[Zope] Python scripts

2012-07-06 Thread Richard Harley

Hi

On Zope 2.10 is there a simple/universal way to only allow python 
scripts to be called by DTML methods or other python scripts and not 
directly TTW?

Thanks
Rich
___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Python scripts

2012-07-06 Thread Laurence Rowe
On 6 July 2012 14:09, Richard Harley wrote:
> On Zope 2.10 is there a simple/universal way to only allow python scripts to
> be called by DTML methods or other python scripts and not directly TTW?

You can check that the script is not the published object with:

    if container.REQUEST['PUBLISHED'] is script:
        raise 'Forbidden'

For newer versions of Zope raise an exception object:

    from zExceptions import Forbidden
    if container.REQUEST['PUBLISHED'] is script:
        raise Forbidden('Script may not be published.')

Laurence


Re: [Zope] Python scripts

2012-07-06 Thread Richard Harley
That works great, thanks. So there is no way to do this across, say, a 
folder with hundreds of scripts in without duplicating the code in each 
individually?



On 06/07/12 13:30, Laurence Rowe wrote:
> On 6 July 2012 14:09, Richard Harley wrote:
>> On Zope 2.10 is there a simple/universal way to only allow python scripts to
>> be called by DTML methods or other python scripts and not directly TTW?
>
> You can check that the script is not the published object with:
>
>     if container.REQUEST['PUBLISHED'] is script:
>         raise 'Forbidden'
>
> For newer versions of Zope raise an exception object:
>
>     from zExceptions import Forbidden
>     if container.REQUEST['PUBLISHED'] is script:
>         raise Forbidden('Script may not be published.')
>
> Laurence


Re: [Zope] Python scripts

2012-07-06 Thread Laurence Rowe
On 6 July 2012 16:36, Richard Harley wrote:
> That works great, thanks. So there is no way to do this across, say, a
> folder with hundreds of scripts in without duplicating the code in each
> individually?

For one Plone hotfix we took the approach of blacklisting certain
scripts by monkey-patching Bindings._bindAndExec (Bindings is a
superclass of PythonScript):

    from Shared.DC.Scripts.Bindings import Bindings
    from zExceptions import Forbidden

    # Ids of the scripts that must not be reachable directly by URL.
    DO_NOT_PUBLISH = [
        'script_id',
        # ...
    ]

    def _patched_bindAndExec(self, args, kw, caller_namespace):
        '''Prepares the bound information and calls _exec(), possibly
        with a namespace.
        '''
        template_id = hasattr(self, 'getId') and self.getId() or ''
        request = getattr(self, 'REQUEST', None)
        # Refuse only when the publisher resolved the URL to this script
        # itself; calls from DTML or other scripts pass through.
        if (template_id and request and template_id in DO_NOT_PUBLISH and
                request.get('PUBLISHED') is self):
            raise Forbidden('Script may not be published.')
        return self._original_bindAndExec(args, kw, caller_namespace)

    # Keep a reference to the original method, then install the patch.
    Bindings._original_bindAndExec = Bindings._bindAndExec
    Bindings._bindAndExec = _patched_bindAndExec

You could create an unpublishable subclass of PythonScript using a
similar technique. Ideally PythonScripts would opt in to being
publishable based on some metadata option.

Laurence
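
The opt-in idea from the last message, as an added example that is not part of the original thread and is not Zope or Plone code: a stand-alone model in which the patched _bindAndExec denies publication by default instead of consulting an id list, which covers the folder-of-hundreds case without editing each script. The classes are stand-ins for the Zope ones, and the `publishable` flag and the `publish` and `demo` helpers are hypothetical.

```python
# Stand-alone model (constructed; runs without Zope) of a default-deny
# variant of the _bindAndExec patch discussed in the thread.
class Forbidden(Exception):
    """Stand-in for zExceptions.Forbidden."""

class Bindings(object):
    """Stand-in for Shared.DC.Scripts.Bindings.Bindings."""
    def _bindAndExec(self, args, kw, caller_namespace):
        return self._exec(*args, **kw)

class PythonScript(Bindings):
    """Stand-in for a Script (Python) object."""
    publishable = False  # hypothetical opt-in flag, not a real Zope property

    def __init__(self, script_id, request, body):
        self.id, self.REQUEST, self._exec = script_id, request, body

    def __call__(self, *args, **kw):
        return self._bindAndExec(args, kw, None)

def _patched_bindAndExec(self, args, kw, caller_namespace):
    request = getattr(self, 'REQUEST', None)
    # Refuse only when the publisher resolved the URL to this very script;
    # a script called by another script sees a different PUBLISHED object.
    if request is not None and request.get('PUBLISHED') is self:
        if not getattr(self, 'publishable', False):
            raise Forbidden('Script may not be published.')
    return self._original_bindAndExec(args, kw, caller_namespace)

Bindings._original_bindAndExec = Bindings._bindAndExec
Bindings._bindAndExec = _patched_bindAndExec

def publish(request, obj):
    """Model of the publisher: record the traversed object, then call it."""
    request['PUBLISHED'] = obj
    try:
        return obj()
    except Forbidden as exc:
        return 'Forbidden: %s' % exc

def demo():
    request = {}  # constructed stand-in for REQUEST
    helper = PythonScript('helper', request, lambda: 'secret')
    page = PythonScript('page', request, lambda: 'page:' + helper())
    page.publishable = True  # the only script that opts in
    # First result: helper requested directly. Second: helper reached via page.
    return publish(request, helper), publish(request, page)
```
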