--On 24 January 2007 11:30:11 -0500 Tres Seaver <[EMAIL PROTECTED]> wrote:

Kirk Strauser wrote:

> My company has a Zope server that has no editing rights for external persons - only employees have management permissions. We also have a company-specific hierarchy of several hundred Python modules that I'd like to access from Zope. Rather than modifying each and every module as per the instructions in the "Security" chapter of the ZDG, is there a way to say "allow the import of any module inside this part of $PYTHONPATH"?
>
> Oh, for those curious: part of the reason for moving code from Zope Python scripts and into filesystem code is that my company has officially adopted Python as our new development platform for new projects. I'm cranking out thousands of lines of code, and the Windows guys are tweaking it to run under IronPython. The end goal is to have a library of code that runs under Unix, Windows, Mac, or wherever else we might want to explore, and then to write frontends to that library in whatever seems appropriate to the task. For example, new web apps will be written with Zope calling those modules. New GUI apps will be written with Visual Studio calling those modules. Yay Zope and Python! You're what broke us away from vendor lock-in!

The most straightforward hack to do what you want would be to monkey-patch 'AccessControl.ZopeGuards.guarded_import', which is the function that does the current checking. Slightly less hackish would be to mutate the security policy, whose 'validate' method is responsible for checking the policy. By default, Zope uses the 'C' version of the security policy, which can't be monkey-patched.

However, your *best* bet is to implement your Zope applications as filesystem-based products, rather than in "untrusted" code (Python scripts). At that point, the modules are easily importable. You can arrange for the filesystem products to expose any features which are needed (e.g., by PageTemplates).

TrustedExecutables are possibly a solution if you don't have many concerns about security issues.

-aj

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
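
A stand-alone model of the check asked about in the thread above (allow any module under one package prefix), added here as an example; it is not Zope's 'guarded_import' or code from any poster, and `Unauthorized`, `make_guarded_import` and the `corp` package are hypothetical names. It also shows why allowing a whole tree needs care: modules that a trusted module imported become reachable through it unless the guard checks for that.

```python
# Stand-alone model of a prefix-based import guard; it does not use Zope.
# Unauthorized, make_guarded_import and the "corp" package are hypothetical.
import importlib
import os
import sys
import types


class Unauthorized(ImportError):
    """Restricted code asked for something outside the allowlist."""


def is_allowed(name, prefixes):
    # Match whole dotted components: "corp" covers "corp.util", not "corpus".
    return any(name == p or name.startswith(p + ".") for p in prefixes)


def make_guarded_import(prefixes):
    """Return a replacement for __import__ limited to the given packages."""
    def guarded_import(name, globals=None, locals=None, fromlist=(), level=0):
        if level != 0:
            raise Unauthorized("relative imports are not permitted")
        if not is_allowed(name, prefixes):
            raise Unauthorized("import of %r is not permitted" % name)
        module = importlib.import_module(name)
        for attr in fromlist or ():
            value = getattr(module, attr, None)
            # A trusted module that did "import os" would otherwise hand os
            # to restricted code through "from corp.util import os".
            if isinstance(value, types.ModuleType) and not is_allowed(
                    value.__name__, prefixes):
                raise Unauthorized("%s.%s exposes module %s"
                                   % (name, attr, value.__name__))
        # Like __import__: return the top-level package unless fromlist is set.
        return module if fromlist else sys.modules[name.partition(".")[0]]
    return guarded_import


def install_sample_package():
    # Constructed sample input: package "corp" whose submodule imported os.
    corp = types.ModuleType("corp")
    corp.__path__ = []
    util = types.ModuleType("corp.util")
    util.os = os
    util.slugify = lambda text: text.lower().replace(" ", "-")
    corp.util = util
    sys.modules.update({"corp": corp, "corp.util": util})
    return make_guarded_import(("corp",))
```

This model guards only the import statement; plain attribute access on an imported module (for example `corp.util.os` after `import corp.util`) is outside what it checks.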