Re: [Zope-dev] SVN: Zope/branches/2.12/ LP #1047318: Tighten import restrictions for restricted code.
Hi! Hanno Schlichting wrote:
> Log message for revision 127792: LP #1047318: Tighten import restrictions for restricted code.
CMF uses some ZTUtils in restricted code: Batch, LazyFilter, make_query and SimpleTreeMaker. The new Zope 2 releases (2.12.24 and 2.13.17) are not compatible with existing CMF releases. Is this intended?
CMF could declare the ZTUtils it uses as public. But that would require new CMF releases for the new maintenance releases of Zope. And other packages might have the same problem.
Where should this be fixed? Were the restrictions tightened too much in Zope?
Cheers, Yuppie
On Mon, Sep 10, 2012 at 10:31 AM, yuppie <y.2012@wcm-solutions.de> wrote:
> CMF uses some ZTUtils in restricted code: Batch, LazyFilter, make_query and SimpleTreeMaker. The new Zope 2 releases (2.12.24 and 2.13.17) are not compatible with existing CMF releases. Is this intended?
This wasn't intended.
> CMF could declare the ZTUtils it uses as public. But that would require new CMF releases for the new maintenance releases of Zope. And other packages might have the same problem.
ZTUtils is part of Zope2 and clearly intended for use inside templates / restricted code. So it should be fixed there.
> Were the restrictions tightened too much in Zope?
I'm not sure. There isn't really any clear documentation on what APIs you are supposed to use. It seems ZTUtils.__init__ sets __allow_access_to_unprotected_subobjects__ = 1 on the module scope level. But it doesn't use the allow_module or ModuleSecurityInfo APIs. I'm guessing this is all historical baggage and the "proper" APIs were only created much later.
Maybe some other long term developers can chime in with their perspective?
Hanno
On Mon, Sep 10, 2012 at 8:09 AM, Hanno Schlichting <hanno@hannosch.eu> wrote:
> On Mon, Sep 10, 2012 at 10:31 AM, yuppie <y.2012@wcm-solutions.de> wrote:
>> CMF uses some ZTUtils in restricted code: Batch, LazyFilter, make_query and SimpleTreeMaker. The new Zope 2 releases (2.12.24 and 2.13.17) are not compatible with existing CMF releases. Is this intended?
> This wasn't intended.
I agree these should not have been restricted.
>> CMF could declare the ZTUtils it uses as public. But that would require new CMF releases for the new maintenance releases of Zope. And other packages might have the same problem.
> ZTUtils is part of Zope2 and clearly intended for use inside templates / restricted code. So it should be fixed there.
>> Were the restrictions tightened too much in Zope?
> I'm not sure. There isn't really any clear documentation on what APIs you are supposed to use. It seems ZTUtils.__init__ sets __allow_access_to_unprotected_subobjects__ = 1 on the module scope level. But it doesn't use the allow_module or ModuleSecurityInfo APIs. I'm guessing this is all historical baggage and the "proper" APIs were only created much later.
> Maybe some other long term developers can chime in with their perspective?
Without digging much in the history, I'm inclined to agree with this analysis. I think the new APIs should be used, and tests added, to make sure these ZTUtils utilities are available from restricted code.
Cheers, Leo
participants (3)
- Hanno Schlichting
- Leonardo Rochael Almeida
- yuppie