[Zope-dev] Allowing python logging from restricted code

2005-10-10 Thread Chris Withers

Hi All,

Would anyone have a problem if I added the necessary security 
declarations to allow the python logging module to be used from 
restricted code?


I'd like to do this both for the trunk and the 2.8 branch, unless anyone 
has huge objections...


Furthermore, I'd like to change zope.conf to allow the flexibility of 
defining loggers that ZConfig normally provides out of the box, rather 
than being limited to just the event log and the access log. I'd like to 
just do this for the trunk...


Anyway, please let me know what you think!

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk

___
Zope-Dev maillist  -  Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] Re: [Zope-Checkins] SVN: Zope/trunk/lib/python/Shared/DC/ZRDB/ Collector #556: sqlvar now returns 'null' rather than 'None'.

2005-10-10 Thread Chris Withers

Andreas Jung wrote:
> Argh...there is also a gadfly package coming from Zope 3. So when we
> remove it from the Zope 2 core we get it back with Zope 3 :-)


Well, having a lightweight semi-functional rdb engine in the distro has 
always seemed handy for me, mainly for testing rdb-related components 
with the certainty that the rdb engine you're testing with will always 
be there...


Maybe we should move it to the testing package?

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk



[Zope-dev] Re: Gadfly (was: Collector #556: sqlvar now returns 'null' rather than 'None'.)

2005-10-10 Thread Jens Vagelpohl


On 10 Oct 2005, at 08:58, Chris Withers wrote:

> Andreas Jung wrote:
>> Argh...there is also a gadfly package coming from Zope 3. So when
>> we remove it from the Zope 2 core we get it back with Zope 3 :-)
>
> Well, having a lightweight semi-functional rdb engine in the distro
> has always seemed handy for me, mainly for testing rdb-related
> components with the certainty that the rdb engine you're testing
> with will always be there...
>
> Maybe we should move it to the testing package?


You're just moving the problem around with that. What's the point?

jens



Re: [Zope-dev] Allowing python logging from restricted code

2005-10-10 Thread Jim Fulton

Chris Withers wrote:

> Hi All,
>
> Would anyone have a problem if I added the necessary security
> declarations to allow the python logging module to be used from
> restricted code?
>
> I'd like to do this both for the trunk and the 2.8 branch, unless anyone
> has huge objections...


I think you need to be very careful with this. IMO, this is something
that should not be turned on by default. OTOH, I have no problem with
making this possible to turn on.

Jim

--
Jim Fulton           mailto:[EMAIL PROTECTED]       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org


Re: [Zope-dev] Re: [Zope-Checkins] SVN: Zope/trunk/lib/python/Shared/DC/ZRDB/ Collector #556: sqlvar now returns 'null' rather than 'None'.

2005-10-10 Thread Sidnei da Silva
On Mon, Oct 10, 2005 at 08:58:53AM +0100, Chris Withers wrote:
| Andreas Jung wrote:
| Argh...there is also a gadfly package coming from Zope 3. So when we 
| remove it from the Zope 2 core we get it back with Zope 3 :-)
| 
| Well, having a lightweight semi-functional rdb engine in the distro has 
| always seemed handy for me, mainly for testing rdb-related components 
| with the certainty that the rdb engine you're testing with will always 
| be there...
| 
| Maybe we should move it to the testing package?

If I'm allowed to say anything, I would like to see gadfly being
replaced by sqlite. It's available mostly everywhere except in Windows
by default, as many products already use it. sqlite itself is 'public
domain' and the python da has the same license as zlib if I recall,
which is very permissive as well.

-- 
Sidnei da Silva
Enfold Systems, LLC.
http://enfoldsystems.com


Re: [Zope-dev] Re: [Zope-Checkins] SVN: Zope/trunk/lib/python/Shared/DC/ZRDB/ Collector #556: sqlvar now returns 'null' rather than 'None'.

2005-10-10 Thread Andrew Veitch
SQLite implements enough of a subset of SQL to be genuinely useful
and its performance isn't too bad either. There is a Zope DA for it
somewhere too.


We've never been able to use Gadfly for testing as it's so far from  
standard SQL that it just causes more problems than it solves - as we  
saw at the beginning of this thread.


A

On 10 Oct 2005, at 15:03, Sidnei da Silva wrote:

> On Mon, Oct 10, 2005 at 08:58:53AM +0100, Chris Withers wrote:
> | Andreas Jung wrote:
> | Argh...there is also a gadfly package coming from Zope 3. So when we
> | remove it from the Zope 2 core we get it back with Zope 3 :-)
> |
> | Well, having a lightweight semi-functional rdb engine in the distro has
> | always seemed handy for me, mainly for testing rdb-related components
> | with the certainty that the rdb engine you're testing with will always
> | be there...
> |
> | Maybe we should move it to the testing package?
>
> If I'm allowed to say anything, I would like to see gadfly being
> replaced by sqlite. It's available mostly everywhere except in Windows
> by default, as many products already use it. sqlite itself is 'public
> domain' and the python da has the same license as zlib if I recall,
> which is very permissive as well.
>
> --
> Sidnei da Silva
> Enfold Systems, LLC.
> http://enfoldsystems.com


--
Logicalware Ltd
Stuart House, Eskmills, Musselburgh, EH21 7PQ, UK
Tel: +44(0)131 273 5130 http://www.logicalware.com





Re: [Zope-dev] Re: [Zope-Checkins] SVN: Zope/trunk/lib/python/Shared/DC/ZRDB/ Collector #556: sqlvar now returns 'null' rather than 'None'.

2005-10-10 Thread Andreas Jung



--On 10 October 2005 11:03:54 -0300 Sidnei da Silva [EMAIL PROTECTED] wrote:

> If I'm allowed to say anything, I would like to see gadfly being
> replaced by sqlite. It's available mostly everywhere except in Windows
> by default, as many products already use it. sqlite itself is 'public
> domain' and the python da has the same license as zlib if I recall,
> which is very permissive as well.



IMO there is no need to ship the Zope core with *any* DB package except
the ZODB. From the maintenance point of view we should basically ship with
packages that we really need and that provide value to the core
distribution. In Zope 2.6 we included Docutils, which provided
reStructuredText functionality. Updating and maintaining the package has
been a minor pain in the past. Dealing with exploits in 3rd-party-packages
(as it happened yesterday with Docutils) is another issue. The core
distribution should only ship with packages where we have a certain amount
of expertise to deal with such issues. I assume nobody of us is a sqlite
core developer and knows the sources. Otherwise we end up like Plone and
ship with more 3rd-party packages from release to release.


-aj





[Zope-dev] RestrictedPython, TALES Expressions and CMF

2005-10-10 Thread Sidnei da Silva
(sorry for the cross-post)

I'm currently facing an issue that seems to be a result of a bad
interaction between CMF, TALES and Restricted Python.

The issue currently happens when:

  1. A TALES 'Path Expression' in 'Caching Policy Manager' is evaluated
  2. The result of evaluating a sub-expression is a Python Script (eg:
     object/modified where 'modified' is a Python Script)
  3. The context as built by CMF doesn't define 'here'

What happens in this case is that the call will end up in
PageTemplates/ZRPythonExpr.py:call_with_ns, which is reproduced here
for your pleasure:

  def call_with_ns(f, ns, arg=1):
      td = Rtd()
      td.this = ns['here']
      td._push(ns['request'])
      td._push(InstanceDict(td.this, td))
      td._push(ns)
      try:
          if arg == 2:
              return f(None, td)
          else:
              return f(td)
      finally:
          td._pop(3)

Now, given that there has been a decision of deprecating 'here' in
favor of 'context', I'm not exactly sure about the fix.

CMF seems to create expression contexts in two places off the top of
my head: In 'CMFCore/Expression.py' and
'CMFCore/CachingPolicyManager.py'. None of those define 'here' or
'context' but instead just 'object'.

In 'Products/PageTemplates/TALES.py', in the 'translate' function,
'here' is also hardcoded, but that should be less of an issue as code
reaching into that function *should* have a proper expression context.

The question then is, which code is wrong? PageTemplates for relying
on 'here' being defined, or CMF for not defining 'here'? I volunteer
to provide a fix with tests as soon as someone clarifies which one
needs to be fixed.

As a reminder, 'actions' as defined by 'portal_actions' tool and
anything that derives from 'ActionProviderBase' suffer from the same
issue.

-- 
Sidnei da Silva
Enfold Systems, LLC.
http://enfoldsystems.com
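
The failure described in the message above, as an added example that is not part of the original post or of Zope's code. `TemplateStack` is a simplified stand-in for `Rtd` (the `InstanceDict` layer is omitted), `modified` and `CMF_NS` are constructed, and `call_with_ns_tolerant` with its 'context'/'here'/'object' fallback order is a hypothetical variant, not a fix the thread agreed on.

```python
class TemplateStack:
    """Simplified stand-in for Zope's Rtd: a stack of namespaces."""
    def __init__(self):
        self.this = None
        self._layers = []

    def _push(self, mapping):
        self._layers.append(mapping)

    def _pop(self, n=1):
        del self._layers[-n:]

    def __getitem__(self, key):
        for layer in reversed(self._layers):
            if key in layer:
                return layer[key]
        raise KeyError(key)

def call_with_ns_strict(f, ns):
    """Same namespace lookups as the quoted call_with_ns."""
    td = TemplateStack()
    td.this = ns['here']       # KeyError when the context lacks 'here'
    td._push(ns['request'])
    td._push(ns)
    try:
        return f(td)
    finally:
        td._pop(2)

def call_with_ns_tolerant(f, ns):
    """Hypothetical variant: bind 'context', else 'here', else 'object'."""
    td = TemplateStack()
    for name in ('context', 'here', 'object'):
        if name in ns:
            td.this = ns[name]
            break
    td._push(ns.get('request', {}))
    td._push(ns)
    try:
        return f(td)
    finally:
        td._pop(2)

def modified(td):
    """Constructed stand-in for the 'modified' Python Script."""
    return 'modified:%s' % td.this

# Constructed namespace shaped like the CMF contexts described: 'object' only.
CMF_NS = {'object': 'doc1', 'request': {'URL': 'http://example.invalid/doc1'}}
```
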