[Zope] Security and responsibility

Dieter Maurer dieter@handshake.de
Sun, 16 Jun 2002 22:37:28 +0200


Chris McDonough writes:
 > With regards to the restrictions on certain Python functions within
 > Zope, eval is definitely a no-no (as you could cause code to be executed
 > that you otherwise would not have privileges to execute, perhaps
 > something like "eval('context.Control_Panel.manage_shutdown()')").
But Zope could expose safe versions of a set of urgently missing
functions, for example:

	has_attribute(obj,attr) (defined as "hasattr(aq_base(obj),attr)")

	safe_eval (implemented the same way as evaluation in DTML or Page Template)

 > But
 > I'm afraid I can't actually think up a scenario where deepcopy or copy
 > would cause problems.
What about when I try to "deepcopy" the application root?
I can imagine that this operation is quite a big load for a large
Zope site.



Dieter
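
The difference between plain hasattr and the has_attribute proposed above, as an added example that is not part of the original message and is not Zope code: Wrapper and aq_base below are simplified stand-ins for acquisition wrappers (an assumption, not the Acquisition package), and Item is a constructed sample class.

```python
# Simplified stand-in for acquisition wrappers (assumption: NOT Zope's
# Acquisition package; Wrapper and this aq_base are toy versions).
class Wrapper:
    """Presents obj in the context of parent: attributes missing on obj
    are looked up ("acquired") from the containment chain."""

    def __init__(self, obj, parent):
        self._obj = obj
        self._parent = parent

    def __getattr__(self, name):
        # Reached only when normal lookup fails on the wrapper itself.
        if name.startswith("_"):
            raise AttributeError(name)
        try:
            return getattr(self._obj, name)
        except AttributeError:
            return getattr(self._parent, name)


def aq_base(obj):
    """Strip every wrapper layer and return the bare object."""
    while isinstance(obj, Wrapper):
        obj = obj.__dict__["_obj"]
    return obj


def has_attribute(obj, attr):
    """The definition from the message: hasattr(aq_base(obj), attr)."""
    return hasattr(aq_base(obj), attr)


class Item:
    """Constructed sample class standing in for a folder or document."""


def demo():
    root = Item()
    root.title = "Site root"          # defined on the container only
    folder = Wrapper(Item(), root)
    doc = Wrapper(Item(), folder)     # doc itself defines no title
    acquired = hasattr(doc, "title")          # True: found on root
    own_before = has_attribute(doc, "title")  # False: not on doc itself
    aq_base(doc).title = "My page"
    own_after = has_attribute(doc, "title")   # True: now on doc itself
    return acquired, own_before, own_after


if __name__ == "__main__":
    print(demo())
```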