[Zope] safe read-only access to acquisition parent objects

Eric Bréhault ebrehault at gmail.com
Mon Mar 5 07:14:12 EST 2007


Hello,

I have built a Plone product which allows users to enter a piece of Python
code.
This way, users can easily define their own actions without changing the
product source code.

Those pieces of code are executed using the exec Python command.

The problem is that nothing prevents the user from accessing any other object in
the ZODB (using getParentNode, or traverse) and modifying it (as long as the
user is allowed to use the method which runs his piece of code,
AccessControl will not check his permission during the execution itself).

So my first idea was to cut all the acquisition chain: I replace self with
aq_base(self) just before running the piece of code, and there is no way to
access anything outside the current object itself.

It is OK, but my product contains some methods which use Plone portal tools
(like MailHost, portal_membership), and I would like to offer the ability to
use those methods in the user defined pieces of code.
Of course, as I remove the acquisition chain, those methods don't work.

So my question is: is there a way to provide read-only access to the
current object's acquisition parents?
I thought about different ways:
- can we "lock" an object in the ZODB?
- can we build a read-only proxy to an object?
- can we make a temporary copy of an object that will be stored in the ZODB?
  (regarding that point, I know how to do it, but I am not sure about the
  performance...)

Any suggestions?

Regards,

Eric BREHAULT
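
The read-only proxy idea raised in the question, sketched as an added example that is not part of the original message and does not use Zope's Acquisition or AccessControl APIs: a plain-Python wrapper that permits reads and allowlisted method calls on a parent object and rejects everything else. `ReadOnlyProxy`, `run_user_code`, `Portal`, `send_mail` and `set_title` are hypothetical names, and `Portal` is a constructed stand-in for an acquisition parent.

```python
import copy
_SCALARS = (str, bytes, int, float, bool, type(None))

class ReadOnlyError(AttributeError):
    """Raised on a write, or on a call that is not allowlisted."""

def _wrap(value, allowed):
    if isinstance(value, _SCALARS):
        return value
    if isinstance(value, (list, dict, set, tuple)):
        return copy.deepcopy(value)        # detached copy; edits never reach the original
    return ReadOnlyProxy(value, allowed)   # nested objects stay read-only too

class ReadOnlyProxy(object):
    __slots__ = ("_target", "_allowed")
    def __init__(self, target, allowed=()):
        object.__setattr__(self, "_target", target)
        object.__setattr__(self, "_allowed", frozenset(allowed))
    def __getattribute__(self, name):
        if name.startswith("_"):
            raise ReadOnlyError("hidden attribute: " + name)
        allowed = object.__getattribute__(self, "_allowed")
        value = getattr(object.__getattribute__(self, "_target"), name)
        if callable(value):
            if name not in allowed:
                raise ReadOnlyError("method not allowlisted: " + name)
            return lambda *a, **kw: _wrap(value(*a, **kw), allowed)
        return _wrap(value, allowed)

    def __setattr__(self, name, value=None):
        raise ReadOnlyError("read-only: cannot modify " + name)
    __delattr__ = __setattr__              # deletes are refused the same way

class Portal(object):                      # constructed stand-in for a parent object
    def __init__(self):
        self.title, self.sent = "Site", []
    def send_mail(self, to):               # hypothetical allowlisted helper
        self.sent.append(to)
        return True
    def set_title(self, title):            # mutator, deliberately not allowlisted
        self.title = title

def run_user_code(source, parent):
    """exec user code with `parent` bound to a read-only view; output is read from `result`."""
    env = {"parent": ReadOnlyProxy(parent, allowed={"send_mail"}), "result": None}
    try:
        exec(source, env)
    except ReadOnlyError as err:
        return "blocked: %s" % err
    return env["result"]
```

A wrapper like this stops accidental writes only: code passed to a plain `exec` keeps full builtins and can unwrap a Python-level proxy, so restricting what that code may execute is a separate control.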