Re: [Zope] building a revisitable object list???
Evan Simpson <evan@digicool.com> wrote:
----- Original Message ----- From: Tres Seaver <tseaver@palladion.com>
That 'leaves.update(..)' is a really ugly workaround to the fact that PythonMethods won't allow the "natural" dictionary manipulation: 'leaves[ leaf.id ] = leaf'. While I understand not wanting to allow key replacement in "global" dictionaries, can we lose this restriction for "local" ones?
Yes we can, provided you code carefully. See my PROPOSAL: in Zope-dev a few weeks ago.
(OTOH, we need to look at potential security issues around the use of update(), too).
Too true. Any exposed list or dict needs a sharp examination.
Cheers,
Evan @ digicool
Hmm, maybe we need to wrap any "global" dictionary / list in a "readonly decorator", and let lists/dictionaries declared locally be the "normal" ones.

Actually, looking at the stock Python UserDict, we could just wrap any dictionary exposed inside a PythonMethod (DTML, too?) in a UserDict: its __init__() method already makes a (shallow) copy of the dictionary passed to it. Any key assignments done would thus be localized (although mutable values inside the source dictionary could still be munged).

Tres.
--
=========================================================
Tres Seaver tseaver@palladion.com 713-523-6582
Palladion Software http://www.palladion.com
----- Original Message ----- From: Tres Seaver <tseaver@palladion.com>
Hmm, maybe we need to wrap any "global" dictionary / list in a "readonly decorator", and let lists/dictionaries declared locally be the "normal" ones.
It should be enough to have the wrapper not implement 'append', 'extend', etc., since DTML/PM security only lets method calls mutate these objects. I would *love* to come up with a way to implement this on the DTML side rather than searching Zope for dangerous exposed mutable objects. One way would be to automatically wrap all *local* lists and dicts, then insert checks to allow only 'read' methods of raw types. Yechh.

Cheers,
Evan @ digicool
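The two ideas discussed in this thread, side by side, as an added example that is not part of the original messages and is not Zope code: a UserDict shallow copy, which localizes key assignment but still shares mutable values, and a wrapper that defines no mutating methods. It uses modern Python's `collections.UserDict`; `ReadOnlyDict`, `ReadOnlyList`, `guard` and `demo` are hypothetical names, and wrapping nested values on access goes one step beyond what the messages propose.

```python
from collections import UserDict
from collections.abc import Mapping, Sequence

# Assumption: restricted code cannot reach underscore-prefixed attributes
# such as _source; plain Python does not enforce that by itself.

class ReadOnlyDict(Mapping):
    """Read methods only: no __setitem__, update, pop or clear exist."""
    def __init__(self, source):
        self._source = source
    def __getitem__(self, key):
        return guard(self._source[key])   # nested values are wrapped too
    def __iter__(self):
        return iter(self._source)
    def __len__(self):
        return len(self._source)

class ReadOnlyList(Sequence):
    """Read methods only: no append, extend, insert or item assignment."""
    def __init__(self, source):
        self._source = source
    def __getitem__(self, index):
        return guard(self._source[index])  # slices come back wrapped
    def __len__(self):
        return len(self._source)

def guard(value):
    """Wrap raw dicts and lists; pass every other value through."""
    if isinstance(value, dict):
        return ReadOnlyDict(value)
    if isinstance(value, list):
        return ReadOnlyList(value)
    return value

def demo():
    shared = {"title": "site", "roles": ["Anonymous"]}  # constructed sample

    # Shallow copy: key assignment stays local, the inner list is shared.
    local = UserDict(shared)
    local["title"] = "changed locally"
    local["roles"].append("Manager")
    title_intact = shared["title"] == "site"
    leaked = shared["roles"] == ["Anonymous", "Manager"]

    # Wrapper without mutators: each mutation attempt fails.
    view = guard(shared)
    attempts = (lambda: view.update({"title": "x"}),
                lambda: view.__setitem__("title", "x"),
                lambda: view["roles"].append("Owner"))
    blocked = []
    for attempt in attempts:
        try:
            attempt()
            blocked.append(False)
        except (AttributeError, TypeError):
            blocked.append(True)
    return title_intact, leaked, blocked
```
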