An Introduction To Zope

An Introduction to Zope

Brian Lloyd [email protected]

Overview

Zope is a next-generation Open Source application server and portal toolkit developed by Zope Corporation and a large active community of users. It runs on nearly all UNIX platforms as well as Windows NT and can be used with most popular web servers or its own built in web server. Zope is written (and extensible with) Python, a powerful object-oriented programming language, with performance sensitive components written in C.

Unlike common file-based Web templating systems such as ASP or PHP, Zope is a highly object-oriented Web development platform that covers much more of the problem domain for Web application developers. It provides clean separation of data, logic and presentation, an extensible set of built-in objects and a powerful integrated security model. The Zope infrastructure relieves the developer of most of the onerous details of Web application development such as data persistence, data integrity and access control, allowing you to focus on the problem at hand.

Zope provides all of the necessary tools to integrate data and content from nearly any source into powerful, coherent and maintainable Web applications:

• Through-the-Web management

• Integrated access control

• Content management

• Enterprise data access

• Built-in search tools

• Powerful data sharing

• Safe delegation

One of the things that sets Zope apart from other application servers is that it was designed from the start to be tightly coupled not only with the Web object model, but also the Web development model. Today's successful Web applications require the participation of many people across an organization who have different areas of expertise. Zope is specifically designed to accommodate this model, allowing site managers to safely delegate control to design experts, database experts and content managers.

The Web Application Platform

The technology that would become Zope was founded on the realization that the Web is fundamentally object-oriented. A URL to a Web resource is really just a path to an object in a containment hierarchy, and the HTTP protocol provides a way to send messages to that object and receive its response.

Zope was designed from the ground up to reflect the object model of the Web. Objects in Zope are hierarchical, and represent familiar concepts such as Folders, Documents, Images or SQL Queries. URLs map naturally to objects in the hierarchical Zope environment based on their names. For example, the URL "/Marketing/index.html" would be used to access the Document object named "index.html" located in the Folder object named "Marketing".

To create and work with Zope objects, you use your Web browser to access the Zope management interface. All management and application development can be done completely through the Web using only a browser. The Zope management interface provides a familiar Windows Explorer-like view of the Zope object system. Through the management interface a developer can create and script Zope objects or even define new kinds of objects, without requiring access to the file system of the web server.

Fig. 1 - The Zope management interface

Objects can be dropped in anywhere in the object hierarchy. Site managers can work with their objects by clicking on tabs that represent different "views" of an object. These views vary depending on the type of object. A document template (DTML Document), for example, has an "Edit" tab which allows you to edit the document's source, while a Database Connection object provides views that let you modify the connection string or caching parameters for the object. All objects also have a "Security" view that allows you to manage access control settings for that object.

Fig. 2 - Edit view of a DTML Document object

Zope objects are stored in a high-performance transactional object database that can use either the filesystem or an RDBMS as its backing store. Each Web request is treated as a separate transaction by the object database. If an error occurs in your application during a request, any changes made during the request will be automatically rolled back. The object database also provides multi-level undo, allowing a site manager to "undo" changes to the site with the click of a button. The Zope framework makes all of the details of persistence and transactions totally transparent to the application developer.

Content Management

At the heart of Zope is DTML (Document Template Markup Language), a powerful variable insertion and expression language that provides "safe scripting" of Zope objects and dynamic content generation. DTML uses a server-side-include syntax that should look familiar to many Web developers, and it is highly integrated with the Zope security model. The security integration makes it possible to let less privileged users write their own DTML without compromising the security of the site.

Basic variable insertion and conditional testing with DTML is very straightforward. DTML code can use properties and methods of objects in the Zope system as well as Web request and form variables. This example displays the title property of the document being accessed, and a special message if a particular user is logged in:

      The title of this document is: <!--#var document_title-->.
      <p>
      <!--#if "AUTHENTICATED_USER=='Fred'"-->
        Hello Fred!
      <!--#else-->
        Hello stranger!
      <!--#/if-->

Of course, DTML Documents in Zope can also include the content of other DTML Documents. To implement a common design across your web site, you could use two DTML Documents that define your common page header and footer and simply include them in your site content:

      <!--#var standard_html_header-->

      <h2>Welcome to our site!</h2>

      <!--#var standard_html_footer-->

DTML also provides powerful iterative insertion using the "in" tag, which makes it easy to iterate over sequences of objects. The "in" tag can also automatically manage "batch" operations (such as iterating over search results over multiple web requests). This example calls an SQL query object and builds a table by iterating over the resulting record objects:

      <table>
      <!--#in getEmployees-->
      <tr>
        <td><!--#var first_name--></td>
        <td><!--#var last_name--></td>
        <td><!--#var job_title--></td>
        <td><!--#var hire_date--></td>
      <!--#/in-->
      </table>

Using these and many more advanced DTML constructs, Web developers can call SQL queries, create new objects, manipulate object properties and build highly dynamic site content. Here is a more advanced example using the DTML sendmail tag, which allows you to send email from DTML code. This example handles a feedback form, sending an email containing the users name and comments:

      <!--#var standard_html_header-->

      <!--#sendmail smtphost="mailsrv.mydomain.com">
      To: Feedback Department <[email protected]>
      From: Feedback Form <[email protected]>
      Subject: User Feedback

      <!--#var name--> writes:

      <!--#var comments-->

      <!--#/sendmail-->

      <h2>Thanks!</h2>
      <p>
      Thanks for your feedback!
      </p>

      <!--#var standard_html_footer-->

A key concept of "safe scripting" is that unlike some other templating systems, DTML does not allow you to create blocks of arbitrary script code that could compromise the security of your server. Instead, Zope provides a different kind of object called an External Method that encapsulates more complex scripting and can contain arbitrary code. DTML authors can call External Methods from DTML to use their services, but the External Methods themselves are Zope objects in their own right that have their own security settings. This gives a site manager the ability to selectively provide extended services to DTML authors without necessarily allowing them to run arbitrary code on the server.

In most cases DTML alone is all that is needed to accomplish common tasks, and the more advanced DTML tags provided by Zope tend to reduce the need for complex scripting. An example of this is the "tree" tag, which lets you easily create expandable HTML tree controls like the one used in the left-hand frame of the Zope management interface. A comprehensive DTML user's guide is available in several formats on the Zope web site.

Data Access

Zope provides a consistent object oriented way to access all kinds of enterprise data. Data sources can include RDBMS data as well as non- relational data from sources such as LDAP or IMAP servers. Zope supports most common relational databases, including Oracle, Sybase, MySQL and ODBC compliant databases.

To access back end data, you drop in a Database Connection object for the type of database you are using, then begin creating SQL Method objects (queries) that use the connection. DTML can be used in SQL Methods, making it easy to build dynamic queries based on form variables or the request environment. The source for this SQL Method named "getTasks", for example, selects records from a "tasks" table based on the identity of the logged in user:

      select * from tasks
      where
      emp_id='<!--#var AUTHENTICATED_USER-->'

The results of this query can now be used in a DTML Document, which simply calls the query object and iterates over the results:

      <h2><!--#var AUTHENTICATED_USER-->'s tasks</h2>
      <table>
      <!--#in getTasks-->
      <tr>
        <td><!--#var title--></td>
        <td><!--#var due_date--></td>
      </tr>
      <!--#/in-->
      </table>

The object-centric design of Zope allows you to enforce a clean separation of data and presentation. Database programmers can work on SQL Method objects, while content managers can simply call the SQL Methods and use the results in their content. This object model makes it easy to integrate data from multiple data sources. Advanced data access features even allow you to define object behavior for database results, turning flat relational records into "smart data" in your Zope application.

Another benefit of development in the Zope environment is that the Zope transaction model can automatically extend into your back-end database. If your relational database supports transactions, Zope will automatically begin a transaction before running SQL Methods on a database connection, and it will automatically commit the transaction at the end of a successful Web request. If an error occurs during the request the transaction will automatically be rolled back, making transactional integrity totally transparent to the Web developer.

Integrated Searching

Zope provides fast, flexible indexing and searching with drop-in ZCatalog objects. ZCatalogs provide allows highly configurable full-text and fielded indexing of any kind of object on a Zope site. The objects can be indexed by their "content" as well as by their properties, which makes it easy to provide structured searches such as searches by author or by object type.

This object approach to indexing makes it possible to build fully searchable Web sites that integrate data from many different sources. Instead of a basic list of documents, search results from a Zope site might include documents, email message objects from a mailing list, records pulled from a relational database or resources from an LDAP directory.

Data sharing

One of the most powerful aspects of Zope is its simple but sophisticated data sharing model. This model is known as "Acquisition", and the core concept is simply that:

• Zope objects are contained inside other objects (such as Folders).

• Objects can "acquire" properties, content and behavior from their containers.

Acquisition is probably best demonstrated by example. Earlier, we decided to encapsulate our site-wide header and footer into separate DTML Documents that would be included in other site content. This design would quickly break down if we had to add a copy of the header and footer to every Folder on the site so that our content documents could use them. Acquisition allows us to avoid this problem; we can create the header and footer in the top-level Folder of the site, and DTML Documents defined at lower levels in the hierarchy will automatically "acquire" them from above when needed.

The concept of acquisition works with all Zope objects, and provides an extremely powerful way to centralize common resources. A commonly used SQL query, for example, can be defined in one Folder and objects in subfolders can use it automatically through acquisition. If the query needs to be changed, you can change it in one place without worrying about all of the subobjects that use the query.

Because objects are acquired by starting at the current level in the containment hierarchy and searching upward, it is easy to specialize areas of your site with a minimum of work. If, for example, you had a Folder named "Sports" on your site containing sports-related content, you could create a new header and footer document in the Sports Folder that use a sports-related theme. Content in the Sports folder and its subfolders will then use the specialized sports header and footer found in the "Sports" folder rather than the header and footer from the top-level folder on the site.

The uses of acquisition could fill several articles itself. For the purposes of a high-level overview however, the important point is that acquisition provides a simple and powerful way to avoid redundant data and vastly increase the maintainability of a site.

Safe Delegation

A successful Web site requires the collaboration of many people people in an organization: application developers, SQL experts, content managers and often even the end users of the application. On a conventional Web site, maintenance and security can quickly become problematic. How much control do you give to the content manager? How does giving the content manager a login affect your security? What about that SQL code embedded in the ASP files he'll be working on - code that probably exposes your database login?

Zope addresses these issues with its strong object-based design that enforces separation of data and presentation, and a flexible security model designed specifically to handle the unique business models of the Web.

Zope manages users with "User Folders", which are special folders that contain user information. Several Zope add-ons are available that provide extended types of User Folders that get their user data from external sources such as relational databases or LDAP directories.

Objects in Zope provide a much richer set of possible permissions than a conventional file-based system. Permissions vary by object type based on the capabilities of that object. This makes it possible to implement fine-grained access control. For example, you can set access control so that content managers can call SQL Methods, but not change them or even view their source. You can also set restrictions so that a user can only create certain kinds of objects, for instance Folders and DTML Documents but not SQL Methods or other objects.

In addition to strong encapsulation and security, Zope also provides other useful collaboration features. In addition to Web-based access, Zope natively supports other protocols such as FTP, WebDAV and XML-RPC. This standards-based approach allows users to work with Zope using existing Web authoring tools.

With all this collaboration going on of course, something will eventually go wrong. But when it does, instead of running for the backup tape the site manager can simply use the Zope management interface to undo changes to the site back to a point before the problem started. And to avoid that kind of problem altogether users can work in "Versions", which are private views of the object system.

Changes made in a Version are only visible to other users working in that Version and don't affect the public view of the site. When the changes made in a Version are finished and tested the user can "commit" the Version, instantly publishing the changes to the public view of the site.

XML Support

A hot topic in the application server market today is XML support. So how does Zope stack up? In addition to built-in support for XML-based protocols such as WebDAV and XML-RPC, Zope comes with a fast C-based XML parser that can be used by Zope application developers and the Zope object database itself can be exported to an XML format. A prototype "XML Document" add-on is also available that allows a user to upload an XML document into Zope, where the document is automatically parsed and its elements stored as individual Zope objects. This makes it possible to use DTML to generate reports on element subsets or to index individual elements for searching.

Related to XML, Zope includes support for the Document Object Model API, which allows developers to work with Zope objects in either DTML or Python code using familiar DOM calls. Future XML support based on ongoing projects will likely include native XSL processing and the ability to search Zope object hierarchies using XQL (XML Query Language).

More Information

Zope is highly extensible, and advanced users can create new kinds of Zope objects, either by writing new Zope add-ons in Python or by building them completely through the Web. The Zope software provides a number of useful built-in components to help extension authors, including a robust set of framework classes that take care of most of the details of implementing new Zope objects.

A number of Zope add-on products are available that provide features like drop-in Web discussion topics, desktop data publishing, XML tools and e-commerce integration. Many of these products have been written by the highly active members of the Zope community, and most are also Open Source.

Zope Corporation, the publisher of Zope, offers a range of consulting and technical support services for Zope, including an enterprise option for high scalability / high availability Web sites.

More information, documentation and software distributions for Zope and many add-on products are available at the Zope Web site at www.zope.org. There are also several mailing lists for Zope users and developers that are a great place to find out more about Zope.