[Zope-Perl] security
Chris McDonough
chrism@digicool.com
Wed, 24 Jan 2001 13:22:18 -0500
Gisle,
When a Perl Method returns a reference to a hash (or list), a perl ref
object is returned to DTML or Python. This is really neat.
There's one problem I can see, however: Zope's security machinery inside
DTML and Python Scripts expects instances to define a "__roles__" attribute
so they may be accessed in TTW code. Usually, I would do something like
(from PerlMethod __init__.py's __call__ method):
r = apply(perl.safecall, (root, mask, args))
roles = self.aq_acquire('__roles__')  # grabs __roles__ of PerlM's container
setattr(r, '__roles__', roles)
return r
... but I can't setattr on the perlref instance, so this doesn't work.
Without jiggering of the security machinery or a way to set __roles__ on
perlref instances, doing (for example) in DTML:
<dtml-in>
  <dtml-with "perlmwhichreturnshashref()">
    <dtml-in keys>
      <dtml-var sequence-item>
    </dtml-in>
  </dtml-with>
</dtml-in>
... doesn't work (the Zope security policy raises unauthorized at the point
in which you attempt to access keys).
I *think* this can be solved in a couple of ways (each radically different):
- Do type conversion on hashrefs and arrayrefs to Python native datatypes
(dict, list) in a return to Python if the hash or array keys/values are all
string or number types. This is potentially very expensive, and a little
DWIMish.
- Allow perlref instances in Python to have a __dict__ and let us assign to
it from unrestricted code (so we can give it a __roles__).
- Jigger the security machinery to do more DWIM.
Thoughts?
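Added illustration of the failure described in the mail, not code from Zope or the Zope-Perl project: a toy model of the __roles__ lookup, a stand-in type without a __dict__ (like the perlref instance), and the second proposed fix, a type that does carry a __dict__. Names such as Unauthorized, acquire_roles, validate and PerlRefNoDict are assumed for illustration only.

```python
# Toy model of the __roles__ check from the mail; not Zope's real security policy.

class Unauthorized(Exception):
    """Raised when no __roles__ can be found for the object being accessed."""


def acquire_roles(obj):
    """Mimic looking up __roles__ on a returned object that has no container.

    A perlref handed back into DTML is not acquisition-wrapped, so the only
    place __roles__ can live is on the object itself.
    """
    roles = getattr(obj, '__roles__', None)
    if roles is None:
        raise Unauthorized("no __roles__ on returned object")
    return roles


def validate(obj, user_roles):
    """Toy policy: grant access if the user holds one of the object's roles."""
    return bool(set(user_roles) & set(acquire_roles(obj)))


class PerlRefNoDict:
    """Stand-in for the perlref type: no __dict__, so setattr is refused."""
    __slots__ = ('value',)

    def __init__(self, value):
        self.value = value


class PerlRefWithDict:
    """Option 2 from the mail: the same type, but with a __dict__ to assign into."""

    def __init__(self, value):
        self.value = value


def try_assign_roles(ref, container_roles):
    """Do what PerlMethod.__call__ does: copy the container's roles onto the ref.

    Returns True when the assignment succeeded, False when the type rejects it.
    """
    try:
        setattr(ref, '__roles__', container_roles)
        return True
    except AttributeError:
        return False
```

With PerlRefNoDict the assignment fails and validate() raises Unauthorized, which is the behaviour the mail sees in DTML; with PerlRefWithDict the roles stick and the check passes for a Manager.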