[Zope] Re: [Crew] Re: External Methods?

Pavlos Christoforou pavlos@gaaros.msrc.sunysb.edu
Tue, 2 Mar 1999 16:00:18 -0500 (EST)


In my experience many situations where external methods are needed do not
require access to the Zope data tree, like the math test example you
presented. 

One approach is to use a second server that does XML-RPC (Fredrik Lundh
has already written a client and a simple server) and set an
account/folder where everybody can upload their scripts and access them
through XML-RPC calls from their Zope environment. I suppose we can write
a product that provides the client site of the XML-RPC based on Fredrik's
implementation. As for the server site Jim once mentioned that the support
should go in ZPublisher but initially a simple server based on python
standard libraries will be adequate. Or use the newly released asyncore
libs though I suspect a multithreading server will be better in this
situation.

If however one requires access to the 'self' argument of an external
method such an approach will not be adequate. Usually though one can
collect the relevant parameters by using DTML calls and send them to the
XML-RPC server for processing.

Pavlos


On Tue, 2 Mar 1999, Tres Seaver wrote:

> Christopher G. Petrilli wrote:
> > 
> > On Tue, Mar 02, 1999 at 01:43:10PM -0600, Tres Seaver wrote:
> > 
> > > The particulars of my case are that the control structures of DTML are not quite
> > > powerful enough to accomplish my task;  of course, strengthening them, even in a
> > > "sandbox" model, still leaves open the possibility for buggy/malicious code to
> > > do ugly things (like your example below).
> > 
> > Well, it might help if you offered what control strucuture you need, we
> > might be able to come up wit han interim solution.
> 
> Ok, the "teeth-cutting" example I am trying to implement generates math-facts
> problems for my five year old.  In Python, two trivial functions:
> 
> 
> I _think_ this one is easy in DTML:
> 
>     def problem( max_term, operators ) :
>         """ Generate a single math-fact problem whose terms are within
>             range( max_term + 1 ), using one of the supplied operators.
>         """
>         lhs = random.randrange( max_term + 1 )
>         rhs = random.randrange( max_term + 1 )
>         operation = operators[ random.randrange( len( operators ) ) ]
>         return ( lhs, operation, rhs )
> 
> But not this one:
> 
>     def gen_problem( max_term, operators ) :
>         """ Generate a math-fact problem whose terms and results are all within
>             range( max_term ), using the supplied operators.
>         """
> 
>         while 1 : # Arbitrary looping! (could benefit from
>                   #   the dreaded assignment-in-conditional :)
> 
>             probStr = "%d %s %d" % problem( max_term, operators )
>             result = eval( probStr )
> 
>             if 0 <= result and result <= max_term :
>                 return probStr
> 
> And of course, the DTML syntax for something like this is going to be ugly.
> 
> > 
> > > Actually, the possibility which seemed most interesting was Doug Wyatt's
> > > suggestion of "federating" a set of independent Zbases under one (at least
> > > apparently one) server.  Then any damage my ExternalMethod did would be to the
> > > Zbase would be on my own head, at least.  If that server were actually a process
> > > running as me, then standard system security procedures should probably be fine.
> > >
> > 
> > TO me this is just a hack to get around it near term, and doesn't fix
> > the problem.  Also if you have 100 users, do you have 100 instances of
> > zope running under 1 ZServer?  That sounds like a true administrative
> > nightmare...  And substantial overkill.
> 
> One instance per "sandbox", not one per user (although on starship this is a
> distinction without a difference).  The "content manager only" applications will
> do fine in a single Zope instance, as now.
> 
> -- 
> =========================================================
> Tres Seaver         tseaver@palladion.com    713-523-6582
> Palladion Software  http://www.palladion.com
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://www.zope.org/mailman/listinfo/zope
>