[Zope-dev] Trying to design a PythonMethod Product

Evan Simpson evan@tokenexchange.com
Wed, 11 Aug 1999 16:34:39 -0500


I'm making a serious run at trying to create a Product which will allow
through-the-web creation of methods written in straight Python.  Right now
what I've got is a pile of brainstorming, and I'd appreciate feedback.

Basically, I plan to take an arbitrary chunk of Python code, wrap it in a
function definition, compile it, and then thrash the resulting bytecodes
with bytecodehacks (see http://starship.python.net/crew/mwh/bch/index.html).
This will serve the dual purposes of enforcing restrictions on what the code
can do, and bending the semantics for better Zope integration.

Thoughts so far:

1. Must store a PythonMethod as raw text for editing purposes.  Compile/hack
on each load, or try to store the compiled function for speed?

2. Allow simple assignment, and no other kind. "x = anything" is legal, but
not "x[0] = ...", "x.spam = ...", "x() = ...", etc.  Tuple/list unpacking
might also be allowed.

3. Disallow "del" and "exec" entirely.

4. Restrict "import" to modules/packages found in a particular location, so
that 'safe' modules can be used.

5. Allow "while" and "for".  Insert 'escape code' at the bottom of every
loop, to allow PythonMethods to 'time out' after some elapsed time or loop
count.

6. Allow "print" to be used to generate rendered output by replacing it with
a function that accumulates text.  If anything other than literal "None" is
returned, the collected "print" text is discarded, otherwise it becomes the
return value (on "return", "return None", and on implicit return, but not on
"x=None; return x", for example).

7. Either disallow "global", or redirect access to globals into a controlled
namespace.

8. Provide the Zope standard builtins (and tags?) as builtins.

or-have-I-missed-a-showstopper-ly y'rs
Evan Simpson
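
As an added illustration (not code from this post or from Zope), the static part of the list above, points 2, 3, 4 and 7, can be checked on the parsed source before anything is compiled. It uses Python's `ast` module rather than the bytecodehacks approach the post describes; `SAFE_MODULES`, `RuleChecker` and `check_method_body` are hypothetical names, and a fixed allow-list stands in for the 'safe' module location.

```python
import ast
import textwrap

SAFE_MODULES = {"math", "string"}  # assumption: stands in for the 'safe' module location

class RuleChecker(ast.NodeVisitor):
    """Collects (body_line, message) pairs; lines are shifted by one for the wrapping def."""
    def __init__(self):
        self.violations = []
    def _flag(self, node, msg):
        self.violations.append((node.lineno - 1, msg))

    def _check_target(self, node, target):
        # Point 2: plain names, or tuple/list unpacking into plain names.
        if isinstance(target, (ast.Tuple, ast.List)):
            for elt in target.elts:
                self._check_target(node, elt)
        elif isinstance(target, ast.Starred):
            self._check_target(node, target.value)
        elif not isinstance(target, ast.Name):
            self._flag(node, "only simple assignment is allowed")

    def visit_Assign(self, node):
        for target in node.targets:
            self._check_target(node, target)
        self.generic_visit(node)

    def visit_AugAssign(self, node):
        self._check_target(node, node.target)
        self.generic_visit(node)
    visit_For = visit_AugAssign  # a loop variable is an assignment target too

    def visit_Delete(self, node):  # points 3 and 7
        self._flag(node, type(node).__name__ + " statement is not allowed")
    visit_Global = visit_Delete

    def visit_Name(self, node):
        if node.id == "exec":  # a builtin in Python 3, a statement in 1999
            self._flag(node, "exec is not allowed")

    def visit_Import(self, node):  # point 4
        for alias in node.names:
            if alias.name.split(".")[0] not in SAFE_MODULES:
                self._flag(node, "import of %r is not allowed" % alias.name)
    def visit_ImportFrom(self, node):
        if node.level or (node.module or "").split(".")[0] not in SAFE_MODULES:
            self._flag(node, "import from %r is not allowed" % node.module)

def check_method_body(body):
    checker = RuleChecker()
    checker.visit(ast.parse("def method():\n" + textwrap.indent(body, "    ")))
    return sorted(checker.violations)
```

The loop time-out (point 5) and the `print` capture (point 6) change what the code does at run time, so they need a rewrite of the tree or the bytecode and are outside this check.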