[Zope] ASP vs Zope

Martijn Faassen M.Faassen@vet.uu.nl
Wed, 28 Apr 1999 17:58:12 +0200


Tom Deprez wrote:
 
> First, these q'n :
> 
>  Can ASP be used with Zope. i.e. I suppose Zope can work together with IIS?

ASP can't be mixed with Zope in the sense that you can combine ASP with
Zope directly (as far as i'm aware). Zope can work together with IIS but
then only uses IIS as its webserver (using Persistent CGI).

Of course you can put ASP pages and Zope pages on the same website if
you use IIS, but they can't easily exchange data and such.

> They said that CGI gives to much problems (for every connection a new one
> is started etc)

With normal CGI scripts, each time it's used (for instance if a user
fills in a form or just requests a script generated page) the
interpreter (perl, python, etc) has to be restarted, the script has to
be reloaded, which costs time.

This is however not the biggest problem with CGI scripts. A webserver
such as Apache (and IIS too I think) can be configured so that the
script interpreter and the scripts are kept inside memory, so that the
cost of starting the interpreter and the script is eliminated.

The actual problem with using CGI scripts is that you often need to
combine a lot of separate scripts to do a single web application. This
can get fragile. Also each script tends to invent the wheel by itself
(how to generate HTML, how to handle form data, etc), and each script on
a webserver can do it in a different way. This leads to problems with
maintaining the server. Then there's no integrated security system, so
scripts can lead to security holes.

>   I guess that's why Zope uses a Persistant CGI (if not using ZServer or
> HTTPServer)? Or Is directly working with HTTPServer so that the connection
> keeps on, during the logon of a user?

The web doesn't have this kind of interaction; when you're viewing a
page you'r *not* connected to the webserver at all (ordinarily..there
may be some java that pulls updates from the server once in a while,
etc). Each time you load a page, you connect to the server (or another
server elsewhere on the web) again. The same when you click a button
after you fill in a form. There are ways to make it seem as if you're
'logged onto a server', but what in fact happens is that each time your
web browser sends some identifier (inside the URL or a cookie or
whatever) to the server, and the server remembers which identifier
belongs to which user.
 
> What I find of ASP is that it is quiet easy to understand to get started
> with some objects. But thats perhaps my background is Microsoft.
> 
> But, is it needed? Let's give it a try. See how these things can be done
> with Zope :
> 
> Demo 1:
> 
>  A page displays the time & date 

<!--#var PrincipiaTime fmt="Date"--> 

(there must be some newer Zope way to refer to the current datetime
btw?)

>  and shows a sentence from fontheight 1 to 7.
>  The printing of the sentence is done iterative :
>   I believe <% for iFontSize= 1 to 7
>                     .... %>

In DTML you can do something like:

<!--#in (1, 2, 3, 4, 5, 6, 7)-->
  <font size=<!--#var sequence-item-->>
<!--#/in-->
 
Or however the font size is actually set; it's not really proper HTML
generally.

Note that the (1, 2, 3, 4, 5, 6, 7) is rather verbose; in Python you can
simply do something range(1, 8), which generates a list starting at 1 up
til (but not including) 8. The idea of DTML is that only limited
programming should be done in it, and that for more advanced things you
should use Python (external methods are the easiest way to use Python in
Zope). The idea is that content/layout designers shouldn't put a lot of
code into their document; this should be done somewhere else by a
programmer, in Python. This leads to a way to distribute work; the
layout designer doesn't need to handle a lot of code mixed through his
or her HTML, and the coder doesn't need to wade through a lot of HTML.

ASP as far as I know (I don't know a lot about ASP :) mixes programs
with web pages fully. This can be difficult it's harder to split the job
between the layout designers and the programmers.

That said, I've observed generally tend to push DTML beyond what it is
intended for before resorting to external methods. Perhaps this is so
because of most of us are programmers and therefore naturally lazy and
therefore want to manage our site from the web and not code up external
methods. Not many of us have actually worked together with layout
designers, perhaps, in a Zope project. If anyone has I'm interested in
hearing how this works out.

> Demo 2:
> 
>  A form askes the name and age, + humour (checkbox).
>  The form checks the entered values and complaints if something is wrong :
> 
>   Checks if age is a number. Then checks age is > 0 and <120

In Zope you'd make two DTML documents. One has the form on it. It refers
to the other document which gives the results (or an error). You can do
all this validation with DTML expressions, though if it's complex you
can refer to some external method that does the work. The DTML example
for the age checking would be something like this:

The input document:

<!--#var standard_html_header-->
<form action="checkage" method="get">

<p>Name:
<input name="age:int" type="text">
</p>
<input type="submit" value=" Submit ">
</form>

<!--#var standard_html_footer-->

The checking/report document (id is 'checkage'):

<!--#var standard_html_header-->
<!--#if "0 <= age <= 120"-->
<p>Okay, so you are <!--#var age--> years old.</p>
<!--#else-->
<p>Hey, your age (<!--#var age-->) is ridiculous, it should be 
between 0 and 120!</p>
<!--#/if-->
<!--#var standard_html_footer-->
 
> If wrong data is entered, the previous values are still available in the
> form.
>  i.e. The user only has to change the wrong value and doesn't has to
> reënter the complete form.

This is happens with Zope too; it's just the way the web works. You
simply press the back button to see your form again.
 
> Demo 3:
> 
> users are added into a database. Then users can click on urls, so that only
> the humoures are shown/ the non-humoures and all persons are shown.
> 
> (Everything is written in one .asp file)

You can do this in several ways in Zope. If you want to use a SQL
database, you make a Z SQL method with the SQL for inserting a user into
the database, and a few Z SQL methods for reporting only the humorous
users, the non humorous users, and all the users.

Then you make some documents that do something like:

<table>
<!--#in select_humorous_users-->
  <tr><td>Name:</td><td><!--#var name--></td></tr>
  <tr><td>Age:</td><td><!--#var age--></td></tr>
<!--#/in-->
</table> 

(assuming the table has a name and age field)

You do this for the various queries. You can hyperlink to these pages
from another page.

This doesn't happen in a single file in Zope. I wonder if it's good to
be able to do all of this in a single file, though. The Zope philosophy
is that interfacing with the database and displaying pages on the screen
are separate things (that can be implemented by different people).

> Demo 4:
> 
> Security. Done with a session object. A name is asked. When the name is in
> the database a picture is shown. When the name isn't in the database. The
> person isn't allowed to view the picture.
> 
> If somebody has some scripts available of the above. Please let me know
> (and if I can use them).

In Zope you can add users to the system, and assign each user a number
or roles (or no role, or whatever). You can put the following horribly
complicated thing in your documents (if you put it in your
standard_html_header you never have to think about it anymore though) to
check if the user requesting your page has the right role (for instance
'allowedVisualData').

<!--#call "REQUEST.set('allowedVisualData',
AUTHENTICATED_USER.hasRole(_.None, ['allowedVisualData']))"-->

Now your page will have the variable allowedVisualData defined only if
the user requesting the page has previously logged in, and has that
role.

You can then do something like:

<!--#if allowedVisualData-->
<p>Really this should be a picture. :)</p>
<!--#else-->
<p>
Security violation, cryptic messages! If this were a movie, type
'override' to override security and see the picture anyway. Luckily this
isn't a movie. 
</p>
<!--#/if--> 

Defending-Zope-against-Microsoft-onslaught-ly yours,

Martijn

P.S.
If the a-long-sentence-ly yours signature if unfamiliar to you -- this
is a comp.lang.python thing. Tim Peters (a well known figure in that
newsgroup) started it all. The proper Tim Peters usage is
"long-sentence-here-ly y'rs"; I just use 'yours' out of deliberate
stubbornness. :)