[Zope] Security?

Casey Duncan casey at zope.com
Mon Dec 1 17:48:34 EST 2003


On Mon, 1 Dec 2003 15:30:36 -0700
"Goldthwaite, Joe" <joe at goldthwaites.com> wrote:

> Maybe I'm taking the wrong approach.  I'm using an external Python module
> because I'm the most comfortable with programming in a computer language.
> The module itself is fairly complex because it needs to pull in multiple
> lines of SQL data and then match them together.  For example, it puts
> current year, prior year, and plan data together into one line.  The line
> order is defined in another table.   I don't think I could do it using just
> ZPT or DTML.
> 
> I could do this with a Python script except that from the examples it looks
> like they're more procedural and don't work with Python classes.  I guess I
> could do that but I'm hesitant to give up OOP.

If you are passing instances of classes you have defined, try adding this class attribute to them:

class Foo:
  __allow_access_to_unprotected_subobjects__ = 1 # Allow ZPT access to instances
  ...

Do this for each class you intend to pass instances of to untrusted Zope code.

If you don't control the classes, then either subclass or return simple types (strings, lists of strings, dicts, etc.) to ZPT instead.

-Casey
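
Added example, not part of the original post: the two options from the reply side by side, using the report described in the question (current year, prior year and plan on one line, ordered by a separate table). All names (LineItem, ExposedLineItem, report_rows, cost_basis) and the sample data are hypothetical, and the code runs without Zope.

```python
class LineItem:
    """Stands in for a class you do not control (hypothetical)."""

    def __init__(self, key, label, current, prior, plan, cost_basis):
        self.key = key
        self.label = label
        self.current = current
        self.prior = prior
        self.plan = plan
        self.cost_basis = cost_basis  # internal value the template has no need for


class ExposedLineItem(LineItem):
    """Option 1: subclass and set the flag from the reply.

    With the flag set, restricted code such as ZPT can read the
    instance's attributes, cost_basis included.
    """
    __allow_access_to_unprotected_subobjects__ = 1


# Fields copied into the rows handed to the template (an assumption of this example).
EXPOSED_FIELDS = ("label", "current", "prior", "plan")


def report_rows(items, line_order):
    """Option 2: return simple types (a list of dicts) instead of instances.

    line_order is the list of keys read from the ordering table. Only the
    fields in EXPOSED_FIELDS are copied, so nothing else reaches the template.
    """
    by_key = {item.key: item for item in items}
    rows = []
    for key in line_order:
        item = by_key.get(key)
        if item is None:
            continue  # the ordering table names a line with no data
        rows.append({name: getattr(item, name) for name in EXPOSED_FIELDS})
    return rows


# Constructed sample data.
SAMPLE_ITEMS = [
    LineItem("cogs", "Cost of goods", 40, 35, 38, 0.61),
    LineItem("rev", "Revenue", 100, 90, 110, 0.0),
]
SAMPLE_ORDER = ["rev", "cogs", "missing"]
```

From an External Method, report_rows(SAMPLE_ITEMS, SAMPLE_ORDER) would be the return value that a ZPT tal:repeat iterates over.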


