At 10:17 AM 1/19/2003, Tue Wennerberg wrote:
So it's a question of trust. But surely a script developer can be trusted not to cause a DoS on the site he's working on! Script developers should be empowered, not crippled!
Zope empowers the admin to control the environment. If the admin trusts the developers, that trust can be extended... but it is appropriate that someone with command-line access should be involved any time a developer wants to run unrestricted code. I think it's a question of preferring a configuration that is "more secure" by default and giving admins full power to loosen restrictions as they see fit.
And some script developers don't have access to the file system.
That's exactly the point.
So there it is. I'm writing this because I think that Zope is missing out on a great feature, and because I haven't gotten any answers indicating that there are other (worse) reasons why regular expressions are banned. Am I wrong? Am I being silly here?
It might be fun and/or interesting to make a product that validates and performs regexes in a trustworthy fashion. I'm not a regex guru, so I'm not sure exactly what level of validation is involved here. Installing something like this would still require admin participation, but could hook into the existing access controls such that use of the product could be restricted on a per-developer basis. Just thinkin'... Dylan