EventRegistration and Plone 2.5?

[michae...@gmail.com]

Just wondering if there are any plans to upgrade the product for Plone
2.5? At the moment it won't install on that platform.

Thanks

[Justizin]

ER has been in bad shape for a while, and IMO a proper solution won't
come around until this project materializes:

http://www.plone.org/products/remember

What's the problem installing on Plone 2.5? I know this worked in
2.1, at least to some extent.

--
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/

"It's all good." -Søren Kierkegaard

[michael nt milne]

Ok, yes it's based on CMFMember :-(

Here's the event log

2006-07-24T10:35:22 ERROR Zope Couldn't install eventregistration
Traceback (most recent call last):
  File "C:\Program Files\Plone 2\Zope\lib\python\OFS\Application.py", line 790, in install_product
    initmethod(context)
  File "C:\Program Files\Plone 2\Data\Products\eventregistration\__init__.py", line 38, in initialize
    import Event
  File "C:\Program Files\Plone 2\Data\Products\eventregistration\Event.py", line 53, in ?
    from Products.EventRegistration.config import PROJECTNAME
ImportError: No module named EventRegistration.config

[Justizin]

no, it's not afaik, but it should have been.. it's massively insecure..

[michael nt milne]

sorry, are you saying that remember should be based on CMFMember and that CMFMember is massively insecure? Any pointers on the traceback?

I've always had big problems with CMFMember. It loses member informationi regularly. They become orphaned items and then are not replaceable. Infuriating and that's only the start of it. Still I know it is open source.

On 7/24/06, Justizin <just...@gmail.com> wrote:

no, it's not afaik, but it should have been.. it's massively insecure..

On 7/24/06, michael nt milne <michae...@gmail.com> wrote:
> Ok, yes it's based on CMFMember :-(
>
> Here's the event log
>
> 2006-07-24T10:35:22 ERROR Zope Couldn't install eventregistration
> Traceback (most recent call last):
>   File "C:\Program Files\Plone
> 2\Zope\lib\python\OFS\Application.py", line 790, in
> install_product
>     initmethod(context)
>   File "C:\Program Files\Plone
> 2\Data\Products\eventregistration\__init__.py", line 38, in
> initialize
>     import Event
>   File "C:\Program Files\Plone
> 2\Data\Products\eventregistration\Event.py", line 53, in ?
>     from Products.EventRegistration.config import
> PROJECTNAME
> ImportError: No module named EventRegistration.config
>
>
> On 7/24/06, Justizin < just...@gmail.com> wrote:
> >
> ER has been in bad shape for a while, and IMO a proper solution won't
> come around until this project materializes:
>
>   http://www.plone.org/products/remember
>

> What's the problem installing on Plone 2.5 ?  I know this worked in

[Justizin]

remember is the new-world CMFMember.

EventRegistration should have originally been based on CMFMember, but
wasn't. EventRegistration is insecure because it allows anyone who
can find the url to your registration to edit it, which is retarded.

Yes, CMFMember sucks ass and is badly maintained. remember, based on
Membrane, uses zope3 technologies and should be more robust. If it
doesn't work better than CMFMember, we're all screwed, as it's due for
inclusion in Plone 3.0 or 3.5.

[michael nt milne]

Can't you put security on the URLs. I take it you mean the admin URLs? I had a similar  problem with CMFQuestions where users could in theory look at surveys submitted and even edit stuff. I was advised to use the ZMI security tabs so that only managers could look at it etc.

Yes I agree about CMFMember. I'm amazed that a better member solution hasn't been provided before now. It was the first thing I looked at in Plone and couldn't believe how long winded it was to even get close to a proper membership solution. I've basically abandoned CMFMember as it's just too buggy and scary and screws up your member data. How do you explain to a client that many of their members have now disappeared? for no reason :-)

--
michael

[Justizin]

On 7/24/06, michael nt milne <michae...@gmail.com> wrote:
> Can't you put security on the URLs. I take it you mean the admin URLs? I had
> a similar problem with CMFQuestions where users could in theory look at
> surveys submitted and even edit stuff. I was advised to use the ZMI security
> tabs so that only managers could look at it etc.

Well.. here's the problem.

* user goes to website and has access, as anonymous, to create registration

* in order to edit the registration, which it would be ludicrous not
to support, they need modify access as anonymous

* thusly, the only security is the obscurity of the url.

> Yes I agree about CMFMember. I'm amazed that a better member solution hasn't
> been provided before now. It was the first thing I looked at in Plone and
> couldn't believe how long winded it was to even get close to a proper
> membership solution. I've basically abandoned CMFMember as it's just too
> buggy and scary and screws up your member data. How do you explain to a
> client that many of their members have now disappeared? for no reason :-)
>

Well, you should be doing backups, but I can certainly relate. I have
a couple of sites which are stuck on CMFMember and they are horribly
broken. I'm very contemptuous of the CMFMember author because of
this.. I feel he has abandoned the project after promoting its' use
throughout the community.

Still, it is posible to use CMFMember if you are careful, and since
EventRegistration doesn't work properly either, it would benefit from
use of CMFMember.

It would also be possible to wrap up the registration process in a
user's first registration without CMFMember, but I have always leaned
towards using what seems to be the community's chosen membership
solution.

Fortunately, though the original author of CMFMember is responsible
for remember, there are a ton of other stakeholders and hopefully some
momentum for maintaining it.

[michael nt milne]

How about once submitted you can't edit your registration? What you could do is email the site support and say you wish to create a new one etc, or ask them to delete your old registration. How do all these blogging products handle anonymous postings? Saying that I use EasyBlog and found that if you created a membership you were able to delete all the comments! It's being fixed.

On 7/24/06, Justizin <just...@gmail.com> wrote:

[Justizin]

Well, that's a major problem for many use cases, including the
original funders of ER and anyone I would conceivably implement ER
for.

You can implement ER that way for your use if you like, but I'd prefer
not to see that functionality removed in ER trunk. I prefer to view
that as a bug or incomplete feature so that not being able to edit
your registration does not become a status quo for the project.

Blogging products do not handle anonymous postings well, and blog
comments are not event registrations. blogging products for plone
generally do not handle anonymous postings at all OOTB.

Yeh I suggest Quills over EasyBlog. It needs a bit of attention but
it doesn't do anything retarded like let anyone who creates a login
delete all comments. ;)

[michael nt milne]

I agree. I'll try and implement some view security on editing registrations until this gets sorted. I think I'd rather go the more secure route just now. I couldn't imagine trying to explain to a client that some anon person could theoretically edit any registration.

Thing is with blogs alot of people like having anon postings. I guess all you need to do is not allow any editing or deletion once the post has been made unless by a site manager. That's easy to do. CoreBlog also had issues along those lines when I tried it - also lost posts. The only thing with Quills is that it's too basic feature wise.

[Justizin]

On 7/24/06, Justizin <just...@gmail.com> wrote:
> On 7/24/06, michael nt milne <michae...@gmail.com> wrote:
> > I agree. I'll try and implement some view security on editing registrations
> > until this gets sorted. I think I'd rather go the more secure route just
> > now. I couldn't imagine trying to explain to a client that some anon person
> > could theoretically edit any registration.

BTW, please put your improvements in a branch and discuss merging to trunk.

[Justizin]

On 7/24/06, michael nt milne <michae...@gmail.com> wrote:
> I agree. I'll try and implement some view security on editing registrations
> until this gets sorted. I think I'd rather go the more secure route just
> now. I couldn't imagine trying to explain to a client that some anon person
> could theoretically edit any registration.

Me either. ;)

A middleground is that you can require site registration first, but
this is too many steps for some people, and I pretty much agree. It
would be most effective to wrap up the site registration in the event
registration, and catch duplicate e-mail addresses to reuse contact
info..

> Thing is with blogs alot of people like having anon postings. I guess all
> you need to do is not allow any editing or deletion once the post has been
> made unless by a site manager. That's easy to do. CoreBlog also had issues
> along those lines when I tried it - also lost posts. The only thing with
> Quills is that it's too basic feature wise.

I didn't say anon postings are a bad idea, I said that they are:

* orthogonal to anon registrations

* not supported OOTB by most plone blogging products

Plone discussions implement the behaviour you describe OOTB, or Out Of
The Box, but that presents some issues - for instance I can't edit my
own posting. Using a Captcha and suggesting that a user sign-up or
log in during the comment process is better. Supporting things like
OpenID would be even better, but although OpenIDEnabled.org or
whatever is running Plone itself, there is still no code release here.

Fact is, however you allow anon postings to a blog, if you aren't
using a captcha it will be spammed, and this causes most people over
time to disable this feature. Furthermore, there is no widely
available aural captcha solution, which makes Captcha an accessibility
issue.

[michael nt milne]

I've found that even using a CAPTCHA, spammers can get round it. At least that was my experience on PHPBB. However that's a lot more well known. The last time I looked, the guys building PloneBoard weren't doing much in the way of spam protection. I think the argument was that Plone was immune :-) Some sort of natural anti-spam aura.

On 7/24/06, Justizin <just...@gmail.com> wrote:

--
michael

[Justizin]

Well, a Captcha by definition can't be gotten around by spammers,
unless the CAPTCHA is broken, which makes it not a captcha. If a
human uses a Captcha to log in, and then manually posts spam, well,
it's not a spambot, it's a real-live spammer person, and there is
*nothing* you can do about this, ever, except to use tactical nuclear
weapons against their native land, which I am not in favor of.

If someone is arguing that plone is immune, that's only because it
doesn't ship with anonymous discussion ability turned on.

Captchas work for basically everyone but PHPBB, from blogger.com to ..
i dunno .. everyone uses them. Last I asked about this being included
in core plone i was told there was a patent dispute of some sort,
which I don't think is quite the case.

furthermore, btw, for discussions, you can get around captcha *and*
spam by requiring that all comments be approved, but I'm not sure
Ploneboard implements this OOTB right now. It certainly should.

[Justizin]

ploneboard author just told me that it supports moderation, probably
in latest version. that's the best solution to comment-spam, but is a
barrier to encouraging active discussion.

[michael nt milne]

Yes, I agree, moderation isn't great. Spammers can get round basic CAPTCHAS as I found on PHPBB. It had a pretty basic CAPTCHA installed. Computers are getting more intelligent :-) I think the argument was that Plone, or sites built with it, wouldn't be a target for spammers due to it's nature, but I kind of think that anyone is a target....

[Justizin]

On 7/24/06, michael nt milne <michae...@gmail.com> wrote:
> Yes, I agree, moderation isn't great. Spammers can get round basic CAPTCHAS
> as I found on PHPBB. It had a pretty basic CAPTCHA installed. Computers are
> getting more intelligent :-) I think the argument was that Plone, or sites
> built with it, wouldn't be a target for spammers due to it's nature, but I
> kind of think that anyone is a target....
>

I'm not sure who made that argument to you, that is not 'the plone
community reasoning'. If you can't comment anonymously, you can't be
spammed, except by anyone who creates an account.

If PHPBB captcha is broken, again, it's not a captcha. As soon as a
captcha is broken it defies the definition of a captcha, because it
can't be used for telling humans and computers apart. ;)

*real* captchas are not breakable. Please don't subject Plone to
assumptions that it will eventually have problems that PHPBB has.
It's a better app, and we try to Do Things Right(tm), and this is
probably why plone is not vulnerable.

moderation is not bad IMO, but you have to decide on the type of site
you want to have. It's not appropriate for some, but it can be a
handy feature. Again, no spam gets through a moderator.

[michael nt milne]

"If PHPBB captcha is broken, again, it's not a captcha.  As soon as a
captcha is broken it defies the definition of a captcha, because it
can't be used for telling humans and computers apart. ;)"

Fair enough. Ok, quasi, psuedo CAPTCHAS then....:-) . Take your point. CAPTCHAS are going to have to get pretty sophisticated and also as you say there are the accessbility issues. Maybe the new national ID cards in the UK should have a changing digital number attached which could be used for online verification. At least then they would be good for something!

[Justizin]

well, captchas are pretty fine now.. show me a phpbb captcha, then
find another one. compare.

explain to me why only the php community is having trouble making
captchas work. ;)