plone / plone.server Goto Github PK

Seems we're forever troubled by the zope style of naming things..

Right now, we have module level functions that are both camel case and many that are underscore.

I'm inclined to stick with the underscore way so we're more pythonic. I know this is annoying with zope tech since it uses camel case.

Thoughts?

I think we should focus on using more pyramid-like patterns. It will help people feel more familiar with configuring and building applications on top of it.

Some things specifically where I think this applies:

• authentication/authorization, zope.authentication is lacking and I'm not sure it's an interface we want to follow anyways
• do not use zcml
• provide configuration object
• includeme idiom could also be used
• maybe move json api config to decorators?

Any thoughts?

@bloodbare

I think it'd be better for us to use decorators to define endpoints instead of everything in the json file.

What do you think about doing something like this?

@Service(
    for_=IDataBase,
    method='GET',
    permission='plone.GetPortals'
)
async def get(context, request):
    serializer = getMultiAdapter((context, request), ISerializeToJson)
    return serializer()

See https://github.com/plone/plone.server/blob/master/src/plone.server/plone/server/browser.py#L35 and https://github.com/plone/plone.server/blob/master/src/plone.server/plone/server/traversal.py#L411 for details

It seems to be that using permissions correctly should already handle this use-case right? Simply using a permission that plone.Anonymous is granted should be enough?

Or am I missing something here for why this is necessary? Does it have to do with CORS? In any case, I think we should clear this up.

Also, setting this value maybe should be possible with the @configure decorator.

Accessing http://localhost:8080 responds with "401: Unauthorized"...what's the next step?

Right now allowed types is configured with FTI.

Can we change it so we are allowed to provide an IAllowedTypes adapter. This adapter would have two methods, type_allowed(type_id): check if type is allowed and allowed_types(): provide list of allowed types.

Default adapter provided by plone.server would just look at the fti like it's doing now.

However, this would allow addons to provide their own policies. More specifically, I'm looking to provide a policy that allows you to customize allowed type per folder like in Plone right now--we could make this the default as well if you want.

ideas:

• each object stores an additional zope.securitypolicy.securitymap.PersistentSecurityMap record. We should consider storing this data as a simple dictionary on the content object instead. It would save a select query when retrieving the object.
• even more interesting, we do the above, we could query objects based on roles then
• right now, parent obj data is stored with the zoid reference. If it's possible to get the zoid reference for an active object, that would make doing queries inside folders possible. If not, we might want to figure out a way to also store parent_uuid in the newt table as well.
• we might want to consider providing some sort of query interface that makes sense on top of newt. So users aren't interacting with connection.where()

thoughts:

• I'm curious what the performance is...
• if performance is good, we might want to consider making it a requirement and dropping support for traditional ZODB. This has a lot of potential advantages. OOTB, it greatly reduces the need for elastic search with simple applications

I cloned, ran buildout, tried to run bin/server, and got:

Traceback (most recent call last):
  File "bin/server", line 71, in <module>
    import plone.server.server
  File "/Users/davisagli/Plone/plone.server/src/plone.server/plone/server/server.py", line 3, in <module>
    from plone.server.factory import make_app
  File "/Users/davisagli/Plone/plone.server/src/plone.server/plone/server/factory.py", line 15, in <module>
    from plone.server.traversal import TraversalRouter
  File "/Users/davisagli/Plone/plone.server/src/plone.server/plone/server/traversal.py", line 8, in <module>
    from parts.packages.zope.security.checker import selectChecker, \
ImportError: No module named 'parts'

Some step missing from setup instructions?

Since we can't use thread locals, we aren't using setSite and getSite and then getSiteManager will never return the local site manager as well.

However, it can be useful for addons to provide site-specific functionality, adapters, etc.

A way around this limitation is to have every sort of extendable functionality adapter the "request" objects so registered layers is the way you start hooking in custom functionality.

Thoughts?

If it is not considered good and safe to use the local registry, perhaps we should just remove it and no longer register the settings registry on the local components registry.

registry being used in terms confusingly here--hope that all makes sense.

https://github.com/plone/plone.server/blob/master/src/plone.server/plone/server/traversal.py#L214
refers to txn, which isn't started for non-writable requests.
Which results in:

MainThread plone.server.traversal: Not authorized to render operation 4c8af77fe03645d2a14dd2dba64cf8ce
Traceback (most recent call last):
  File "/Users/roelbruggink/Develop/plone/plone.server/src/plone.server/plone/server/traversal.py", line 207, in handler
    view_result = await self.view()
  File "/Users/roelbruggink/Develop/plone/plone.server/src/plone.server/plone/server/security.py", line 80, in check
    raise Unauthorized(obj, name, permission)
zope.security.interfaces.Unauthorized: (<plone.server.api.portal.DefaultGET object at 0x10209a9b0>, '__call__', 'plone.GetPortals')
MainThread        aiohttp.web: Error handling request
Traceback (most recent call last):
  File "/Users/roelbruggink/Develop/plone/plone.server/src/plone.server/plone/server/traversal.py", line 207, in handler
    view_result = await self.view()
  File "/Users/roelbruggink/Develop/plone/plone.server/src/plone.server/plone/server/security.py", line 80, in check
    raise Unauthorized(obj, name, permission)
zope.security.interfaces.Unauthorized: (<plone.server.api.portal.DefaultGET object at 0x10209a9b0>, '__call__', 'plone.GetPortals')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/roelbruggink/.buildout/eggs/aiohttp-1.0.5-py3.5-macosx-10.11-x86_64.egg/aiohttp/server.py", line 261, in start
    yield from self.handle_request(message, payload)
  File "/Users/roelbruggink/.buildout/eggs/aiohttp-1.0.5-py3.5-macosx-10.11-x86_64.egg/aiohttp/web.py", line 88, in handle_request
    resp = yield from handler(request)
  File "/Users/roelbruggink/Develop/plone/plone.server/src/plone.server/plone/server/traversal.py", line 214, in handler
    await sync(request)(txn.abort)
UnboundLocalError: local variable 'txn' referenced before assignment

Locally I can fix this by removing await sync(request)(txn.abort), but I don't know if this is by design?

Shouldn't every request be in a transaction, just in case someone is writing in a GET?

One problem with using json configuration is that we can't have comments.

What does everyone think of pre-processing our json configs for lines that start with "#" and removing them before passing them off to json.loads?