On Apr 10, 2009, at 11:32 AM, Hanno Schlichting wrote:
We do have the use-case of allowing trusted people to add templates or code TTW and many other things like data level and view based security. The RestrictedPython case however is something we will gladly give up.
Trusted people!? Are you checking their ID at the door? All you have in terms of trust are their credentials. You don't want to allow many, many things TTW, even if they logged in with the trusted credentials. Otherwise, you give them the same credentials on your physical machine that serves that app (e.g. they import os TTW). Finally, even if you are fine with allowing that because you trust them, who guarantees that every login with those credentials is really that trusted person? Zvezdan