Re: [Zope-dev] how to add to the pythonscript allowed import list?
This may help: http://www.zope.org/Documentation/ZDG/Security.dtml (see Using ModuleSecurityInfo Objects) I think it will be something along the lines of: from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('SignedEditions') ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber ', 'verifyCardNumber') - Original Message - From: "R. David Murray " [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, April 19, 2001 1:56 PM Subject: [Zope-dev] how to add to the pythonscript allowed import list? I've got a little Product that does some init hacks. One of the things I want to do is expose a couple of python fuctions such that they can be imported into pythonscripts. After much spelunking in the mailing list and the PythonMethods wiki on zope.org, I *think* that what I need to do is something like this: -- from AccessControl import ModuleSecurityInfo security = ModuleSecurityInfo() security.declarePublic('SignedEditions') security.declarePublic('stripCardNum','verifyCardNumber') from cccheck import stripCardNum, verifyCardNumber security.apply(globals()) -- Now, that SignedEditions one is my attempt to solve the following error message when I attempt to do 'from SignedEditions import stripCardNum': Error Type: ImportError Error Value: import of "SignedEditions" is unauthorized However, it does not solve the problem. Hmm. I just noticed that I forgot to prefix that with "Products.". Which would seem to make that error message a bug, since SignedEditions shouldn't exist in the import path. If I do from Products.SignedEditions import stripCardNum then ZDebug tells me: Unauthorized: Access denied for lt;module 'Products.SignedEditions' from '/usr/local/zope/sites/signededitions/Products/SignedEditions/__init__.py'g t; because its container, lt;module 'Products' from '/usr/local/zope/Zope231b1/lib/python/Products/__init__.pyc'gt;, has no security assertions. What do I need to do to assert that it is OK to import from the SignedEditions product? The wiki does not seem to address this question at all, though it implies that it is possible, since it *does* talk about the above assertions to declare things *inside* the product as importable. (Oh, BTW, I tried changing 'security' to "ZopeSecurity", but that didn't seem to change the behavior). --RDM ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope ) ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] how to add to the pythonscript allowed import list?
On Thu, 19 Apr 2001, Chris McDonough wrote: http://www.zope.org/Documentation/ZDG/Security.dtml (see Using ModuleSecurityInfo Objects) I think it will be something along the lines of: from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('SignedEditions') ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber ', 'verifyCardNumber') Thanks, that worked! I'm going to file a collector report on that misleading error message. Also, I did read stuff very similar to the text you pointed me to above, in the PythonMethods wiki. Clearly, it did *not* tell me as a developer how to do what the text is saying it is telling me how to do: make it so I can import a function in a pythonscript. So I think you should add a note about the need for the ModuleSecurityInfo('Products').declarePublic call, and incorporate it into the example (or another example). Also, the text makes a distinction between marking "external" modules and marking "embedded" modules. The former uses the spelling above, the latter the "security = ModuleSecurityInfo()" spelling. As far as I can see, what I am doing is the *latter* case, and what I tried naively following the directions did not work, but this external spelling did. So something needs to be clarified there, as well. I've filed this as a tracker comment on the ZDG, as well. --RDM ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
Re: [Zope-dev] how to add to the pythonscript allowed import list?
I think it will be something along the lines of: from AccessControl import ModuleSecurityInfo ModuleSecurityInfo('Products').declarePublic('SignedEditions') ModuleSecurityInfo('Products.SignedEditions').declarePublic('stripCardNumber ', 'verifyCardNumber') Thanks, that worked! I'm going to file a collector report on that misleading error message. I'm not sure much will be done about it. ;-) Also, I did read stuff very similar to the text you pointed me to above, in the PythonMethods wiki. Clearly, it did *not* tell me as a developer how to do what the text is saying it is telling me how to do: make it so I can import a function in a pythonscript. So I think you should add a note about the need for the ModuleSecurityInfo('Products').declarePublic call, and incorporate it into the example (or another example). Yes, the wiki is broken. So is the help system for that matter. Sigh. Also, the text makes a distinction between marking "external" modules and marking "embedded" modules. The former uses the spelling above, the latter the "security = ModuleSecurityInfo()" spelling. As far as I can see, what I am doing is the *latter* case, and what I tried naively following the directions did not work, but this external spelling did. So something needs to be clarified there, as well. The fundamental problem is that you need to make explicit declarations for all packages along the import path. So making a declaration for a module that is inside a package won't allow you to import that module unless you've made security declarations for the containing package. Since the "Products" package had no declarations, it was disallowing access. This is rather confusing and I need to not only fix the ZDG but understand a bunch of use cases that aren't covered in it. I've filed this as a tracker comment on the ZDG, as well. Thanks! --RDM ___ Zope-Dev maillist - [EMAIL PROTECTED] http://lists.zope.org/mailman/listinfo/zope-dev ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )