[Zope] Help! How do I get my namespace in Python??

Andrew Wilcox circle@gwi.net
Thu, 16 Dec 1999 12:35:06 -0500


Jim Fulton wrote:
>If this is what you want to do, then you need to pass the namespace 
>to the Python function. You will have to do this explicitly.
>
>
>     def test(self, namespace):
>         return self.myDTMLMethod(self, namespace)
>
>if test is an ordinary Python method (defined
>in some base class), then you don't need to 
>pass self, so from DTML:
>
>     <dtml-var standard_html_header>
>     <dtml-let food="'Popcorn'">
>      test says: <dtml-var expr="test(_)">
>     </dtml-let>
>     <dtml-var standard_html_footer>

This works!

But is there a danger of bypassing security?

I am working on a product, tableView, which Zope hosters may want to
install for their users.

If I don't pass in the namespace, the called DTML doesn't get permissions
to do much of anything.  If I do pass in the namespace, then it looks like
it gets regular permissions.

But if Zope is relying on the namespace to check permissions, then is there
a danger that a user using my product could create their own munged
dictionary, pass it in as the "namespace", and give themselves superuser
status?

For my particular product, it might be OK if the called DTML was part of
the product and not modifiable by the user, but it would be good to know
what's safe and what's not.

Andrew
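The worry in this post, stated in the abstract, is a confused-deputy problem: if a callee decides what the caller may do from a dictionary the caller constructed, the caller can construct a better dictionary. The following is an added toy model, not Zope code and not a description of Zope's actual security machinery (which this page does not cover). It contrasts a callee that reads identity out of the namespace it is handed with one that takes identity from a server-built request object and uses the caller's namespace for template variables only. `Request`, `TrustingMethod`, `BoundMethod` and the role/permission table are assumptions for the example.

```python
"""Toy model of the namespace-trust question, added as an example.
Not Zope code and not a description of Zope's real security policy.
Request, TrustingMethod, BoundMethod and PERMISSIONS are assumptions."""

# Constructed role -> permission table (assumption, not Zope's defaults).
PERMISSIONS = {
    "Manager": {"View", "Manage properties"},
    "Anonymous": {"View"},
}


class Forbidden(Exception):
    """Raised when the effective role lacks the required permission."""


class Request:
    """Stand-in for the server-built request object. The server fills in the
    authenticated role from the session before any user code runs, so user
    code cannot substitute its own."""

    def __init__(self, authenticated_role):
        self.authenticated_role = authenticated_role


class TrustingMethod:
    """Unsafe pattern: the callee reads the caller's identity out of the
    namespace it was handed, so anyone who can build a dict can pick a role."""

    def __init__(self, required_permission):
        self.required = required_permission

    def __call__(self, namespace):
        role = namespace["AUTHENTICATED_ROLE"]          # attacker-controlled
        if self.required not in PERMISSIONS.get(role, set()):
            raise Forbidden(f"{role} lacks {self.required}")
        return f"rendered as {role} with food={namespace.get('food')}"


class BoundMethod:
    """Safer pattern: identity comes from the Request the server created and
    the method was bound to; the caller's namespace only supplies template
    variables (like 'food' in the dtml-let above) and is never consulted
    for authorization."""

    def __init__(self, required_permission, request):
        self.required = required_permission
        self.request = request

    def __call__(self, namespace):
        role = self.request.authenticated_role           # server-controlled
        if self.required not in PERMISSIONS.get(role, set()):
            raise Forbidden(f"{role} lacks {self.required}")
        return f"rendered as {role} with food={namespace.get('food')}"


# A forged namespace of the kind the post worries about: constructed by an
# anonymous user, claiming to be a Manager.
FORGED_NAMESPACE = {"AUTHENTICATED_ROLE": "Manager", "food": "Popcorn"}


def call_trusting(namespace=FORGED_NAMESPACE):
    """Returns the rendered string if the namespace is accepted, or
    'forbidden'. With TrustingMethod the forgery succeeds."""
    try:
        return TrustingMethod("Manage properties")(namespace)
    except Forbidden:
        return "forbidden"


def call_bound(server_role, namespace=FORGED_NAMESPACE):
    """Same call, but the method is bound to a Request carrying the role the
    server actually authenticated; the namespace's claim is ignored."""
    try:
        return BoundMethod("Manage properties", Request(server_role))(namespace)
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("trusting, forged namespace:   ", call_trusting())
    print("bound, server says Anonymous: ", call_bound("Anonymous"))
    print("bound, server says Manager:   ", call_bound("Manager"))
```

The check a practitioner would apply to any real callee is the same one the two classes differ on: trace where the authorization decision gets its notion of "who is calling". If that comes only from server-owned state (the authenticated request or user object), a caller-built namespace can at most change template variables; if any part of it is read from the passed-in mapping, the munged-dictionary attack described above is possible. This example does not establish which of the two Zope's DTML machinery does, only what to look for.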