If the Zope is installed on a machine that someone else has superuser access to, then I'd say that they can see the source to any of your objects. All you need to do is copy the zope directory, run zpasswd.py on the new zope instance, start it up on a new machine or new port, and they can see anything in the ZODB that they want to. They wouldn't have the ability to modify the Zope that you provided, at least without you knowing that the password changed, but I don't know if that matters.

Sorry, I know that's not the answer you wanted. What will you use if you don't use Zope?

-Paul

Harry Wilkinson wrote:
On Monday 29 April 2002 2:36 pm, Paul Winkler wrote:
On Mon, Apr 29, 2002 at 12:16:54PM +0200, Pawel Lewicki wrote:
Hallo, I was asked to make a web application that seems to be perfect to be built in Zope and Python. And it is also a great opportunity to get to know the second one :) But the main issue is the security of the source code. I was browsing the archive and haven't found a yes/no answer as to whether it is possible. There are a few security layers:
1. Zope management (I suppose the easiest)
2. Data.fs (Can you pull the stored objects and browse externally?)
Yes, should be possible. AFAIK Data.fs is just a big pickle dump, so all you'd need to explore it is a python interpreter.
I don't think it's *just* a big pickle dump, although yes I think the data is pickled Python objects stored in a file. It's a bit more organised than just dumping everything to a file though.
You can access the ZODB through just Python now, I think. I hear a lot of work has gone into making ZODB a standalone Python product. If you want to access data stored in that Data.fs through something other than Zope, I suggest you look at the ZODB source/docs.
HarryW
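
Added example, not part of the original thread: a sketch of why read access to a file of pickled objects amounts to read access to their contents, which is the reason Data.fs needs the same filesystem protection as the source itself. The `StoredScript` class, the sample bodies and the back-to-back record layout are constructed stand-ins, not the real Data.fs format; the walk uses only the standard `pickletools` module and never unpickles anything.

```python
import io
import pickle
import pickletools

# Opcodes that carry text in the pickle protocols used here.
TEXT_OPCODES = {"BINUNICODE", "SHORT_BINUNICODE", "UNICODE",
                "BINSTRING", "SHORT_BINSTRING", "STRING"}


class StoredScript:
    """Constructed stand-in for a persistent object whose state holds source text."""

    def __init__(self, obj_id, body):
        self.id = obj_id
        self.body = body


def build_sample_store():
    """Return several pickles written back to back (constructed sample data)."""
    objs = [
        StoredScript("calc_price", "return base * 1.22"),
        StoredScript("check_login", "return user == 'demo'"),
    ]
    return b"".join(pickle.dumps(o, protocol=2) for o in objs)


def inspect_stream(data):
    """List class references and text found in each pickle in the stream.

    Only opcodes are decoded; no class is imported and nothing is executed,
    so the application code does not need to be present.
    """
    stream = io.BytesIO(data)
    findings = []
    while stream.tell() < len(data):
        classes, strings = [], []
        # genops stops after the STOP opcode, leaving the stream at the next pickle.
        for opcode, arg, _pos in pickletools.genops(stream):
            if opcode.name == "GLOBAL":
                module, name = arg.split(" ", 1)
                classes.append(module + "." + name)
            elif opcode.name in TEXT_OPCODES:
                strings.append(arg)
        findings.append((classes, strings))
    return findings


if __name__ == "__main__":
    for classes, strings in inspect_stream(build_sample_store()):
        print(classes, strings)
```

Every attribute name and value, including the script bodies, comes back in clear text, so the file needs to be readable only by the account that runs the server.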