[Zope] build a safe proxy
Eric Bréhault
ebrehault at gmail.com
Thu Mar 15 16:19:29 EDT 2007
No :-)
I just want to run untrusted Python code using exec and I need this code to
be allowed to access few methods on few Plone portal tools, but nothing
else.
For instance:
portal_membership.getMemberById(id).getProperty('email')
would be accepted but:
portal_membership.addMember()
would be forbidden.
I tried to use zope.security.untrustedpython and also I had a look in
zope.tales.expressions to understand how it works but I didn't succeed in
understanding how I can define what is authorized and what is forbidden.
Apparently it must be done using NamesChecker but I haven't found
documentation about it (I tried to copy/paste the unit tests but
unsuccessfully...).
What would you recommend ? What is the 'official' way to run an untrusted
python code with exec and control what this code can do or not ?
Thanks,
Eric BREHAULT
On 3/15/07, Andreas Jung <lists at zopyx.com> wrote:
>
>
>
> --On 15. März 2007 16:33:56 +0100 Eric Bréhault <ebrehault at gmail.com>
> wrote:
>
> > Hello,
> >
> > I am trying to build a safe proxy to wrap the Plone portal object in
> order
> > to control what is allowed or not.
>
> You're trying to reinvent the Zope security machinery?
>
> -aj
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.zope.org/pipermail/zope/attachments/20070315/4deae139/attachment.htm
More information about the Zope
mailing list