[Zope-dev] SVN: Zope/branches/2.12/ LP #1047318: Tighten import restrictions for restricted code.

Hanno Schlichting hanno at hannosch.eu
Mon Sep 10 11:09:27 UTC 2012

On Mon, Sep 10, 2012 at 10:31 AM, yuppie <y.2012 at wcm-solutions.de> wrote:
> CMF uses some ZTUtils in restricted code: Batch, LazyFilter, make_query and
> SimpleTreeMaker. The new Zope 2 releases (2.12.24 and 2.13.17) are not
> compatible with existing CMF releases. Is this intended?

This wasn't intended.

> CMF could declare the ZTUtils it uses as public. But that would require new
> CMF releases for the new maintenance releases of Zope. And other packages
> might have the same problem.

ZTUtils is part of Zope2 and clearly intended for use inside templates
/ restricted code. So it should be fixed there.

> Were the restrictions tightened too much in Zope?

I'm not sure. There isn't really any clear documentation on what APIs
you are supposed to use. It seems ZTUtils.__init__ sets
__allow_access_to_unprotected_subobjects__ = 1 on the module scope
level. But it doesn't use the allow_module or ModuleSecurityInfo APIs.
I'm guessing this is all historical baggage and the "proper" APIs were
only created much later.

Maybe some other long term developers can chime in with their perspective?


More information about the Zope-Dev mailing list