[Zope-dev] SVN: Zope/branches/2.12/ LP #1047318: Tighten import restrictions for restricted code.

[Leonardo Rochael Almeida]

On Mon, Sep 10, 2012 at 8:09 AM, Hanno Schlichting <hanno at hannosch.eu> wrote:
> On Mon, Sep 10, 2012 at 10:31 AM, yuppie <y.2012 at wcm-solutions.de> wrote:
>> CMF uses some ZTUtils in restricted code: Batch, LazyFilter, make_query and
>> SimpleTreeMaker. The new Zope 2 releases (2.12.24 and 2.13.17) are not
>> compatible with existing CMF releases. Is this intended?
>
> This wasn't intended.

I agree these should have not been restricted.

>> CMF could declare the ZTUtils it uses as public. But that would require new
>> CMF releases for the new maintenance releases of Zope. And other packages
>> might have the same problem.
>
> ZTUtils is part of Zope2 and clearly intended for use inside templates
> / restricted code. So it should be fixed there.
>
>> Were the restrictions tightened too much in Zope?
>
> I'm not sure. There isn't really any clear documentation on what APIs
> you are supposed to use. It seems ZTUtils.__init__ sets
> __allow_access_to_unprotected_subobjects__ = 1 on the module scope
> level. But it doesn't use the allow_module or ModuleSecurityInfo APIs.
> I'm guessing this is all historical baggage and the "proper" APIs were
> only created much later.
>
> Maybe some other long term developers can chime in with their perspective?

Without digging much in the history, I'm inclined to agree with this
analysis. I think the new APIs should be used, and tests added, to
make sure these ZTUtils utilities are available from restricted code.

Cheers,

Leo