MI-DPLA / combine

Combine /kämˌbīn/ - Metadata Aggregator Platform
MIT License

Disable user-submitted python code by default #460

Status: Closed (antmoth closed this issue 4 years ago)

antmoth commented 4 years ago

Because user-submitted python code is a security hole big enough to fly a 747 through, we should default to not allowing it and include a server-side flag to enable it.

Don't forget to document.

antmoth commented 4 years ago

I'm thinking that this should not prevent people from running existing transforms that include python code, but should prevent them from creating new transforms or editing (the code of?) existing transforms that include python code or running test transforms that use python code.

Everywhere I write 'transforms', ditto validations and field mappers and record identifier transforms.

antmoth commented 4 years ago

Closed by #462

antmoth commented 4 years ago

I missed the "test XYZ scenario" pages. Gotta fix those too.
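The policy proposed in this thread can be sketched as a single server-side gate. This is an added example, not Combine's code or the change in #462; the flag name `ALLOW_PYTHON_CODE`, the `Scenario` class, the `is_permitted` function and the payload type labels are hypothetical. It assumes that editing non-code fields of an existing Python scenario stays allowed, which the thread leaves as an open question.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Hypothetical server-side flag (the thread names no setting). Off by default.
ALLOW_PYTHON_CODE = False

ACTIONS = {"run", "create", "edit", "test"}


@dataclass(frozen=True)
class Scenario:
    kind: str          # transformation, validation, field mapper, record identifier transform
    payload_type: str  # constructed labels for this example: "python", "xslt", ...
    payload: str       # the code or stylesheet body
    name: str = ""


def is_permitted(action: str, scenario: Scenario,
                 existing: Optional[Scenario] = None,
                 allow_python: bool = ALLOW_PYTHON_CODE) -> bool:
    """Decide server-side whether `action` may proceed for `scenario`.

    `existing` is the stored version when the action is an edit.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    # Flag enabled, or no Python involved: nothing to restrict.
    if allow_python or scenario.payload_type != "python":
        return True
    if action == "run":
        # Already-stored scenarios keep running, as proposed in the thread.
        return True
    if action == "edit" and existing is not None:
        # Assumption: renaming is fine, but the stored Python code must be
        # unchanged, and a non-Python scenario may not be converted to Python.
        return (existing.payload_type == "python"
                and existing.payload == scenario.payload)
    # create, test, or an edit with no stored version to compare against.
    return False


# Constructed sample scenario for a quick manual check.
stored = Scenario("transformation", "python", "def transform(r): return r", "t1")
renamed = replace(stored, name="t1-renamed")
recoded = replace(stored, payload="import os")
```

The same gate applies to every scenario kind, and the "test" action covers the test pages mentioned in the last comment, since those execute submitted code without storing it.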