Untrusted expression engine.
This engine does not allow modules to be imported; only modules already available may be accessed:
>>> modname = 'zope.app.pagetemplate.tests.trusted' >>> engine = _Engine() >>> context = engine.getContext(engine.getBaseNames()) >>> modname in sys.modules False >>> context.evaluate('modules/' + modname) Traceback (most recent call last): ... KeyError: 'zope.app.pagetemplate.tests.trusted'
(The use of KeyError is an unfortunate implementation detail; I think this should be a TraversalError.)
Modules which have already been imported by trusted code are available, wrapped in security proxies:
>>> m = context.evaluate('modules/sys') >>> m.__name__ 'sys' >>> m._getframe Traceback (most recent call last): ... ForbiddenAttribute: ('_getframe', <module 'sys' (built-in)>)
The results of Python expressions evaluated by this engine are wrapped in security proxies:
>>> r = context.evaluate('python: {12: object()}.values') >>> type(r) <type 'zope.security._proxy._Proxy'> >>> r = context.evaluate('python: {12: object()}.values()[0].__class__') >>> type(r) <type 'zope.security._proxy._Proxy'>
General path expressions provide objects that are wrapped in security proxies as well:
>>> from zope.app.container.sample import SampleContainer >>> from zope.app.testing.placelesssetup import setUp, tearDown >>> from zope.security.checker import NamesChecker, defineChecker >>> class Container(SampleContainer): ... implements(ITraversable) ... def traverse(self, name, further_path): ... return self[name] >>> setUp() >>> defineChecker(Container, NamesChecker(['traverse'])) >>> d = engine.getBaseNames() >>> foo = Container() >>> foo.__name__ = 'foo' >>> d['foo'] = ProxyFactory(foo) >>> foo['bar'] = bar = Container() >>> bar.__name__ = 'bar' >>> bar.__parent__ = foo >>> bar['baz'] = baz = Container() >>> baz.__name__ = 'baz' >>> baz.__parent__ = bar >>> context = engine.getContext(d) >>> o1 = context.evaluate('foo/bar') >>> o1.__name__ 'bar' >>> type(o1) <type 'zope.security._proxy._Proxy'> >>> o2 = context.evaluate('foo/bar/baz') >>> o2.__name__ 'baz' >>> type(o2) <type 'zope.security._proxy._Proxy'> >>> o3 = o2.__parent__ >>> type(o3) <type 'zope.security._proxy._Proxy'> >>> o1 == o3 True >>> o1 is o2 False
Note that this engine special-cases dicts during path traversal: it traverses only to their items, but not to their attributes (e.g. methods on dicts), because of performance reasons:
>>> d = engine.getBaseNames() >>> d['adict'] = {'items': 123} >>> d['anotherdict'] = {} >>> context = engine.getContext(d) >>> context.evaluate('adict/items') 123 >>> context.evaluate('anotherdict/keys') Traceback (most recent call last): ... KeyError: 'keys'>>> tearDown()
There are no attributes in this class.
compile(expression)
getBaseNames()
getCompilerError()
getContext(_ZopeBaseEngine__namespace=None, **namespace)
getFunctionNamespace(namespacename)
Returns the function namespace
getTypes()
registerBaseName(name, object)
registerFunctionNamespace(namespacename, namespacecallable)
Register a function namespace
parameter:
This callable should return an object which can be traversed to get the functions provided by the this namespace.
example:
class stringFuncs(object):
- def __init__(self,context):
- self.context = str(context)
- def upper(self):
- return self.context.upper()
- def lower(self):
- return self.context.lower()
engine.registerFunctionNamespace('string',stringFuncs)
registerType(name, handler)
There are no known subclasses.