[Zope3-dev] Security Policy

[Jeffrey P Shell]

On 1/30/02 4:20 PM, "Andy McKay" <andym@ActiveState.com> wrote:

> Am I way ahead of things (or way behind) on asking what sort of security
> policy Zope 3 will have with regards TTW scripting.
> 
> With the move away from DTML towards a more CMF style site will we finally
> have a relaxation of the security rules that stop people importing easily into
> python scripts (for example)? Ideally there would be various levels of
> security in the config that would allow the sys admin to determine how tight
> security is.
> 
> I know Jim doesn't like allowing file access TTW but I think people get very
> frustrated that they cant just use modules in Python Scripts.

In some regards, the sys admin today can allow modules to be imported via
ModuleSecurityInfo, and some other utility functions.  I've used this just
to allow access to some of my own utilities in a site I'm working on so I
don't have to deal with configuring external methods for simple things.

>> Utility Functions For Allowing Import of Modules By Through The Web Code
>> 
>> Instead of manually providing security declarations for each function in a
>> module, the utility function "allow_class" and "allow_module" have been
>> created to help you declare the entire contents of a class or module as
>> public. 
>> 
>> 
>> 
>> 
>> You can handle a module, such as base64, that contains only safe functions by
>> writing allow_module("module_name"). For instance:
>> 
>> 
>>       from Products.PythonScripts.Utility import allow_module
>>       allow_module("base64")
>> 
>> 
>> 
>> This statement declares all functions in the base64 module ( encode, decode,
>> encodestring, and decodestring ) as public, and from a script you will now be
>> able to perform an import statement such as "from base64 import
>> encodestring". 

(from ZDG Chapter 7, <http://www.zope.org/Documentation/ZDG/Security.stx>)

-- 
Jeffrey P Shell 
www.cuemedia.com