Allowing users to execute random code within the webapp environment is a really bad idea. A simple db.auth_user.truncate() within any of those user functions would tear your whole app apart.
One suggestion is the creation of some kind of engine or environment in which to execute code safely. In order to do that you can use the app to inspect the code for forbidden commands or check whether the function returns a result or not. In Python you can create context managers that could take care of that. You can also try to launch user-defined code as independent threads; see the threading module. In a sense, those user functions are dynamic, so they should be text that you can store in the database or in text files in a private folder. The application could pull that data and use exec(random_code) within a safe environment. There are some examples in David Beazley's video about metaprogramming <https://www.youtube.com/watch?v=sPiWg5jSoZI>.
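An added example, not part of the original post: one way to implement the "inspect the code for forbidden commands" and "check whether the function returns a result" suggestions, by walking the parsed syntax tree before calling exec. The forbidden-name list, the `run` entry-point name and the builtin allowlist are assumptions made for this example; a filter like this rejects obvious misuse and is not an isolation boundary.

```python
import ast

# Assumed policy for this example: names user code may never reference.
FORBIDDEN_NAMES = {"db", "exec", "eval", "compile", "open", "__import__",
                   "globals", "locals", "getattr", "setattr", "vars"}
SAFE_BUILTINS = {"len": len, "sum": sum, "min": min, "max": max,
                 "range": range, "abs": abs, "sorted": sorted}


def inspect_user_code(source, entry="run"):
    """Return a list of policy violations; an empty list means accepted."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return ["syntax error: %s" % exc.msg]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            problems.append("line %d: import not allowed" % node.lineno)
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            problems.append("line %d: forbidden name %r" % (node.lineno, node.id))
        elif isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            problems.append("line %d: private attribute %r" % (node.lineno, node.attr))
    funcs = [n for n in tree.body if isinstance(n, ast.FunctionDef) and n.name == entry]
    if not funcs:
        problems.append("no top-level function %r" % entry)
    elif not any(isinstance(n, ast.Return) and n.value is not None
                 for n in ast.walk(funcs[0])):
        problems.append("function %r never returns a result" % entry)
    return problems


def run_user_code(source, *args, entry="run"):
    """Execute accepted code with a reduced set of builtins and call entry()."""
    problems = inspect_user_code(source, entry)
    if problems:
        raise ValueError("; ".join(problems))
    namespace = {"__builtins__": SAFE_BUILTINS}
    exec(compile(source, "<user_code>", "exec"), namespace)
    return namespace[entry](*args)


# Constructed sample inputs.
GOOD = "def run(values):\n    return sum(values) / len(values)\n"
BAD = "def run(values):\n    db.auth_user.truncate()\n    return 1\n"
```

The rejected sample is the `db.auth_user.truncate()` case from the post; the violation list can be stored alongside the submitted text so the user sees why it was refused.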