Hash: SHA1

Kirk Strauser wrote:
> My company has a Zope server that has no editing rights for external 
> persons - only employees have management permissions.  We also have a 
> company-specific hierarchy of several hundred Python modules that I'd like 
> to access from Zope.  Rather than modifying each and every module as per 
> the instructions in the "Security" chapter of the ZDG, is there a way to 
> say "allow the import of any module inside this part of $PYTHONPATH"?
> Oh, for those curious: part of the reason for moving code from Zope Python 
> scripts and into filesystem code is that my company has officially adopted 
> Python as our new development platform for new projects.  I'm cranking out 
> thousands of lines of code, and the Windows guys are tweaking it to run 
> under IronPython.  The end goal is to have a library of code that runs 
> under Unix, Windows, Mac, or wherever else we might want to explore, and 
> then to write frontends to that library in whatever seems appropriate to 
> the task.  For example, new web apps will be written with Zope calling 
> those modules.  New GUI apps will be written with Visual Studio calling 
> those modules.  Yay Zope and Python!  You're what broke us away from vendor 
> lock-in!

The most straighforward hack to do what you want would be to
monkey-patch 'AccessControl.ZopeGuards.guarded_import', which is the
function that does the current checking.  Slightly less hackish would be
to mutate the security policy, whose 'validate' method is responsible
for checking the policy.  By default, Zope uses the 'C' version of the
security policy, which can't be monkey-patched.

However, your *best* bet is to implement your Zope applications as
filesystem-based products, rather than in "untrusted" code (Python
scripts).  At that point, the modules are easily importable.  You can
arrange for the filesystem products to expose any features which are
needed (e.g., by PageTemplates).

- --
Tres Seaver          +1 540-429-0999          [EMAIL PROTECTED]
Palladion Software   "Excellence by Design"    http://palladion.com
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to