[Zope] Python scripts
Hi On Zope 2.10 is there a simple/universal way to only allow python scripts to be called by DTML methods or other python scripts and not directly TTW? Thanks Rich ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Python scripts
On 6 July 2012 14:09, Richard Harley wrote: > On Zope 2.10 is there a simple/universal way to only allow python scripts to > be called by DTML methods or other python scripts and not directly TTW? You can check that the script is not the published object with: if container.REQUEST['PUBLISHED'] is script: raise 'Forbidden' For newer versions of Zope raise an exception object: from zExceptions import Forbidden if container.REQUEST['PUBLISHED'] is script: raise Forbidden('Script may not be published.') Laurence ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Python scripts
That works great, thanks. So there is no way to do this across, say, a folder with hundreds of scripts in without duplicating the code in each individually? On 06/07/12 13:30, Laurence Rowe wrote: On 6 July 2012 14:09, Richard Harley wrote: On Zope 2.10 is there a simple/universal way to only allow python scripts to be called by DTML methods or other python scripts and not directly TTW? You can check that the script is not the published object with: if container.REQUEST['PUBLISHED'] is script: raise 'Forbidden' For newer versions of Zope raise an exception object: from zExceptions import Forbidden if container.REQUEST['PUBLISHED'] is script: raise Forbidden('Script may not be published.') Laurence ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Python scripts
On 6 July 2012 16:36, Richard Harley wrote: > That works great, thanks. So there is no way to do this across, say, a > folder with hundreds of scripts in without duplicating the code in each > individually? For one Plone hotfix we took the approach of blacklisting certain scripts by monkey-patching Bindings._bindAndExec (Bindings is a superclass of PythonScript): from Shared.DC.Scripts.Bindings import Bindings from zExceptions import Forbidden DO_NOT_PUBLISH = [ 'script_id', ... ] def _patched_bindAndExec(self, args, kw, caller_namespace): '''Prepares the bound information and calls _exec(), possibly with a namespace. ''' template_id = hasattr(self, 'getId') and self.getId() or '' request = getattr(self, 'REQUEST', None) if (template_id and request and template_id in DO_NOT_PUBLISH and request.get('PUBLISHED') is self): raise Forbidden('Script may not be published.') return self._original_bindAndExec(args, kw, caller_namespace) Bindings._original_bindAndExec = Bindings._bindAndExec Bindings._bindAndExec = _patched_bindAndExec You could create an unpublishable subclass of PythonScript using a similar technique. Ideally PythonScripts would opt in to being publishable based on some metadata option. Laurence ___ Zope maillist - Zope@zope.org https://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - https://mail.zope.org/mailman/listinfo/zope-announce https://mail.zope.org/mailman/listinfo/zope-dev )