
launchpad-dev team mailing list archive

Re: Notes about security and view code


On Thu, Jul 30, 2009 at 12:42 AM, Gary Poster<gary.poster@xxxxxxxxxxxxx> wrote:
> So here's my understanding of where we are.  Please correct and comment!
>

Looks great!

> What are the rules?
>
> - Don't use removeSecurityProxy unless you really have to.  Try to see if
> there is another way.  When reviewing, make sure you are convinced of the
> necessity.  Using removeSecurityProxy is necessary sometimes, and accepted,
> but a red flag.
>

I like this.

> - When writing something like a function that is imported directly by views,
> or a helper method on a view, it should do one of the following:
>  * return an object that is immutable (in Python, as opposed to C), and that
> is not a collection, like None or a string or an int.
>  * return another view object (because it already has followed the security
> rules itself)
>  * return a security-proxied object.
>  * return an immutable collection (i.e., tuple), or a newly created
> non-database collection (i.e., a new list), of any of these things.
>

I'd personally find it helpful to have something here that explains
_why_ these are the rules.

Thanks for writing this up!

jml
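The following is an added example, not code from Launchpad or zope.security and not part of the thread. It stands up a toy security proxy (a small stand-in for zope.security's proxy and removeSecurityProxy, with illustrative permission names such as "launchpad.View" and "launchpad.Edit", a constructed Bug model and a BugView, all assumptions of the example) and shows the failure mode the quoted rules guard against: a view helper that strips the proxy and hands a template the model's own mutable list, which is then modified with no permission check at all. It also includes a mechanical check of the four return-value rules that a reviewer or unit test could apply to a helper's result.

```python
"""Added example, not Launchpad's or zope.security's code: a toy security proxy
and a checker for the view-helper return rules quoted in the message above."""


class Unauthorized(Exception):
    """An attribute access the checker does not allow."""


# Permissions of the "current interaction" (per-thread request state in Zope;
# a module-level set is enough for this example).
_current_permissions = set()


def set_permissions(*permissions):
    _current_permissions.clear()
    _current_permissions.update(permissions)


class SecurityProxy:
    """Toy stand-in for zope.security's proxy: attribute reads are checked
    against a {attribute: permission} checker, attribute writes are refused."""

    def __init__(self, obj, checker):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_checker", checker)

    def __getattr__(self, name):  # only reached for names not on the proxy itself
        obj = object.__getattribute__(self, "_obj")
        required = object.__getattribute__(self, "_checker").get(name)
        if required is None or required not in _current_permissions:
            raise Unauthorized(f"{name!r} requires {required!r}")
        return getattr(obj, name)

    def __setattr__(self, name, value):
        raise Unauthorized(f"cannot set {name!r} through a security proxy")


def removeSecurityProxy(obj):
    """The 'red flag' operation from the thread: hand back the bare object."""
    return object.__getattribute__(obj, "_obj") if isinstance(obj, SecurityProxy) else obj


class Bug:
    """Constructed sample database object."""

    def __init__(self, bug_id, title):
        self.id = bug_id
        self.title = title
        self.subscribers = ["alice", "bob"]  # mutable list owned by the model


# Assumed checker for Bug; the permission names are illustrative.
BUG_CHECKER = {"id": "launchpad.View", "title": "launchpad.View",
               "subscribers": "launchpad.Edit"}


class View:
    """Base for views (rule 2: a view may hand back another view)."""

    def __init__(self, context):
        self.context = context  # the proxied model object


class BugView(View):
    def title(self):
        # Rule 1: an immutable non-collection value, read through the proxy.
        return self.context.title

    def subscriber_names(self):
        # Rule 4: a new tuple of immutable values; the read of
        # context.subscribers is permission-checked by the proxy.
        return tuple(self.context.subscribers)

    def subscriber_names_unsafe(self):
        # Breaks the rules: strips the proxy and returns the model's own
        # mutable list, so nothing is checked and the caller can edit the model.
        return removeSecurityProxy(self.context).subscribers


_IMMUTABLE_SCALARS = (type(None), bool, int, float, str, bytes)


def is_safe_return_value(value, model=None):
    """Mechanical check of the four rules. `model` is the bare database object
    the helper read from: a list that *is* one of its attributes is the model's
    own collection, not a newly created one, and is rejected."""
    if isinstance(value, (_IMMUTABLE_SCALARS, SecurityProxy, View)):
        return True
    if isinstance(value, (tuple, list)):
        if model is not None and any(value is a for a in vars(model).values()):
            return False
        return all(is_safe_return_value(item, model) for item in value)
    return False


def demo():
    """Show the leak and the checks; returns a dict of observations."""
    bug = Bug(1, "Crash on start")
    view = BugView(SecurityProxy(bug, BUG_CHECKER))
    results = {}
    set_permissions("launchpad.View")
    results["title"] = view.title()
    try:
        view.subscriber_names()
        results["safe_helper"] = "returned"
    except Unauthorized:
        results["safe_helper"] = "unauthorized"  # the proxy enforced the check
    leaked = view.subscriber_names_unsafe()  # unchecked, bare list
    leaked.append("mallory")  # the mutation lands in the model
    results["model_after_leak"] = list(bug.subscribers)
    results["leaked_is_safe"] = is_safe_return_value(leaked, bug)
    set_permissions("launchpad.View", "launchpad.Edit")
    results["names_with_edit"] = view.subscriber_names()
    results["names_is_safe"] = is_safe_return_value(results["names_with_edit"], bug)
    return results
```

Running demo() shows why rule 4 says "newly created": the safe helper and the unsafe one return the same names, but only the unsafe one aliases the model's list, so an append by the caller silently changes the database object without the permission check the proxy would have applied. The is_safe_return_value check rejects that aliased list and accepts the fresh tuple.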
