Re: Function editor
Joshua Cranmer wrote:
I was looking at the OpenJDK source code and the Rhino engine source
code, and, sure enough, there is a way to prohibit some form of access:
    public boolean visibleToScripts(String fullClassName) {
        // first do the security check.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            int i = fullClassName.lastIndexOf(".");
            if (i != -1) {
                try {
                    sm.checkPackageAccess(fullClassName.substring(0, i));
                } catch (SecurityException se) {
                    return false;
                }
            }
        }
        // now, check is it a protected class.
        return protectedClasses.get(fullClassName) == null;
    }
(protectedClasses turns out to be a hard-coded list)
The semantics of how this is called turn out to be as follows:
<http://www.mozilla.org/rhino/apidocs/org/mozilla/javascript/ClassShutter.html#visibleToScripts(java.lang.String)>.
So you could, for example, disable large swathes of packages with the
appropriate security manager settings.
Alternatively, if you want finer control, you could probably overwrite
the ClassShutter via
<http://www.mozilla.org/rhino/apidocs/org/mozilla/javascript/ContextFactory.html#initGlobal(org.mozilla.javascript.ContextFactory)>.
It might also be possible to simply hide the java-related variables with
globals to prevent all access whatsoever.
Thanks for the research.
Jon.
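
An added example, not code from this thread or from Rhino or OpenJDK, of the finer-control option discussed above: a deny-by-default ClassShutter installed on every Context through a ContextFactory subclass registered with initGlobal. The names ShutterDemo, SandboxFactory, the allowlist contents and the two sample scripts are constructed for illustration; it assumes the Mozilla Rhino jar on the classpath and Java 9 or later.

```java
import java.util.Set;
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ContextFactory;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class ShutterDemo {
    // Constructed allowlist: the only Java classes scripts may see.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.util.ArrayList");

    // Deny by default. Rhino also calls this with package names; they are not
    // in the set, so they are refused as classes as well.
    static final ClassShutter ALLOWLIST = name -> ALLOWED.contains(name);

    // Every Context this factory creates carries the shutter before any script runs.
    static class SandboxFactory extends ContextFactory {
        @Override
        protected Context makeContext() {
            Context cx = super.makeContext();
            cx.setClassShutter(ALLOWLIST);
            return cx;
        }
    }

    // Evaluate one script in a fresh scope and report whether it was allowed.
    static String run(String script) {
        Context cx = ContextFactory.getGlobal().enterContext();
        try {
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, script, "demo", 1, null);
            return "allowed: " + Context.toString(result);
        } catch (RhinoException e) {
            return "refused: " + e.details();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Must run before anything else touches the global factory.
        ContextFactory.initGlobal(new SandboxFactory());
        System.out.println(run("new java.util.ArrayList().size()"));
        System.out.println(run("java.lang.System.getProperty('java.version')"));
    }
}
```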