[Zope-Coders] Re: [Zope-Checkins] CVS: Zope/lib/python/AccessControl - ZopeGuards.py:1.13
Chris Withers
chrisw@nipltd.com
Wed, 18 Dec 2002 13:36:40 +0000
Shane Hathaway wrote:
>
> The TransparentFolders product requires users to overwrite one of the
> modules in the Zope source.
You might be able to use the stuff that PluginIndexes use to get imported first
to make sure you hot-swap the required module before other stuff needs it, so
removing the need to actually replace the module on disk.
> That said, here's a variation on one of the ideas you proposed that might
> work out just right: if the requested module is not yet in sys.modules,
> scan sys.path for a file called <module>/zope_security.py[co]. Don't
> import anything yet, just look for the file. If the file is found, *then*
> you can import it, and it will make the declarations.
Did you see my followup in the collector? I prefer that idea but yours may be
just as simple to implement...
> That strategy may not carry over directly to Zope 3, but I bet Zope 3 will
> do something similar. It achieves all the right goals, I think.
Indeed. Unless someone creates a zope_security module for some other reason :-S
> I look forward to it. I think you can get this right--I've needed
> this functionality myself before. But please be careful, work on a
> branch, and write unit tests that verify modules don't accidentally get
> imported in order to check declarations.
Hmmm... how, and more importantly, where should I write these unit tests?
>>I don't believe it does compromise security. We're always bending over
>>backwards to cater for the use case where semi-trusted users write code.
>>This is such an edge case that I really think we should discuss whether
>>it needs to exist or not at some point...
>
> It's not an edge case, it's one of Zope's most valuable assets. We've
> been using it at ZC extensively lately.
Really? That's changed recently then. BTW, I don't count customers as
'semi-trusted users'. They are fully trusted users, especially if they choose to
get involved in writing code ;-)
If they're not customers, then I'm pretty interested. Are they projects you can
discuss?
cheers,
Chris
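
The lookup described in the quoted text above (scan sys.path for `<module>/zope_security.py[co]` and import only when the file exists), as an added example that is not part of the original message or of Zope's code. The function names, the `ALLOWED` attribute, the two package names and the choice to return nothing when the module is already loaded are assumptions made for illustration; `demo()` also shows the kind of check a unit test could make to confirm that a module without declarations is not imported.

```python
import importlib
import os
import sys
import tempfile

DECL_NAME = "zope_security"          # file name proposed in the thread
SUFFIXES = (".py", ".pyc", ".pyo")   # the "[co]" variants from the thread


def find_declaration_file(module_name, search_path=None):
    """Return the path of <module>/zope_security.py[co], or None.

    Only the filesystem is inspected; nothing is imported.
    """
    rel = os.path.join(*module_name.split("."))
    for entry in (sys.path if search_path is None else search_path):
        for suffix in SUFFIXES:
            candidate = os.path.join(entry or os.curdir, rel, DECL_NAME + suffix)
            if os.path.isfile(candidate):
                return candidate
    return None


def load_declarations(module_name):
    """Import <module>.zope_security only if the file exists on disk."""
    if module_name in sys.modules:   # assumption: already loaded, skip the scan
        return None
    if find_declaration_file(module_name) is None:
        return None                  # no declarations, so no import at all
    return importlib.import_module(module_name + "." + DECL_NAME)


def demo():
    """Build two constructed packages; only the declared one gets imported."""
    root = tempfile.mkdtemp()
    for pkg, declared in (("declared_pkg", True), ("plain_pkg", False)):
        os.mkdir(os.path.join(root, pkg))
        with open(os.path.join(root, pkg, "__init__.py"), "w") as f:
            f.write("IMPORTED = True\n")
        if declared:                 # ALLOWED is a hypothetical declaration
            with open(os.path.join(root, pkg, DECL_NAME + ".py"), "w") as f:
                f.write("ALLOWED = ('safe_function',)\n")
    sys.path.insert(0, root)
    try:
        decl = load_declarations("declared_pkg")
        skipped = load_declarations("plain_pkg")
        return decl.ALLOWED, skipped, "plain_pkg" in sys.modules
    finally:
        sys.path.remove(root)
```

Importing `<module>.zope_security` also runs the parent package's `__init__`, so the guarantee is only that packages without a declaration file are never imported by the check.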