:56 PM) khink: optilude: Thanks for explaining!

Bottom line: anyone who is allowed to use the view gets access to the data it renders. (Of course, this also means that permissions for individual fields are not checked.) So you can't rely on any pre-defined security or permission settings.

Saturday, December 5, 2009

Plone as a DMS

In order to use Plone as a Document Management System, you'll want Plone to be accessible through the desktop. Users won't want do download a file from the website.

On Windows, Enfold Desktop is a nice solution, it blends in with your Folder and Network browsing. On Linux and Mac it can be accomplished with WebDav (which is available on Windows XP and 2003 Server, but ED is much nicer).

Zope has to be configured as a WebDav server. Add this to your buildout:

zope-conf-additional =
enable-ms-author-via on

address 8484
force-connection-close off

See for more on Webdav and see for details about configuring your Zope's settings.

When testing WebDav locally, i found that going to localhost doesn't get me anywhere: i need to specify an IP (

Changed documents are uploaded immediately. "Page" types are shown in the WebDav folder as ".html" files, but they're really just text files with an HTML part in it, so they're not easily editable for users.