
Provides support for restricted execution of Python scripts in Zope.


Products.PythonScripts

The Python Scripts product provides support for restricted execution of Python scripts, exposing them as callable objects within the Zope environment.

Providing access to extra modules

Python script objects have a limited number of “safe” modules available to them by default. In the course of working with Zope, you will probably wish to make other modules available to script objects.

The Utility.py module in the PythonScripts product provides a simple way to make modules available for use by script objects on a site-wide basis. Before making a module available to Python scripts, you should carefully consider the potential for abuse or misuse of the module, since all users with permission to create and edit Python scripts will be able to use any functions and classes defined in the module. In some cases, you may want to create a custom module that just imports a subset of names from another module, and make that custom module available instead, to reduce the risk of abuse.

The easiest way to make modules available to Python scripts on your site is to create a new directory in your Products directory containing an __init__.py file. At Zope startup time, this “product” will be imported, and any module assertions you make in the __init__.py will take effect. Here’s how to do it:

  • In your Products directory (either in lib/python of your Zope installation or in the root of your Zope install, depending on your deployment model), create a new directory with a name like “GlobalModules”.

  • In the new directory, create a file named __init__.py.

  • Edit the __init__.py file, and add calls to the ‘allow_module’ function (located in the Products.PythonScripts.Utility module), passing the names of modules to be enabled for use by scripts. For example:

    # Global module assertions for Python scripts
    from Products.PythonScripts.Utility import allow_module
    
    allow_module('base64')
    allow_module('re')
    allow_module('DateTime.DateTime')

    This example adds the modules ‘base64’, ‘re’ and the ‘DateTime’ module in the ‘DateTime’ package for use by Python scripts. Note that for packages (dotted names), each module in the package path will become available to script objects.

  • Restart your Zope server. After restarting, the modules you enabled in your custom product will be available to Python scripts.

Placing security assertions within the package/module you are trying to import will not work unless that package/module is located in your Products directory.

This is because that package/module would have to be imported for its included security assertions to take effect, but to do that would require importing a module without any security declarations, which defeats the point of the restricted Python environment.

Products work differently as they are imported at Zope startup. By placing a package/module in your Products directory, you are asserting, among other things, that it is safe for Zope to check that package/module for security assertions. As a result, please be careful when placing packages or modules that are not Zope Products in the Products directory.
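To review what a product's __init__.py actually opens up to script authors, the sketch below statically lists every module name its allow_module calls expose, expanding dotted names along the package path as described above. It is an added example, not code from Products.PythonScripts; the names exposed_modules, needs_review and the REVIEW_FIRST list are assumptions chosen for illustration.

```python
import ast

# Assumption: an illustrative review list, not something the product defines.
REVIEW_FIRST = {"os", "sys", "subprocess", "importlib", "pickle", "shutil"}
UTILITY = "Products.PythonScripts.Utility"

def exposed_modules(init_source):
    """Return (exposed, unresolved) for allow_module calls in a product
    __init__.py. `exposed` maps each module name that becomes available to
    the line exposing it; dotted names are expanded along the package path."""
    tree = ast.parse(init_source)
    aliases = {"allow_module"}  # local names bound to allow_module
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == UTILITY:
            aliases.update(a.asname or a.name for a in node.names
                           if a.name == "allow_module")
    exposed, unresolved = {}, []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in aliases:
            continue
        arg = node.args[0] if node.args else None
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            parts = arg.value.split(".")
            for i in range(1, len(parts) + 1):
                exposed.setdefault(".".join(parts[:i]), node.lineno)
        else:
            unresolved.append(node.lineno)  # computed name: review by hand
    return exposed, unresolved

def needs_review(exposed):
    """Exposed names whose top-level package is on the review list."""
    return sorted(m for m in exposed if m.split(".")[0] in REVIEW_FIRST)

# Constructed sample __init__.py for a "GlobalModules" product.
SAMPLE = '''
from Products.PythonScripts.Utility import allow_module
from Products.PythonScripts.Utility import allow_module as am

allow_module('base64')
allow_module('DateTime.DateTime')
am('os.path')
for name in ("re",):
    allow_module(name)
'''

if __name__ == "__main__":
    exposed, unresolved = exposed_modules(SAMPLE)
    print(sorted(exposed), needs_review(exposed), unresolved)
```

Calls whose argument is not a string literal are reported by line number rather than guessed at, since the module name is only known at Zope startup.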

Changelog

5.1 (2024-10-16)

  • Fix behavior when uploading no file in Zope >= 5.8.1.

  • Add support for Python 3.12 and 3.13

  • Drop support for Python 3.7.

  • Show Python Scripts source code in tracebacks. #64

5.0 (2023-02-01)

  • Drop support for Python 2.7, 3.5, 3.6.

4.15 (2022-12-16)

  • Fix insidious buildout configuration bug for tests against Zope 4.

  • Add support for Python 3.11.

4.14 (2022-07-13)

  • Add support for Python 3.10.

  • Remove unused classes SecurityManager and RivilegedUser from .tests.testBindings.

4.13 (2021-07-02)

  • Make sure “Manager” users can always modify proxy roles (#50)

  • Add support for Python 3.9.

  • Update configuration for version 5 of isort.

4.12 (2020-06-03)

  • Add a file parameter to factory function manage_addPythonScript (#45)

  • Fix TypeError when updating an existing script from a file (#43)

4.11 (2020-02-11)

  • Fix PUT issues with string encoding.

4.10 (2020-02-11)

  • Override manage_DAVget to get correct editable sources (#40)

4.9 (2019-10-09)

  • Prevent ResourceWarning/Error by closing default contents file (#39)

4.8 (2019-09-04)

  • Show proper error message for not allowed identifiers. (#33)

  • Restore History ZMI tab as Zope is supporting it again. (#38)

4.7 (2019-05-21)

  • Make sure a template’s _body attribute is a native string in Python 3 (#30)

4.6 (2019-04-15)

  • Fix a serious error that prevents page templates from compiling (#27)

4.5 (2019-04-07)

  • Provide a single default script content template for Python 2 and 3

  • Prevent deprecation warning by using importlib instead of imp (#24)

  • Prevent syntax warning due to outdated default script content (#26)

  • Allow for entering a title when adding a Python Script (#25)

  • adding badges to the README for GitHub and PyPI

  • Package metadata cleanups

  • cleaned up tox test configuration

4.4 (2019-03-08)

  • Specify supported Python versions using python_requires in setup.py (Zope#481)

  • Add support for Python 3.8

4.3 (2019-02-09)

  • Show a message instead of exception for empty file upload (#21)

4.2 (2018-10-11)

  • Add support for Python 3.7.

  • Drop support for Python 3.4.

  • Force recompilation of scripts as the compiled code is now stored on __code__ instead of func_code.

  • Add a Python 3 compatible default script. (#10)

  • Fix security declaration for Products.PythonScripts.standard which was broken since version 3.0. (Zope#209)

  • Fix HTTP-500 error which occurred when entering code containing a syntax error in a PythonScript. It is now rendered as error message like other errors. (#11)

  • Update the tests to RestrictedPython >= 4.0b4, thus requiring at least this version. (#17)

  • Update HTML code of ZMI for Bootstrap ZMI. (#16)

  • Drop support for historical versions which no longer exist since Zope 4.0a2.

4.1 (2017-06-19)

  • Add support for Python 3.4 up to 3.6.

4.0.1 (2017-02-06)

  • Remove bobobase_modification_time from edit template.

4.0 (2016-08-06)

  • Add compatibility with webdav changes in Zope 4.0a2.

3.0 (2016-07-18)

  • Remove HelpSys support.

2.13.2 (2012-09-09)

  • Correct module security declaration for our standard module.

2.13.1 (2012-09-09)

  • LP #1047318: Adjust tests.

2.13.0 (2010-07-10)

  • Released as separate package.
