This tutorial is intended to be a conversation with newbies to Dabo.  Please
check the Dabo wiki for more information and other tutorials.
 
Let me say what this is not.  It is not a tutorial on Python , installation of
Databases, or the use of SQL.  I have to assume you understand the syntax of
Python and SQL.  And you will follow the install instructions provided by
your favorite database.  I will make an effort not use any thing to advanced
and I'm sure the code will be easy to read even for a laymen.
 
OK let's start with some background.  Dabo's primary goal is to provide an
easy way to create a desktop application and most desktop applications
require persistent data.  In that light Dabo supports several database
engines.  SQLite, MySQL, MS-SQL, FireBird, and my favorite Postgres.
However, Dabo does not provide the actual interfaces to access the database
engines.  The developer is expected to download and install the python
interfaces to the database of choice.  Please check the
http://dabodev.com/wiki/FrontPage for instructions on where to find the
required files.  For example if you are using Postgres you will need
psycopg2.  The wiki provides the link to
http://initd.org/tracker/psycopg/wiki/PsycopgTwo where you will find the
required files.  I highly recommend that you test your setup by connecting
with the database and retrieving some data.  That way you know your setup
works and therefore you would expect Dabo to work too.
 
I know some reader will be thinking that their favorite database is better
than my choice.  I don't disagree nor do I agree.  It's just that I have had
great success with Postgres and it is the database I'm using for this
tutorial.   However, everything thing I'll be showing should apply to any of
the databases supported.  In it's basic form Dabo database support is
agnostic.  But rest assured that Dabo can  support your favorite databases
advance features too.
 
Dabo is a 3 tier framework.  The User Interface, Business Rules, and the
Database.  We will be working with "bizObjects".  What is a 'bizObject" you
ask?  There is a very good explanation on the wiki FAQ –
http://dabodev.com/wiki/FAQs#Bizobj.  I like to think of it in simple terms.
It's the code that allows me to create, save, and delete data using my UI.
The "bizObject" provides validation and understands my data (business
rules?).  A simple but very powerful concept.  So to support the bizObject we
need to supply a few things, a connection to a database, a description of the
table, and any rules we want enforced.
 
The Connection:
 
All the python interfaces Dabo uses are suppose to comply with DB-API 2.0.
That means there is a standard way to access the database.  Here's the link
http://www.python.org/dev/peps/pep-0249/ if you need to check it out.  If you
do read it there is a section on "connection" and you come to realize that
what is passed for the connection parameter is not defined.  It  (the
parameters) depends on what is required by the database engine.  So Dabo
needs you to supply those parameters before it can make a connection to your
database.
 
Right off the bat let me say the easiest way to setup a connection is to use
the "CxnEditor.py" app.  It works and and is a great example of Dabo eating
it's own dog food (CxnEditor was created using Dabo).  I use it for my
projects and if there was a better way - I'd use it.  But it really does not
do much (all the real work is done in the framework).  CxnEditor creates a
XML file that contains the parameters required by the python connection
interface that applies to your database.  Like user name, password, host,
database name or anything else that is needed to allow a database connection.
It makes sense that we will need a connection before we start asking for data
from the database.  But where do you put the code and what does the code look
like.
 
When you are hand coding a form you will create something similar to the
following:
 
class MainForm(dabo.ui.dForm):
 
        def afterInit(self):
                #place some UI code here
 
                self.layout()
 
if __name__ == "__main__":
        app = dabo.dApp()
 
        app.BasePrefKey = "fileTutor"
        app.setAppInfo("appName", "File Tutorial ")
 
        app.MainFormClass = MainForm
 
        app.start()
 
And in the "class MainForm" (our entry point) you will need to add a
method "createBizobjs".  This is where you will add your connection
instructions and add descriptions of bizObjects.  To start we add the
connection information as follows:
 
#this method uses the cnxml file created by CxnEditor
def createBizobjs(self):
        self.Application.addConnectFile("FileName.cnxml")
                # FileName = the name created with the CxnEditor.py
                # This call will actually create the connection if it hasn't already
                # been made. If it has, it returns the existing connection, so that
                # multiple connections aren't used up.
        self.connection = self.Application.getConnectionByName("connectionName")
 
Don't let the two names "FileName.cnxml" and "connectionName" confuse you.
The "connectionName" is the name of the connection within the
file "FileName.cnxml".  It is possible to have more than one connection name
within the same file but that is beyond this tutorial.  So "self.connection"
is the actual connection we will be providing to our bizObjects.  Remember,
that is what really is allowing our program to talk to the database.   When
ever Dabo needs to communicate with the database it uses
the "self.connection" object.
 
For those of you that need to know how to create a "self.connection" without
using the CxnEditor here it is:
 
from dConnectInfo import dConnectInfo
connInterface = dConnectInfo(DbType="Postgres")
connInterface.Host = "192.168.1.201"
connInterface.Database = "DatabaseName"
connInterface.User = "john"
connInterface.PlainTextPassword = "passWord"
 
self.connection = dConnection(connInterface).getConnection()
 
If your database needs more – such as a port address.  Add it – as in
 
connInterface.Port = "5432".
 
But take my advise and use the CxnEditor.  It's easy and it works.  There
maybe some special case where the cnxml file will not meet your needs.  But I
haven't run into it.
 
So our code looks like:
 
class MainForm(dabo.ui.dForm):
 
        def afterInit(self):
                #place some UI code here
 
                self.layout()
 
        def createBizobjs(self):
                self.Application.addConnectFile("FileName.cnxml")
                # FileName = the name created with the CxnEditor.py
                # This call will actually create the connection if it hasn't already
                # been made. If it has, it returns the existing connection, so that
                # multiple connections aren't used up.
                self.connection = self.Application.getConnectionByName("connectionName")
 
if __name__ == "__main__":
        app = dabo.dApp()
 
        app.BasePrefKey = "bizObjTutor"
        app.setAppInfo("appName", "bizObject Tutorial ")
 
        app.MainFormClass = MainForm
 
        app.start()
 
So far we haven't said much.  Only that we need a connection to a database and
the bizObjects use it to communicate with the database.  But without this
information nothing happens and the most powerful Dabo feature is useless.
 
The next installment I'll provide a small form with a UI and we will build our
first bizObject.  Your job will be to insure that you have your favorite
database running and working with python.
 
John Fabiani

 
 
 
JohnF-4 wrote:
>
>
> For those of you that need to know how to create a â€Ã
“self.connection”
> without
> using the CxnEditor here it is:
>
> from dConnectInfo import dConnectInfo
>
 
Should this be:
 
        from dabo.db import dConnectInfo
 
I couldn't get it to work any other way ( I was testing around in ipython ).
I did notice the Wiki has the following though:
 
        from connectInfo import ConnectInfo
        from dConnection import dConnection
 
 
Brian
--
View this message in context: http://www.nabble.com/a-Simple-tutorial-on-
bizObjects%60-tp14258738p14261495.html
Sent from the dabo-users mailing list archive at Nabble.com.
 
 
 

johnf wrote:
(snip...)
> Right off the bat let me say the easiest way to setup a connection is to use
> the â€Ã
“CxnEditor.py” app.  It works and and is a great example of Dabo eating
> it's own dog food (CxnEditor was created using Dabo).  I use it for my
> projects and if there was a better way - I'd use it.  But it really does not
> do much (all the real work is done in the framework).  CxnEditor creates a
> XML file that contains the parameters required by the python connection
> interface that applies to your database.  Like user name, password, host,
> database name or anything else that is needed to allow a database connection.
 
Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
sensitive information (user, password - of course it will be a user with
append/update/delete rights) for anyone to see. My question is, how
would you manage the database security?
 
TIA
 
 
 

On Dec 10, 2007, at 5:50 PM, Ricardo Aráoz wrote:
 
> Hi, so CxnEditor creates a XML file. Now you have in an ASCII file
> your
> sensitive information (user, password - of course it will be a user
> with
> append/update/delete rights) for anyone to see. My question is, how
> would you manage the database security?
 
        First off, the Password is stored in an obscured format. If your
password was the word 'password', it would be stored in the XML as
something like 'V14IA4U54DAEG76V6EG1CX35'. This will stop casual
glances from revealing much.
 
        However, anyone with a copy of Dabo will be able to extract the
original from that, since the tools are all available to everyone.
Therefore, we strongly suggest that you change your app's Crypto
property to your own class; as long as that class has an encrypt()
and a decrypt() method, the app will use that instead of the default
SimpleCrypt that ships with Dabo.
 
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
 
 
 
 

On Monday 10 December 2007 02:50:04 pm Ricardo Aráoz wrote:
> johnf wrote:
> (snip...)
>
> > Right off the bat let me say the easiest way to setup a connection is to
> > use the â€Ã
“CxnEditor.py” app.  It works and and is a great example of Dabo
> > eating it's own dog food (CxnEditor was created using Dabo).  I use it
> > for my projects and if there was a better way - I'd use it.  But it
> > really does not do much (all the real work is done in the framework).
> > CxnEditor creates a XML file that contains the parameters required by the
> > python connection interface that applies to your database.  Like user
> > name, password, host, database name or anything else that is needed to
> > allow a database connection.
>
> Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
> sensitive information (user, password - of course it will be a user with
> append/update/delete rights) for anyone to see. My question is, how
> would you manage the database security?
>
> TIA
 
Currently, there is little real security.  Although the password has
encryption.  However, it is very easy to subclass the login.py routines and
add real security and still use the XML files.  But for the purposes of the
tutorial what CxnEditor provides is enough.
 
But here's a question.   What are you using for database security?  I have
seen ODBC connections that use 'sa' and the same password for everyone that
used the program.  I have seen RSA key fobs that cost a $100.00 for each
seat.  What would you like to see in Dabo?
 
 
 
--
John Fabiani
 
 

On Monday 10 December 2007 01:09:27 pm bsnipes wrote:
> JohnF-4 wrote:
> > For those of you that need to know how to create a â€Ã
“self.connection”
> > without
> > using the CxnEditor here it is:
> >
> > from dConnectInfo import dConnectInfo
>
> Should this be:
>
>         from dabo.db import dConnectInfo
>
> I couldn't get it to work any other way ( I was testing around in ipython
> ). I did notice the Wiki has the following though:
>
>         from connectInfo import ConnectInfo
>         from dConnection import dConnection
>
>
> Brian
 
Good catch.  I believe the later is the preferred way.
--
John Fabiani
 
 

On Dec 10, 2007 4:10 PM, johnf <jfabiani@yolo.com> wrote:
> On Monday 10 December 2007 02:50:04 pm Ricardo Aráoz wrote:
> > johnf wrote:
> > (snip...)
> >
> > > Right off the bat let me say the easiest way to setup a connection is to
> > > use the "CxnEditor.py" app.  It works and and is a great example of Dabo
> > > eating it's own dog food (CxnEditor was created using Dabo).  I use it
> > > for my projects and if there was a better way - I'd use it.  But it
> > > really does not do much (all the real work is done in the framework).
> > > CxnEditor creates a XML file that contains the parameters required by the
> > > python connection interface that applies to your database.  Like user
> > > name, password, host, database name or anything else that is needed to
> > > allow a database connection.
> >
> > Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
> > sensitive information (user, password - of course it will be a user with
> > append/update/delete rights) for anyone to see. My question is, how
> > would you manage the database security?
> >
> > TIA
>
> Currently, there is little real security.  Although the password has
> encryption.  However, it is very easy to subclass the login.py routines and
> add real security and still use the XML files.  But for the purposes of the
> tutorial what CxnEditor provides is enough.
>
> But here's a question.   What are you using for database security?  I have
> seen ODBC connections that use 'sa' and the same password for everyone that
> used the program.  I have seen RSA key fobs that cost a $100.00 for each
> seat.  What would you like to see in Dabo?
 
We have to be very careful with this.  I don't know where the lines
are with ITAR but we (devs in the US) cannot export encryption
technology above a certain standard.  If someone wants to tackle this
feel free, but please send an email to the dev list containing the
specs of the encryption standard before you commit so that we don't do
anything that would be a felony...
 
I wonder if we could hook GnuPG?
 
Cheers,
 
Nate L.
 
 

On Dec 10, 2007, at 6:32 PM, Nate Lowrie wrote:
 
> We have to be very careful with this.  I don't know where the lines
> are with ITAR but we (devs in the US) cannot export encryption
> technology above a certain standard.  If someone wants to tackle this
> feel free, but please send an email to the dev list containing the
> specs of the encryption standard before you commit so that we don't do
> anything that would be a felony...
 
        I don't see a problem with this. We will not be supplying the
encryption, period. We will only be supplying the hooks. It makes no
sense to supply a publicly-available, open-source reversible
encryption, since anyone can download Dabo and decrypt away.
 
        Where we *can* enhance Dabo is to add better support for alternative
database access, such as user-supplied passwords, hardware dongles,
and the like.
 
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
 
 
 
 

On Monday 10 December 2007 03:32:17 pm Nate Lowrie wrote:
> On Dec 10, 2007 4:10 PM, johnf <jfabiani@yolo.com> wrote:
> > On Monday 10 December 2007 02:50:04 pm Ricardo Aráoz wrote:
> > > johnf wrote:
> > > (snip...)
> > >
> > > > Right off the bat let me say the easiest way to setup a connection is
> > > > to use the "CxnEditor.py" app.  It works and and is a great example
> > > > of Dabo eating it's own dog food (CxnEditor was created using Dabo).
> > > > I use it for my projects and if there was a better way - I'd use it.
> > > > But it really does not do much (all the real work is done in the
> > > > framework). CxnEditor creates a XML file that contains the parameters
> > > > required by the python connection interface that applies to your
> > > > database.  Like user name, password, host, database name or anything
> > > > else that is needed to allow a database connection.
> > >
> > > Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
> > > sensitive information (user, password - of course it will be a user
> > > with append/update/delete rights) for anyone to see. My question is,
> > > how would you manage the database security?
> > >
> > > TIA
> >
> > Currently, there is little real security.  Although the password has
> > encryption.  However, it is very easy to subclass the login.py routines
> > and add real security and still use the XML files.  But for the purposes
> > of the tutorial what CxnEditor provides is enough.
> >
> > But here's a question.   What are you using for database security?  I
> > have seen ODBC connections that use 'sa' and the same password for
> > everyone that used the program.  I have seen RSA key fobs that cost a
> > $100.00 for each seat.  What would you like to see in Dabo?
>
> We have to be very careful with this.  I don't know where the lines
> are with ITAR but we (devs in the US) cannot export encryption
> technology above a certain standard.  If someone wants to tackle this
> feel free, but please send an email to the dev list containing the
> specs of the encryption standard before you commit so that we don't do
> anything that would be a felony...
>
> I wonder if we could hook GnuPG?
>
> Cheers,
>
> Nate L.
just .02
I have considered several ways to improve security for Dabo and we might
discuss them in the near future.  But the truth is my client really don't
want security.  What they want is the ability to filter users access to
modules and maybe some tracking.  I have one client I have known for over
twenty years and they refuse to change a twenty year old root password.
 
If you force users to use something other than a pets name or birthday then
they write it down on paper and tape to the monitor.  Private sector - under
100 employees - forget it.
 
 
 
--
John Fabiani
 
 

On Dec 10, 2007 4:40 PM, Ed Leafe <ed@leafe.com> wrote:
> On Dec 10, 2007, at 6:32 PM, Nate Lowrie wrote:
>
> > We have to be very careful with this.  I don't know where the lines
> > are with ITAR but we (devs in the US) cannot export encryption
> > technology above a certain standard.  If someone wants to tackle this
> > feel free, but please send an email to the dev list containing the
> > specs of the encryption standard before you commit so that we don't do
> > anything that would be a felony...
>
>         I don't see a problem with this. We will not be supplying the
> encryption, period. We will only be supplying the hooks. It makes no
> sense to supply a publicly-available, open-source reversible
> encryption, since anyone can download Dabo and decrypt away.
 
Wow...The weakest encryption algorithms have strength in the
algorithm.  The strongest have all of the strength in the key.  DSA
and RSA are published standards free for anyone to download.  You can
decode the message without a key, but it involves factoring a number
with 2^16+ digits into its 2 prime numbers, a task you can't brute
force in a lifetime with all of the computing power in the world.
 
You can supply a publicly available, open-source symmetric cipher, and
have it be strong and unbreakable without the key.  The only problem
is key management.  You could hash the key with a password...
 
Cheers,
 
Nate L.
 
 

Ed Leafe wrote:
> On Dec 10, 2007, at 5:50 PM, Ricardo Aráoz wrote:
>
>> Hi, so CxnEditor creates a XML file. Now you have in an ASCII file
>> your
>> sensitive information (user, password - of course it will be a user
>> with
>> append/update/delete rights) for anyone to see. My question is, how
>> would you manage the database security?
>
>       First off, the Password is stored in an obscured format. If your
> password was the word 'password', it would be stored in the XML as
> something like 'V14IA4U54DAEG76V6EG1CX35'. This will stop casual
> glances from revealing much.
>
 
Cool. Thanks.
 
>       However, anyone with a copy of Dabo will be able to extract the
> original from that, since the tools are all available to everyone.
> Therefore, we strongly suggest that you change your app's Crypto
> property to your own class; as long as that class has an encrypt()
> and a decrypt() method, the app will use that instead of the default
> SimpleCrypt that ships with Dabo.
>
 
Noted.
 
 

johnf wrote:
> On Monday 10 December 2007 02:50:04 pm Ricardo Aráoz wrote:
>> johnf wrote:
>> (snip...)
>>
>>> Right off the bat let me say the easiest way to setup a connection is to
>>> use the â€Ã
“CxnEditor.py” app.  It works and and is a great example of Dabo
>>> eating it's own dog food (CxnEditor was created using Dabo).  I use it
>>> for my projects and if there was a better way - I'd use it.  But it
>>> really does not do much (all the real work is done in the framework).
>>> CxnEditor creates a XML file that contains the parameters required by the
>>> python connection interface that applies to your database.  Like user
>>> name, password, host, database name or anything else that is needed to
>>> allow a database connection.
>> Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
>> sensitive information (user, password - of course it will be a user with
>> append/update/delete rights) for anyone to see. My question is, how
>> would you manage the database security?
>>
>> TIA
>
> Currently, there is little real security.  Although the password has
> encryption.  However, it is very easy to subclass the login.py routines and
> add real security and still use the XML files.  But for the purposes of the
> tutorial what CxnEditor provides is enough.
>
> But here's a question.   What are you using for database security?  I have
> seen ODBC connections that use 'sa' and the same password for everyone that
> used the program.  I have seen RSA key fobs that cost a $100.00 for each
> seat.  What would you like to see in Dabo?
>
 
Was thinking about something that combines a user given password with
"something else" to obtain the DB password, nothing too fancy, though I
guess I would have to find a way to obscure the "something else".
 
 
 
 

On Dec 10, 2007, at 6:51 PM, johnf wrote:
 
> I have considered several ways to improve security for Dabo and we
> might
> discuss them in the near future.  But the truth is my client really
> don't
> want security.
 
        This is the point where many get confused: what the framework needs,
vs. what any particular client needs.
 
        Frameworks have to try to accommodate all (well, nearly all!) client
types. The trick to a good framework is in providing the stuff you
may need, while keeping it from getting in the way if you don't.
 
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
 
 
 
 

On Monday 10 December 2007 04:35:29 pm Ed Leafe wrote:
> Frameworks have to try to accommodate all (well, nearly all!) client ÂÂ
> types. The trick to a good framework is in providing the stuff you ÂÂ
> may need, while keeping it from getting in the way if you don'
 
+1
I just was getting it off my chest.  I have put so many hours into security
only to find my clients bypassing all of it.  It would upset a good nun!
 
--
John Fabiani
 
 

On Dec 10, 2007, at 6:55 PM, Nate Lowrie wrote:
 
> Wow...The weakest encryption algorithms have strength in the
> algorithm.  The strongest have all of the strength in the key.  DSA
> and RSA are published standards free for anyone to download.  You can
> decode the message without a key, but it involves factoring a number
> with 2^16+ digits into its 2 prime numbers, a task you can't brute
> force in a lifetime with all of the computing power in the world.
 
        I understand all that. My point was that security needs are too
individual for us to try to anticipate something that fits everyone.
So in this regard, we've chosen to leave it up to the developer to
provide the correct solution for the problem they are solving. You
can create any encryption class your clients need, and as long as it
exposes encrypt() and decrypt() methods, all it takes is one line to
have your Dabo app use it.
 
-- Ed Leafe
-- http://leafe.com
-- http://dabodev.com
 
 
 
 

Ricardo Aráoz wrote:
> johnf wrote:
> (snip...)
>> Right off the bat let me say the easiest way to setup a connection is to use
>> the â€Ã
“CxnEditor.py” app.  It works and and is a great example of Dabo eating
>> it's own dog food (CxnEditor was created using Dabo).  I use it for my
>> projects and if there was a better way - I'd use it.  But it really does not
>> do much (all the real work is done in the framework).  CxnEditor creates a
>> XML file that contains the parameters required by the python connection
>> interface that applies to your database.  Like user name, password, host,
>> database name or anything else that is needed to allow a database connection.
>
> Hi, so CxnEditor creates a XML file. Now you have in an ASCII file your
> sensitive information (user, password - of course it will be a user with
> append/update/delete rights) for anyone to see. My question is, how
> would you manage the database security?
>
> TIA
 
The password gets stored encrypted.
It's possible to use your own en/decrypt functions.
 
Uwe