subject:"Re\: \[Zope\-dev\] how to add to the pythonscript allowed import list\?"

Re: [Zope-dev] how to add to the pythonscript allowed import list?

2001-04-19 Thread Chris McDonough


This may help:

http://www.zope.org/Documentation/ZDG/Security.dtml (see Using
ModuleSecurityInfo Objects)

I think it will be something along the lines of:

from AccessControl import ModuleSecurityInfo
ModuleSecurityInfo('Products').declarePublic('SignedEditions')
ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber
', 'verifyCardNumber')


- Original Message -
From: "R. David Murray " [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 19, 2001 1:56 PM
Subject: [Zope-dev] how to add to the pythonscript allowed import list?


 I've got a little Product that does some init hacks.  One of the
 things I want to do is expose a couple of python fuctions such that
 they can be imported into pythonscripts.  After much spelunking in
 the mailing list and the PythonMethods wiki on zope.org, I *think*
 that what I need to do is something like this:

 --
 from AccessControl import ModuleSecurityInfo

 security = ModuleSecurityInfo()

 security.declarePublic('SignedEditions')
 security.declarePublic('stripCardNum','verifyCardNumber')
 from cccheck import stripCardNum, verifyCardNumber

 security.apply(globals())
 --

 Now, that SignedEditions one is my attempt to solve the following
 error message when I attempt to do 'from SignedEditions import
stripCardNum':

 Error Type: ImportError
 Error Value: import of "SignedEditions" is unauthorized

 However, it does not solve the problem.

 Hmm.  I just noticed that I forgot to prefix that with "Products.".
 Which would seem to make that error message a bug, since SignedEditions
 shouldn't exist in the import path.  If I do

 from Products.SignedEditions import stripCardNum

 then ZDebug tells me:

 Unauthorized: Access denied for lt;module 'Products.SignedEditions' from
'/usr/local/zope/sites/signededitions/Products/SignedEditions/__init__.py'g
t; because its container, lt;module 'Products' from
'/usr/local/zope/Zope231b1/lib/python/Products/__init__.pyc'gt;, has no
security assertions.

 What do I need to do to assert that it is OK to import from the
 SignedEditions product? The wiki does not seem to address this
 question at all, though it implies that it is possible, since it
 *does* talk about the above assertions to declare things *inside*
 the product as importable.

 (Oh, BTW, I tried changing 'security' to "ZopeSecurity", but that didn't
 seem to change the behavior).

 --RDM


 ___
 Zope-Dev maillist  -  [EMAIL PROTECTED]
 http://lists.zope.org/mailman/listinfo/zope-dev
 **  No cross posts or HTML encoding!  **
 (Related lists -
  http://lists.zope.org/mailman/listinfo/zope-announce
  http://lists.zope.org/mailman/listinfo/zope )



___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] how to add to the pythonscript allowed import list?

2001-04-19 Thread R. David Murray


On Thu, 19 Apr 2001, Chris McDonough wrote:
 http://www.zope.org/Documentation/ZDG/Security.dtml (see Using
 ModuleSecurityInfo Objects)
 
 I think it will be something along the lines of:
 
 from AccessControl import ModuleSecurityInfo
 ModuleSecurityInfo('Products').declarePublic('SignedEditions')
 ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber
 ', 'verifyCardNumber')

Thanks, that worked!

I'm going to file a collector report on that misleading error message.

Also, I did read stuff very similar to the text you pointed me to above,
in the PythonMethods wiki.  Clearly, it did *not* tell me as a developer
how to do what the text is saying it is telling me how to do: make it
so I can import a function in a pythonscript.  So I think you should
add a note about the need for the ModuleSecurityInfo('Products').declarePublic
call, and incorporate it into the example (or another example).

Also, the text makes a distinction between marking "external" modules
and marking "embedded" modules.  The former uses the spelling above,
the latter the "security = ModuleSecurityInfo()" spelling.  As far as
I can see, what I am doing is the *latter* case, and what I tried
naively following the directions did not work, but this external
spelling did.  So something needs to be clarified there, as well.

I've filed this as a tracker comment on the ZDG, as well.

--RDM


___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] how to add to the pythonscript allowed import list?

2001-04-19 Thread Chris McDonough


  I think it will be something along the lines of:
 
  from AccessControl import ModuleSecurityInfo
  ModuleSecurityInfo('Products').declarePublic('SignedEditions')
 
ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber
  ', 'verifyCardNumber')

 Thanks, that worked!

 I'm going to file a collector report on that misleading error message.

I'm not sure much will be done about it. ;-)


 Also, I did read stuff very similar to the text you pointed me to above,
 in the PythonMethods wiki.  Clearly, it did *not* tell me as a developer
 how to do what the text is saying it is telling me how to do: make it
 so I can import a function in a pythonscript.  So I think you should
 add a note about the need for the
ModuleSecurityInfo('Products').declarePublic
 call, and incorporate it into the example (or another example).

Yes, the wiki is broken.  So is the help system for that matter.  Sigh.

 Also, the text makes a distinction between marking "external" modules
 and marking "embedded" modules.  The former uses the spelling above,
 the latter the "security = ModuleSecurityInfo()" spelling.  As far as
 I can see, what I am doing is the *latter* case, and what I tried
 naively following the directions did not work, but this external
 spelling did.  So something needs to be clarified there, as well.

The fundamental problem is that you need to make explicit declarations for
all packages along the import path.  So making a declaration for a module
that is inside a package won't allow you to import that module unless you've
made security declarations for the containing package.  Since the "Products"
package had no declarations, it was disallowing access.

This is rather confusing and I need to not only fix the ZDG but understand a
bunch of use cases that aren't covered in it.

 I've filed this as a tracker comment on the ZDG, as well.

Thanks!

 --RDM




___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] how to add to the pythonscript allowed import list?

Re: [Zope-dev] how to add to the pythonscript allowed import list?

Re: [Zope-dev] how to add to the pythonscript allowed import list?

3 matches

Site Navigation

Mail list logo

Footer information