plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

Fred van Dijk

plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

I am trying to fix a bug in an add-on where links between objects were stored as UUIDs and, upon
presentation/editing, the objects were fetched using the plone.app.uuid utils (uuidToObject).

The problem is that the editing worked fine for users with the Manager role, but Editors in the
site got an error message on a NoneType. uuidToObject is using a simple catalog(UID=uuid)
search to retrieve the item, but if the referenced content object has an expiry date, None is returned
(except if you're a Manager).

I don't want to mess with security (unrestrictedSearchResults), and I can fix the add-on code by doing
my own UUID search/retrieval, but is there any harm in adding "show_all=1, show_inactive=1" to the
uuidTo* function catalog calls in plone.app.uuid so that expired items will still be fetchable?

I already have the unique identifier and want the object if I'm allowed to get it; filtering on expiration dates at
this low level seems a bit too restrictive and is normally already done in the searchResults catalog functions,
where you expect multiple items to be returned to list/process.

(show_all=1, show_inactive=1 credits go to https://www.fourdigits.nl/blog/listing-expired-plone-content)

With kind regards,

Fred van Dijk
--
Vasteland 78
3011 BN Rotterdam
Tel: +31 (0)10 2959251


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Plone-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/plone-developers
Fred van Dijk

Re: plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

Hi,

To answer my own question: yes, changing this will probably hurt, as existing code is expecting this kind of
filtering to happen and will start listing expired content for anonymous users in listings etc. by looping over
UUIDs and "filtering" with uuidToObject. So it's backwards incompatible for some or many add-ons.

With kind regards,

Fred van Dijk
--
Vasteland 78
3011 BN Rotterdam
Tel: +31 (0)10 2959251

hvelarde

Re: plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

In reply to this post by Fred van Dijk
I think you have two options here:

* use a context manager to assign a different role temporarily
(http://docs.plone.org/external/plone.api/docs/api/env.html)

* ignore the error with a try/except block

It depends on how you want to handle it: if the user can't see some
objects with their current role, do you really want to mess with them anyway?

best regards

johannes raggam

Re: plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

In reply to this post by Fred van Dijk
What if you fix plone.app.uuid and add the ``show_all=False,
show_inactive=False`` parameters to the uuidToObject (and possibly
others?) method signature and pass it to the catalog call?


On Wed, 2015-04-01 at 11:22 +0200, Fred van Dijk wrote:

> Hi,
>
>
> To answer my own question, yes changing this will probably hurt as
> existing code is expecting this kind of
> filtering to happen and will start listing expired content for
> anonymous users in listings etc. by looping over
> uuids and "filtering" with uuidToObject. so it's backwards
> incompatible for some or many add'ons.
Patrick Gerken

Re: plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

On 01.04 17:00, Johannes Raggam wrote:
> What if you fix plone.app.uuid and add the ``show_all=False,
> show_inactive=False`` parameters to the uuidToObject (and possibly
> others?) method signature and pass it to the catalog call?

This is a bad idea. Have you considered the other failure modes?
What about Unauthorized exceptions?

The first problem here is that the failure modes aren't
mentioned in the documentation and probably not tested in the tests.
This is a bug in plone.app.uuid.

Passing multiple flags as an argument is also not a very good idea. As
you mention it already, you plan to pass them on to the catalog.
That means you start to add ties from plone.app.uuid to the catalog.
It could very well happen that during Sorrento or some other sprint we
decide to make it easier to swap out the Catalog for something different.
Then a design decision could be to have an independent UUID catalog, and the
flags don't make sense any more or force us to reimplement catalog-specific
logic.

The way the traverse API handles it sounds like a better approach, there
we have unrestrictedTraverse.

johannes raggam

Re: plone.app.uuid.utils.uuidToObject/URL filters on expired items, necessary?

On Wed, 2015-04-01 at 18:49 +0200, Patrick Gerken wrote:

> On 01.04 17:00, Johannes Raggam wrote:
> > What if you fix plone.app.uuid and add the ``show_all=False,
> > show_inactive=False`` parameters to the uuidToObject (and possibly
> > others?) method signature and pass it to the catalog call?
>
> This is a bad idea. Have you considered the other failure modes?
> What about Unauthorized exceptions?
>
> The first problem here is that the failure modes aren't
> mentioned in the documentation and probably not tested in the tests.
> This is a bug in plone.app.uuid.
What are failure modes?

It would be up to the developer who sets ``show_all`` to true to handle
unauthorized exceptions.

> Passing multiple flags as an argument is also not a very good idea. As
> you mention it already, you plan to pass them on to the catalog.
> That means you start to add ties from plone.app.uuid to the catalog.
> It could very well happen that during Sorrento or some other sprint we
> decide to make it easier to swap out Catalog by something different.
> Then a design decision could be to have independent UUID catalog and the
> flags don't make sense any more or force us to reimplement catalog
> specific logic.

If we plan to replace the catalog, for example with zope.catalog, the
easiest way would be to keep the catalog tool in Plone including its
method signature. I don't think these flags will be obsolete, because we
likely want to support filtering of expired and unauthorized content
with any catalog implementation. Also, no one is using Products.ZCatalog
directly, but the wrapper in CMFPlone, which uses the wrapper in
CMFCore. All those wrappers (at least the ones in CMFPlone) can actually
help us replace the framework behind them.

I have wide open ears to fix the tight coupling to ancient code in
Plone, so I don't want to argue too much against your concerns. But
having no way to bypass the expired content filtering for uuidToObject
sounds a bit weird, for the reasons Fred already mentioned.


>
> The way the traverse API handles it sounds like a better approach, there
> we have unrestrictedTraverse.
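The behaviour Fred describes in the opening post (Manager gets the object, Editor gets None) and the failure-mode handling Patrick and Johannes discuss, as an added example that is not code from plone.app.uuid, CMFPlone or anyone in the thread. It models the catalog tool's searchResults with two separate filters, the allowedRolesAndUsers security filter and the effectiveRange date filter, where only the date filter is lifted by show_inactive or the "Access inactive portal content" permission; the catalog records and the role-to-permission map are constructed sample data, and resolve_reference is a hypothetical add-on-side helper.

```python
from datetime import datetime, timedelta

ACCESS_INACTIVE = "Access inactive portal content"

# Constructed sample data standing in for the portal_catalog: each record has
# a UID, the roles allowed to view it (allowedRolesAndUsers) and an expiry.
NOW = datetime(2015, 4, 1, 12, 0)
CATALOG = [
    {"uid": "uid-live", "allowed": {"Anonymous"}, "expires": None},
    {"uid": "uid-expired", "allowed": {"Anonymous"}, "expires": NOW - timedelta(days=1)},
    {"uid": "uid-private", "allowed": {"Manager"}, "expires": None},
]

# Hypothetical role -> permission map; by default only Manager holds
# "Access inactive portal content", which is why Managers saw expired items.
ROLE_PERMISSIONS = {"Manager": {ACCESS_INACTIVE}, "Editor": set()}


def search_results(user_roles, uid, show_inactive=False):
    """Model of the catalog tool's searchResults for a UID query.

    Two independent filters apply: the allowedRolesAndUsers security filter,
    which always runs, and the effectiveRange date filter, which is skipped
    only when show_inactive is passed or the user holds ACCESS_INACTIVE.
    """
    roles = set(user_roles) | {"Anonymous"}  # every user also matches Anonymous
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    skip_dates = show_inactive or ACCESS_INACTIVE in perms
    hits = []
    for rec in CATALOG:
        if rec["uid"] != uid or not (rec["allowed"] & roles):
            continue  # wrong UID, or the security filter hides it
        if not skip_dates and rec["expires"] is not None and rec["expires"] <= NOW:
            continue  # expired and the caller may not see inactive content
        hits.append(rec)
    return hits


def uuid_to_object(user_roles, uid, show_inactive=False):
    """Mirror of uuidToObject's contract: the first catalog hit, else None."""
    hits = search_results(user_roles, uid, show_inactive=show_inactive)
    return hits[0] if hits else None


def resolve_reference(user_roles, uid):
    """Hypothetical add-on lookup that names the outcome instead of failing on None.

    Returns ("ok", obj), ("expired", None) or ("missing", None). The retry with
    show_inactive=True lifts only the date filter; the security filter still
    applies, so this is not an unrestrictedSearchResults bypass.
    """
    obj = uuid_to_object(user_roles, uid)
    if obj is not None:
        return "ok", obj
    if uuid_to_object(user_roles, uid, show_inactive=True) is not None:
        return "expired", None
    return "missing", None


if __name__ == "__main__":
    for roles in (["Manager"], ["Editor"]):
        for uid in ("uid-live", "uid-expired", "uid-private"):
            print(roles, uid, resolve_reference(roles, uid)[0])
```

Running it shows the Manager resolving all three of its visible items as "ok" while the Editor gets "expired" for the expired item and "missing" for the private one, which is the distinction the add-on needs before touching the result.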