[Grok-dev] security notifications in grokui.admin
uli at gnufix.de
Tue Dec 23 07:09:04 EST 2008
there is now an implementation of the security notifier feature
available in `grokui.admin` trunk (not released yet, of course).
It works as follows:
- on startup it installs (if not done yet) and registers a persistent
SecurityNotifier utility in the root folder (its site manager to be
- By default it is disabled. If it is disabled, no lookups are done.
- A message (viewlet) is displayed on all admin UI pages giving the
current security status fetched by this utility.
- If the `SecurityNotifier` is disabled, the message is something like
``Security notifications are disabled.``.
- The security notifier can be enabled/disabled on the ``server`` page
of the admin UI.
- If the `SecurityNotifier` is enabled, it looks up
http:grok.zope.org/releaseinfo/ for a file named like
and displays its content literally if any. If no such file is found,
nothing is displayed.
Some side notes:
- If enabled, lookups are done not more often than every hour. This way
we make sure, that not every request to the admin UI also leads to a
request to the grok server.
- There is support for setting a different lookup URL. This way you
can maintain a private copy of the grok releaseinfo directory which
is asked instead of the grok site. Might improve privacy.
As messages are not restricted to security stuff, it is also
possible for providers etc. to set up messages for there customers
- I also added support for some 'Info Views' (thanks to Tonis
suggestions) which can easily be retrieved with `curl` and similar
tools. Currently you can get the grok version used in background and
any security notification this way. Just fetch
to get the current grok version used in plain text and
to get the current security notification. Here the same restrictions
apply as above: if the security notifier is disabled, you will only
get 'Security notifications are disabled.' and will have to enable
them manually on the server page. Furthermore real lookups are done
not more often than once every hour. Triggering this view more often
therefore makes no sense.
- The security notifier is looked up from the admin UI by usual
getUtility calls asking for
`grokui.admin.interfaces.ISecurityNotifier`. This means, that you
can also override the standard security notifier and implement your
own if you like. Every notifier that proper implements the interface
is usable by the admin UI.
- Looking up HTTP messages is done using a specialized HTTP handler
that aborts after a connection timeout of two seconds. This way no
serious hangs should occur when working without internet
- Any lookup URL works that is supported by urllib2, which includes
also 'file://...' URLS. This means, that you can even create a
private directory on your server, where you place copies of the
grok.zope.org/releaseinfo messages or your own messages.
- The `SecurityNotifier` keeps a version number, so that it can be
updated automatically in upcoming releases.
- The notifications are fetched and displayed 'as-is'. No format
conversions or special parsing happens.
As you can see, I tried to incorporate some of the suggestions on the
list (many thanks for that) while others are (yet) not implemented.
I am yet undecided about Brandon's suggestion to keep one file for all
versions instead of several files for different versions on the grok
site. If we prefer the 'one-file'-approach, then we should have an
agreement about the format, so that also multiline notifications can be
held in such a file.
Anyway, this is the point where you can give you input.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
Url : http://mail.zope.org/pipermail/grok-dev/attachments/20081223/f8bf9177/attachment.bin
More information about the Grok-dev