launchpad-dev team mailing list archive
Message #00104
Re: Notes about security and view code
Michael Hudson wrote:
> Gary Poster wrote:
>> Hi all.
>>
>> Many moons ago, during a review, Barry and I talked about the way we do
>> security in our view code. I felt that neither the purpose nor the
>> rules for our security story were crystal clear. This led to a
>> discussion in the reviewers meeting, and an action item for me to bring
>> up the discussion with the whole team.
>>
>> It's been so long that I strongly suspect I will miss some important
>> parts of the previous discussions, for which I apologize in advance.
>> Hopefully others will be willing to repeat their past corrections and
>> additions of what I write.
>>
>> So here's my understanding of where we are. Please correct and comment!
>
> It looks pretty accurate to me.
>
>> - An import fascist controls what can be imported. You may only import
>> code in a module's __all__. This actually affects all code, not just
>> view code.
>
> I do wonder what the import fascist buys us these days.
>
> It used to, at least, prevent one from importing database code into
> non-database code, which would have been another way to punch through
> our security, and indeed I thought that was more of the point than the
> __all__ business. It doesn't look like this got updated to prevent
> lp.foo.browser.bar importing from lp.baz.model.quux though, and I don't
> think we've missed it.
That said, the use of the naked SourcePackage class at
branchlisting.py:1663 is at least a bit dodgy. Maybe we should update
the fascist...
Cheers,
mwh
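The two rules the thread describes (only names listed in a module's `__all__` may be imported, and browser/view code should not reach into model code) can be checked statically with the `ast` module. The checker below is an added illustration written for this archive page, not Launchpad's actual import fascist or any of its code; the module names in the sample tree are constructed, and the browser/model naming convention it keys on is an assumption borrowed from the `lp.foo.browser.bar` / `lp.baz.model.quux` shorthand used in the thread.

```python
"""Static checker in the spirit of the "import fascist" discussed above.

Rule 1: ``from pkg.mod import name`` is allowed only if ``name`` appears in
        pkg.mod's top-level ``__all__`` (a module without ``__all__`` exports nothing).
Rule 2: browser (view) modules must not import from model modules, the layering
        rule mentioned in the thread.

Module names and sources below are constructed for the example, not Launchpad's.
"""
import ast
from typing import Dict, List, Set, Tuple

Violation = Tuple[str, int, str]  # (module name, line number, message)


def exported_names(source: str) -> Set[str]:
    """Return the names in a module's top-level ``__all__`` (empty if absent)."""
    tree = ast.parse(source)
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "__all__":
                    try:
                        return set(ast.literal_eval(node.value))
                    except ValueError:  # __all__ is not a literal list/tuple
                        return set()
    return set()


def is_browser(modname: str) -> bool:
    # Assumed convention: view code lives in a ``browser`` package.
    return ".browser." in modname or modname.endswith(".browser")


def is_model(modname: str) -> bool:
    # Assumed convention: database-backed classes live in a ``model`` package.
    return ".model." in modname or modname.endswith(".model")


def check_module(modname: str, source: str, modules: Dict[str, str]) -> List[Violation]:
    """Check one module's ``from ... import ...`` statements against both rules."""
    violations: List[Violation] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ImportFrom) or node.module is None or node.level:
            continue  # relative imports and plain ``import x`` are out of scope here
        target = node.module
        if is_browser(modname) and is_model(target):
            violations.append((modname, node.lineno,
                               f"browser code imports model module {target}"))
        if target not in modules:
            continue  # unknown module (stdlib etc.): no __all__ to check against
        allowed = exported_names(modules[target])
        for alias in node.names:
            if alias.name == "*":
                continue  # star imports already respect __all__
            if alias.name not in allowed:
                violations.append((modname, node.lineno,
                                   f"{alias.name} is not in {target}.__all__"))
    return violations


def check_all(modules: Dict[str, str]) -> List[Violation]:
    """Run the checker over every module in the in-memory tree."""
    out: List[Violation] = []
    for name, src in modules.items():
        out.extend(check_module(name, src, modules))
    return out


# Constructed sample tree: one private name leaks, one view imports model code.
SAMPLE_MODULES = {
    "lp.foo.model.quux": "__all__ = ['Quux']\nclass Quux: ...\nclass _QuuxRow: ...\n",
    "lp.foo.interfaces.quux": "__all__ = ['IQuux']\nclass IQuux: ...\n",
    "lp.foo.browser.bar": (
        "from lp.foo.interfaces.quux import IQuux\n"
        "from lp.foo.model.quux import _QuuxRow\n"
    ),
    "lp.foo.utils": "from lp.foo.model.quux import Quux\n",
}

if __name__ == "__main__":
    for module, line, msg in check_all(SAMPLE_MODULES):
        print(f"{module}:{line}: {msg}")
```

Running it flags only `lp.foo.browser.bar` line 2, twice: once for the layering breach and once because `_QuuxRow` is not exported. `lp.foo.utils` is clean, since `Quux` is in the model module's `__all__` and utility code is not subject to the browser rule. A check like this catches both kinds of "punching through" the thread worries about, which is why the `__all__` rule alone is a weaker guarantee than it looks.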