Attention

This document was written for an unsupported version of Plone, Plone 2.1.x, and was last updated 1240 days ago.


Using unauthorized modules in scripts

by Mikko Ohtamaa last modified Dec 30, 2008 03:02 PM
How to authorize scripts and other secure contexts to use external (unauthorized) Python code, and then call this code from page templates.

Please refer to this Zope-specific tutorial.

If you are creating your own product, you can place the authorization declarations in your product's __init__.py.

Here is an example:

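from AccessControl import allow_module
from AccessControl import ModuleSecurityInfo

...
# Let restricted code (page templates, Python scripts) call these two
# module-level functions; everything else in the module stays private.
ModuleSecurityInfo("Products.Usability").declarePublic("isRequestView")
ModuleSecurityInfo("Products.Usability").declarePublic("issueFieldVisibility")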

Then you can call public functions in your page template code:

<a tal:attributes="href python: modules['Products.Usability'].isRequestView(rows.get('link'), context)">...</a>

See the following Zope functions and classes:

  • AccessControl.allow_module
  • AccessControl.allow_class
  • AccessControl.ClassSecurityInfo
  • AccessControl.ModuleSecurityInfo

Note that sometimes secured calls should be placed inside wrapper functions which deal with parameter checking and other validation to prevent opening any security holes.
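
A sketch of the wrapper pattern from the note above, as an added example rather than code from the original page or from Products.Usability. The module name Products.MyProduct, SNIPPET_DIR and both functions are hypothetical, and the AccessControl import is guarded so the block also runs without Zope installed.

```python
import os
import re
import tempfile

try:
    from AccessControl import ModuleSecurityInfo
except ImportError:  # allows the example to run outside Zope
    ModuleSecurityInfo = None

# Constructed sample data: a directory holding one snippet the product may serve.
SNIPPET_DIR = tempfile.mkdtemp()
with open(os.path.join(SNIPPET_DIR, "footer.txt"), "w") as f:
    f.write("Powered by Plone")

# \A and \Z anchor the whole string; "$" would also accept a trailing newline.
_SAFE_NAME = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def _read_file(path):
    """Unrestricted helper: never declared public, reads any path it is given."""
    with open(path) as f:
        return f.read()


def read_snippet(name):
    """Public wrapper: the only entry point restricted code may call."""
    # Template and script authors control `name`, so treat it as untrusted.
    if not isinstance(name, str) or not _SAFE_NAME.match(name):
        raise ValueError("invalid snippet name")
    path = os.path.realpath(os.path.join(SNIPPET_DIR, name + ".txt"))
    # Defence in depth: the resolved path must stay directly inside SNIPPET_DIR.
    if os.path.dirname(path) != os.path.realpath(SNIPPET_DIR):
        raise ValueError("invalid snippet name")
    if not os.path.isfile(path):
        raise ValueError("unknown snippet")
    return _read_file(path)


if ModuleSecurityInfo is not None:
    # Expose only the wrapper. The first argument must be the dotted name of
    # the module that defines read_snippet (hypothetical here).
    ModuleSecurityInfo("Products.MyProduct").declarePublic("read_snippet")
```

Declaring `_read_file` public instead would hand every template author the ability to read any file the Zope process can open; the wrapper narrows that to named snippets in one directory.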

