[Zope] Re: [Zope-dev] Introspection, managing External Methods?

Andreas Kostyrka andreas@mtg.co.at
Tue, 20 Jul 1999 15:30:00 +0200 (CEST)


On Sun, 18 Jul 1999, Robin Becker wrote:

> In article <199907181357.XAA01659@mbuna.arbhome.com.au>, Anthony Baxter
> <anthony@interlink.com.au> writes
> >
> >This has come up on a number of occasions - the problem is that an
> >external method can subvert all the protections and access control
> >that Zope provides.
> >
> >Having said that, there's nothing stopping you (or someone else) 
> >writing an external method that allows you to edit external methods. :)
> >
> >Anthony
> >
> Yes, I know that external methods can do anything. But since the manager
> can destroy the site, what's wrong with allowing editing only for the
> manager? I realise that malicious managers could wipe the hard disk if
> the manager user could, but then so can the manager sitting at the
> console.

Nope. The semantic difference between a .dtml file and a .py file is
that .dtml always terminates.
DTMLs do not provide general looping or control-flow mechanisms, while
external methods written in Python do (while 1: pass).

Andreas
-- 
Win95: n., A huge annoying boot virus that causes random spontaneous system
     crashes, usually just before saving a massive project.  Easily cured by
     UNIX.  See also MS-DOS, IBM-DOS, DR-DOS, Win 3.x, Win98.