"Chris Angelico" wrote in message news:CAPTjJmq2bcQPmQ9itVvZrBZJPcbYe5z6vDpKGYQj=8h+qkv...@mail.gmail.com...

On Thu, Aug 25, 2016 at 3:33 PM, Frank Millman <fr...@chagford.com> wrote:
@Peter/Chris
> I don't understand - please explain.
>
> If I store the business rule in Python code, how do I prevent untrusted
> users putting malicious code in there? I presume I would have to execute
> the code by calling eval(), which we all know is dangerous. Is there another
> way of executing it that I am unaware of?

The real question is: How malicious can your users be?

If the XML file is stored adjacent to the Python script that runs it, anyone who can edit one can edit the other. Ultimately, that means that (a) any malicious user can simply edit the Python script, and therefore (b) anyone who's editing the other file is not malicious.

If that's not how you're doing things, give some more details of what you're trying to do. How are you preventing changes to the Python script? How frequent will changes be? Can you simply put all changes through a git repository and use a pull request workflow to ensure that a minimum of two people eyeball every change?

All interaction with users is via a GUI. The database contains tables that define the database itself - tables, columns, form definitions, etc. These are not purely descriptive, they drive the entire system. So if a user modifies a definition, the changes are immediate.

Does that answer your question? I can go into a lot more detail, but I am not sure where to draw the line.

Frank

--
https://mail.python.org/mailman/listinfo/python-list