Plone
This is here to serve as contents for the atom/rss feed for Plone, also read by planet.plone.org.
Lightning talks Thursday
Lightning talks during the Plone Conference 2012.
Lightning talks on Thursday during the Plone conference 2012.
Mikko Ohtomaa
Python Finland is in two weeks. Registration today. Come to me.
Balász Reé - SlickGrid Touch
Making a complex Javascript table widget work on mobile devices. Older Javascript widget often do not work on touch devices. How can we make it feel like a touch application? You may need to support lots of different gestures.
https://github.com/mleidman/SlickGrid
Look for the fastbreak application made by Paul Everitt.
Maurizio Delmonte - Project management
Project management application. ScrumDo. Based on Django, integration in Plone is hard. We created something based on ScrumDo. It is a friend of xm (eXtremeManagement tool). Dexterity based. Come talk to us, especially Simone and Giorgio who have built it.
Armin Stross-Radschinski - brochures
We created a Python Software Foundation Python Brochure. We did several professional brochures for Zope and Plone and now also Python. You can order them from us. Very nice to give to customers considering Python or for recruiting new developers to make them curious for Python. Some advertisement space is still available.
Elizabeth Leddy - log files
Fixing systems that are bad, clogged up. Start hunting for log files. Where are they. You have the var/log directory in your buildout. Try locate *.log. The Z2.log will give you valuable information for caching. It tells you which requests really end up at your Zope instance. Also look in /var/log, for example fail.log and messages, auth.log (who is trying to login to your computer). Search your system admin if you are not sure or want to find more logs. Or get me to help you.
Martijn Faassen - Crom
crom is zope.component redone. zope.component has an ancient, crufty API. crom is modern, fit for 2012, and backwards incompatible:
IFoo(a) IFoo(a, b) IFoo(a, default=default) IFoo.component(a)
See https://github.com/faassen/crom and also https://github.com/faassen/grokker (martian-rewrite).
Manabu Terada - Fuzzy search on Plone
PyCon Jp chairman. On an intranet you cannot use Google, but you want the same suggestions when searching. I want to use fuzzy search. Use c2.search.fuzzy. Search for 'foundasion' and it wil say 'did you mean foundation?' It also works in Japanese (use MeCab). It uses the Levenshtein distance and an Automata system.
Philipp Bauer- noticeboard
http://corkboard.me reimplemented in Plone for a client. Improvement ideas: let me know.
Code: https://github.com/starzel/collective.noticeboard (we want to move it to the Plone collective in November)
Lars van de Kerkhof - Post-install hook for virtualenv
Makes the bin directory of your buildout end up in your path and gets bash completion for it.
https://github.com/specialunderwear/buildout-bash-completion
Wolfgang Thomans - Migration success story
460 GB of data in Oracle. Problems with the data. With some regular expressions we cleaned up. 130 GB of binary data left. Put it in a sane data structure with only the relevant data. Add transmogrifier to the mix. We created stub objects in the database. We moved the blob files to the correct location in the blobstorage. We got it done in time.
Jamie Lentin - diazo errors
Diazo theme, grab it from the internet, change stuff, grab a beer, refresh, and oh there is no content. No idea. Look at the rules file. Nice if that would be colored to show what was wrong. It works, but I am still working on it. Join me.
Tom Gross - webassets
Always looking to speed up Plone. Sometimes you can avoid Plone, partly. Put all resources on the filesystem and use webassets to let it get hosted via nginx. It also supports SASS.
Eric Brehault - Resurrectio
Chrome extension recording a sequence of browser actions to create a test script. Exporting as CasperJS test file.
Jonass Baumann
Book publishing add-on. Meant for high precision PDF generation. Based on LaTeX and simplelayout. We use it for some clients, for example for financial reports (500 pages), court report (100 pages).
Domen Kozar - Agile, baby!
The way we pay people does not fit the agile way. Some bugs stay open a long time. I launched http://fundhub.org/. You submit a pledge that you want a bug to be fixed, you add bitcoins as payment, a developer fixes the bug and gets the bitcoins. Credit card will also be possible later.
New to Plone? Come talk to Armin and others and we have some questions for you.
Annual members meeting of the Plone Foundation
Annual members meeting Plone Foundation during the Plone Conference 2012.
Annual members meeting Plone Foundation during the Plone conference 2012.
There are seven nominees for the Plone Foundation board and there are seven places, so this year there is no election. The new board is accepted by acclamation. Geir Bækholt, Maurizio Delmonte and Sjoerd van Elferen are stepping down. Carol Ganz, Érico Andrei, Matt Hamilton, Paul Roeland, Steve McMahon, Elizabeth Leddy and Matthew Wilkes are the new board.
The report created by Paul and sent to the membership list are accepted.
Meeting adjourned.
Maurits van Rees - Internationalization in your package
My own talk during the Plone Conference 2012.
See example package and slides at https://github.com/mauritsvanrees/maurits.i18ntalk
Ramon Navarro Bosch, Victor Fernandez de Alba - plone.app.multilingual: Next generation multilingual history
Talk during the Plone Conference 2012.
Ramon Navarro Bosch and Victor Fernandez de Alba talk about plone.app.multilingual: Next generation multilingual history during the Plone conference 2012.
(Sorry, I missed the first part.)
There is no canonical language in plone.app.multilingual.
There support for a neutral root folder.
We have a translation map. Good for the mental sanity of site managers and translators. It show content and its related translations.
We have support for Google Translation Service. This is a paid service.
There is a migration path from LinguaPlone. It is non-destructive: the original information is still there on the content items. Lookup your code for LP dependencies before you migrate.
Some internals. There is an ITranslatable marker interface. Some adapters. We store the relations in a separate catalog. Unified interface for getting and setting the language of an Archetypes and dexterity item.
Now a demo. Works well.
Roadmap:
- XLIFF support
- remove the catalog patch
- support for Iterate
- LinguaPlus/Linguatools have a set of useful tools
- locator translation policy: allow user to decide in which folder a new translation should show up
- translation workflow support
- plone.app.toolbar support
Thanks to a lot of people who helped us!
Code: https://github.com/plone/plone.app.multilingual
Releases: http://pypi.python.org/pypi/plone.app.multilingual
See also: http://pam.iskra.cat
Alan Hoey - Security for product developers
Talk during the Plone Conference 2012.
Alan Hoey talks about security for product developers during the Plone conference 2012.
I'm Alan Hoey. I work for the Code Distillery. I am on the Plone Security team. I will talk about security in your add-on. The Plone core is reasonably secure, with a good track record. Add-ons are usually not audited though. A vast majority of developers probably try to the right thing, but some things may slip through the tracks. This talk is about what happens when you do not pay attention. If you have not thought about it, you may be vulnerable.
What are common vulnerabilities? It can be simple things like ratings on products or pages that get wrong, like getting an average score of 999 out of 5. There can be denial of service attacks. Cross Site Scripting and Cross Site Request Forgery (CSRF). Boxes can be taken over if you don't pay attention.
Why should you care? You don't want those calls from a customer whose server is hacked.
Object publishing in Zope. Zope will publish anything as long as it does not start with an underscore. So use security declarations. If some method is not meant to be published, you can decide not to add a doc string, which will work until someone innocently decides to add a doc string anyway.
Try to look at your code with the mind of an attacker.
Traversal. Look out with importing os as an attacker may be able to traverse to it. Do not use unrestrictedTraverse unless you know what you are doing.
All classes should use ClassSecurityInfo: declarePrivate, declarePublic, declareProtected. There is also ClassSecurityInformation, which is by default closed, but does not work. We should fix it. Monkey patches need security declarations, just like everything else does.
ZMI properties are readable when you can view the object. So not a good place to put API keys. The registry is a nice place: you cannot read it from the web.
The security on BrowserView is very good. If you override the __init__ method and set the context and request, or anything else, you have thrown that security away.
Use plone.protect on all forms that need CSRF protection. Also the postonly attribute.
Acquisition is scary from a security view point. Be aware that a script can be called on any context. It is better to use container instead of context.
Do not give Restricted Python access to untrusted users.
Do not use allow_module. Use ModuleSecurityInfo instead.
Zope Page Templates. Do not use structure if you do not need it.
Deployment. Please do not miss hotfixes. Do not think that you can hide acl_users in Apache and think you are safe.