[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13

Shane Hathaway shane@zope.com
Wed, 18 Dec 2002 08:11:39 -0500 (EST)


On Wed, 18 Dec 2002, Chris Withers wrote:

> Ken Manheimer wrote:
> >>How does Zope find these declarations?
> >>Answer: by importing the module.
> > 
> > That's not the whole story.  A module need not make its own security
> > declarations - other modules can do so (using eg ModuleSecurityInfo).
> 
> Yeah, but if you're distributing a package (stripogram in this case),
> it's very difficult to help people to make it work. Explaining that they
> either have to go and 'hack their Zope source' by twiddling in
> Products/PythonScripts/standard.py _or_ put the package in Products but
> then make sure they change all their import statements to start with
> 'Products.' _or_ write a pseudo product that does nothing but make the
> security assertions for the package (which they'd have to copy from the
> package source somewhere) just so they can use a package from
> Script(Python)'s all seems like a bit of a nightmare and often ends up
> with complaints of "you said it would work, but it didn't!"

The TransparentFolders product requires users to overwrite one of the
modules in the Zope source.  It's a pain, but people do it, and they don't
complain.  You're able to ask much less of people, by providing a pseudo
product.  You're in a better situation than I am.

That said, here's a variation on one of the ideas you proposed that might
work out just right: if the requested module is not yet in sys.modules,
scan sys.path for a file called <module>/zope_security.py[co].  Don't
import anything yet, just look for the file.  If the file is found, *then*
you can import it, and it will make the declarations.

That strategy may not carry over directly to Zope 3, but I bet Zope 3 will 
do something similar.  It achieves all the right goals, I think.

> > There **must** be some way
> > to prevent import of modules, and it must be a deliberate-allow
> > policy, rather than deliberate-deny.
> 
> Agreed. Evan has made some good suggestions in the collector, which I'm
> going to implement today.

I look forward to it.  I think you can get this right--I've needed 
this functionality myself before.  But please be careful, work on a 
branch, and write unit tests that verify modules don't accidentally get 
imported in order to check declarations.

> > serves as i suggest.  Even if it's not just convenience, and a feature
> > is blocked, that's no excuse to compromise security.
> 
> I don't believe it does compromise security. We're always bending over
> backwards to cater for the use case where semi-trusted users write code.
> This is such an edge case that I really think we should discuss whether
> it needs to exist or not at some point...

It's not an edge case, it's one of Zope's most valuable assets.  We've
been using it at ZC extensively lately.

Shane
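The lookup strategy Shane sketches above (check sys.modules, then scan sys.path for <module>/zope_security.py[co] without importing anything, and import only once the file is found), written out as an added example that is not code from this thread or from Zope itself. The function names, the two constructed packages and the DECLARED flag are assumptions; demo() performs the kind of check his suggested unit test would make, confirming that a package without a declarations file is never imported as a side effect of the lookup.

```python
import importlib
import os
import sys
import tempfile

# Hypothetical file names for the proposed per-package declarations module.
SECURITY_FILE_NAMES = ("zope_security.py", "zope_security.pyc", "zope_security.pyo")

def find_security_file(package, search_path=None):
    """Return the path of <package>/zope_security.py[co] on the path, or None.
    Only the filesystem is inspected; the package itself is never imported."""
    for entry in (sys.path if search_path is None else search_path):
        for fname in SECURITY_FILE_NAMES:
            candidate = os.path.join(entry or os.curdir, package, fname)
            if os.path.isfile(candidate):
                return candidate
    return None

def load_declarations(package, search_path=None):
    """Deliberate-allow: import <package>.zope_security only if the file exists.
    Returns False, having imported nothing, when no declarations file is found."""
    name = package + ".zope_security"
    if name in sys.modules:
        return True  # declarations already made
    if find_security_file(package, search_path) is None:
        return False
    importlib.invalidate_caches()  # the package may have appeared after startup
    importlib.import_module(name)  # importing the file is what makes the declarations
    return True

def demo():
    """Constructed packages: one ships zope_security.py, the other does not."""
    root = tempfile.mkdtemp()
    for pkg, extra in (("trusted_pkg", {"zope_security.py": "DECLARED = True\n"}),
                       ("untrusted_pkg", {})):
        os.mkdir(os.path.join(root, pkg))
        for fname, body in {"__init__.py": "", **extra}.items():
            with open(os.path.join(root, pkg, fname), "w") as f:
                f.write(body)
    sys.path.insert(0, root)  # make the constructed packages importable
    return {
        "trusted": load_declarations("trusted_pkg", [root]),
        "declared": getattr(sys.modules.get("trusted_pkg.zope_security"), "DECLARED", False),
        "untrusted": load_declarations("untrusted_pkg", [root]),
        "untrusted_imported": "untrusted_pkg" in sys.modules,
    }
```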