Concepts
The Sandbox
The sandbox is based on a very similar premise: if you cannot import the type or module, you cannot use it. Dino does not attempt to use confusing combinations of attributes and permission sets. Instead, you simply set it up as "allow everything but this" (a blacklist) or "don't allow anything except this" (a whitelist).
The key aspect of the Dino sandbox is that it is applied at compile time, not evaluation time. Consider the following code.
// admin.dino
from System.IO import File; // private
def sayHello(name){
print "Hello, " + name;
}
def deleteFile(file){
File.Delete(file);
}
// enduser.dino
import script "admin.dino" as admin;
admin.deleteFile("C:\\test.txt");
The "enduser.dino" file has access to the "deleteFile" function because functions are public by default. The sandbox applied while the end user writes their script may prevent them from importing the File type from System.IO, but because Dino applies the sandbox at compile time, it only governs what "enduser.dino" itself may import; it does not prevent them from calling a function in an imported script that already uses this symbol.
To prevent the end user from calling this function, it can be marked as private.
// admin.dino
from System.IO import File; // private
def sayHello(name){
print "Hello, " + name;
}
private def deleteFile(file){
File.Delete(file);
}
// enduser.dino
import script "admin.dino" as admin;
admin.sayHello("Rex"); // Ok, sayHello is public
admin.deleteFile("C:\\test.txt"); // error, undefined symbol
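Marking a function private hides the symbol, not the capability behind it: any public function in "admin.dino" that calls the private one is still reachable from a sandboxed script. The following is an added illustration, not code from the original page; it assumes that a private function remains callable from other functions in the same script.

```dino
// admin.dino
from System.IO import File; // private
private def deleteFile(file){
File.Delete(file);
}
// Public by default, so every sandboxed script that imports admin.dino can call it,
// even though that script is not allowed to import System.IO.File itself.
def cleanUp(file){
deleteFile(file);
}
// enduser.dino
import script "admin.dino" as admin;
admin.deleteFile("C:\\test.txt"); // error, undefined symbol
admin.cleanUp("C:\\test.txt"); // Ok, cleanUp is public and admin.dino was compiled outside the end user's sandbox
```

When deciding which symbols to import privately, review every public function of the script as part of the same boundary; the sandbox only restricts what the end user's own script can import.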
The Dino sandbox is covered more in depth in Importing Scripts and Types.