Use Products.PythonScripts in Add-on

Nimo · May 25, 2022, 9:49am

Hi,

I have a Problem while developing a Add-on, which should use Products.PythonScripts.
First I thought it was Zope Related but it seems that is not the case.

I have a content-type with a script-body textfield for a user (Manager) to paste Pythoncode into.
During the IObjectAddedEvent I create the the PythonScript via manage_addPythonScript and fill it with the script_body text of the created content object.
During the __call__ of the view I execute the script with some dynamic input data.

So far so good.

My Problem is, that the execution of the PythonScript wants to write something into the Database.
If I comment out the script execution and return dummy data all works fine.
I dug through some packages but can not find any hint why my addons seems to write something into the database. As I said, I thought it was a bug, but in zope everything seems to work. So maybe it musst be on the plone or on my addons side. (For reference its the issue/54 in zopefoundation/Products.PythonScripts on gitub)

Can anybody point me in some direction, I'm really confused and lost.

mtrebron · May 25, 2022, 10:16am

There are a bunch of restrictions in place as to what Pythonscripts are allowed to do. From this old Zope guide:

Security Restrictions
Scripts are restricted in order to limit their ability to do harm. What could be harmful? In general, scripts keep you from accessing private Zope objects, making harmful changes to Zope objects, hurting the Zope process itself, and accessing the server Zope is running on. These restrictions are implemented through a collection of limits on what your scripts can do.

Loop limits
Scripts cannot create infinite loops. If your script loops a very large number of times Zope will raise an error. This restriction covers all kinds of loops including for and while loops. The reason for this restriction is to limit your ability to hang Zope by creating an infinite loop.

Import limits
Scripts cannot import arbitrary packages and modules. You are limited to importing the Products.PythonScripts.standard utility module, the AccessControl module, those modules available via DTML (string, random, math, sequence), and modules which have been specifically made available to scripts by product authors. See Appendix B, "API Reference" for more information on these modules. If you want to be able to import any Python module, use an External Method, as described later in the chapter.

Access limits
You are restricted by standard Zope security policies when accessing objects. In other words the user executing the script is checked for authorization when accessing objects. As with all executable objects you can modify the effective roles a user has when calling a script using Proxy Roles (see Chapter 7, "Users and Security", for more information.) In addition, you cannot access objects whose names begin with underscore, since Zope considers these objects to be private.

Writing limits
In general you cannot change Zope object attributes using scripts. You should call scripts on Zope objects to change them, rather than directly changing instance attributes.

Despite these limits, a determined user could use large amounts of CPU time and memory using Python-based Scripts. So malicious scripts could constitute a kind of denial of service attack by using lots of resources. These are difficult problems to solve and DTML suffers from the same potential for abuse. As with DTML, you probably shouldn't grant access to scripts to untrusted people.

Nimo · May 25, 2022, 10:53am

Thx, I know this already and it its the reason why I want to use this Package.
My Problem is it seems during execution the PythonScript seems to write something in the ZODB. Nothing in my script writes something. Only some transformation of lists and dicts.
All Security Restrictions work as expected.

yurj · May 25, 2022, 11:11am

try to look at the Undo link in the zope root (now under databases). Generally, the link is something like /Control_Panel/Database/main/manage_UndoForm

If your script does something that modifies the database, maybe it is recorded there. Also, exceptions are logged, so check error_log if something pops up.

Nimo · May 25, 2022, 11:28am

Nice. Great idea with the undo link. I will try it.

zopyx · May 25, 2022, 2:57pm

Please do not write any new code using PythonScripts. The concept of PythonScripts is so old and obsolete. In any case: write Python related code as a browser view.

dieter · May 25, 2022, 4:16pm

Jonathan Hofmann via Plone Community wrote at 2022-5-25 09:59 +0000:

...
My Problem is, that the execution of the PythonScript wants to write something into the Database.

When a ZODB object is modified in a transaction for the first
time, the _register (--> method of ZODB.Connection.Connection)
is called with this object (informing the connection that
this object's state must be stored in the database on commit).
You could put a breakpoint on this method and then analyse
the call stack.

Nimo · May 30, 2022, 7:30am

Thanks for the assessment.
I thought PythonScripts was old but not obsolete.
Is there any other Concept to execute a custom script created ttw by a user (Manager) securely?
My idea is to create a content-type which fetches json data from a specified rest api endpoint. Performs some user defined transformation of the data (via a Python Script) and fills a table with the transformed data in its view.

Nimo · May 30, 2022, 8:47am

Thanks very much. This tip got me in the right direction to find my mistake.
I finally found out what wrote into the database.

It had nothing to do with the PythonScript.
It was just a simple assignment my brain overlooked stubbornly.