[Zope-Checkins] CVS: Zope2 - PythonScript.py:1.33 standard.py:1.6

shane@digicool.com shane@digicool.com
Thu, 21 Jun 2001 13:45:44 -0400 (EDT)


Update of /cvs-repository/Zope2/lib/python/Products/PythonScripts
In directory korak.digicool.com:/tmp/cvs-serv24737/lib/python/Products/PythonScripts

Modified Files:
	PythonScript.py standard.py 
Log Message:
Based on some semi-formal performance tests, read guards turned out to be
slower than the old code.  With this change, we're using simple function
calls again to perform security checks.  But the calling sequence is
intended to be easier to comprehend than the old code.  Now instead of
DT_String.String subclasses having a validate() method attached to them, they
subclass AccessControl.DTML.RestrictedDTML, which provides a guarded_getattr()
method and a guarded_getitem() method.

Note that the functionality of guarded_getattr() used to be implemented
both in C and Python (in cDocumentTemplate and DT_Util), but now it's in
one place, ZopeGuards.py.  Thus it's not only reusable but easy to
optimize.

I ran all the tests and ran the new code through the profiler again.  The
change sped up restricted code a little more than expected, which is
definitely a good thing, but that may indicate that nested scopes
have a hidden speed penalty.

Also, RestrictedPython is now restrictive about printing to targets and
two forms of augmented assignment had to be forbidden.



--- Updated File PythonScript.py in package Zope2 --
--- PythonScript.py	2001/06/18 17:39:16	1.32
+++ PythonScript.py	2001/06/21 17:45:13	1.33
@@ -103,7 +103,8 @@
 from AccessControl import getSecurityManager
 from OFS.History import Historical, html_diff
 from OFS.Cache import Cacheable
-from AccessControl import full_read_guard, full_write_guard, safe_builtins
+from AccessControl import full_write_guard, safe_builtins
+from AccessControl.ZopeGuards import guarded_getattr, guarded_getitem
 from zLOG import LOG, ERROR, INFO, PROBLEM
 
 # Track the Python bytecode version
@@ -112,7 +113,7 @@
 del imp
 
 # This should only be incremented to force recompilation.
-Script_magic = 1
+Script_magic = 2
 
 manage_addPythonScriptForm = DTMLFile('www/pyScriptAdd', globals())
 _default_file = os.path.join(package_home(globals()),
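
Review bot: The bump of Script_magic from 1 to 2 carries no record of why recompilation is being forced. The existing comment only says when the value may change, so add a line next to it stating that 2 corresponds to the switch from the _read_ guard to _getattr_/_getitem_. A later reader can then tell which stored bytecode each value invalidates.
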
@@ -303,7 +304,8 @@
     def _newfun(self, code):
         g = {'__debug__': __debug__,
              '__builtins__': safe_builtins,
-             '_read_': full_read_guard,
+             '_getattr_': guarded_getattr,
+             '_getitem_': guarded_getitem,
              '_write_': full_write_guard,
              '_print_': RestrictedPython.PrintCollector
              }
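
Review bot: In the globals dict built by _newfun, '_read_' is dropped in the same step that '_getattr_' and '_getitem_' are added, so a code object compiled against the old name has nothing to bind to and should fail with a NameError rather than run unguarded. That fail-closed outcome is the right one, but it depends on the Script_magic bump triggering recompilation before the first call. A short comment here saying these keys must match the names the RestrictedPython compiler emits would make that coupling explicit. Writes still go through full_write_guard while reads are now plain function calls, which also deserves a word on why the two paths differ.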

--- Updated File standard.py in package Zope2 --
--- standard.py	2001/04/27 20:27:43	1.5
+++ standard.py	2001/06/21 17:45:13	1.6
@@ -105,10 +105,10 @@
  html_quote, url_quote, url_quote_plus, newline_to_br, thousands_commas
 
 from Globals import HTML
-from AccessControl import full_read_guard
+from AccessControl.DTML import RestrictedDTML
 
 security.declarePublic('DTML')
-class DTML(HTML):
+class DTML(RestrictedDTML, HTML):
     """DTML objects are DocumentTemplate.HTML objects that allow
        dynamic, temporary creation of restricted DTML."""
     def __call__(self, client=None, REQUEST={}, RESPONSE=None, **kw):
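
Review bot: In `class DTML(RestrictedDTML, HTML)` the base order is security-relevant and nothing says so. RestrictedDTML has to stay ahead of HTML so that its guarded_getattr() and guarded_getitem() win attribute lookup over anything HTML or its bases define under the same names. Add a comment on the class line stating that the order must not be swapped.
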
@@ -121,9 +121,6 @@
             return apply(HTML.__call__, (self, client, REQUEST), kw)
 
         finally: security.removeContext(self)
-
-    def read_guard(self, ob):
-        return full_read_guard(ob)
 
 security.apply(globals())
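
Review bot: With read_guard() deleted from DTML, the class body no longer shows any guard of its own, and a subclass outside this file that overrode read_guard() to tighten read checks would keep its override but, if nothing calls that hook any more, lose the restriction without any error. Suggest recording the removal in the change notes and checking for overrides of read_guard elsewhere in the tree before merging, or keeping a stub that raises so stale overrides and callers are noticed.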