launchpad-dev team mailing list archive

Re: RFD: Overhauling the Launchpad authorization adapters

 

On Feb 05, 2010, at 04:20 PM, Henning Eggers wrote:

>1. The LP API exposes model classes directly to the web, leaving only
>   the Zope security declaration in ZCML as protection (no view).

This seems like an especially bad situation for us to be in, because it will
(has already?) lead to security breaches.  We've been confident that our views
protect our models from abuse via the web ui, but as we add more API we don't
get the same level of confidence.  Many objects and methods are exposed in
both places and need similar constraints.  It's becoming increasingly common
to expose functionality /only/ through the API (e.g. software center) and
there is no systematic way to protect such access.  Overloading the models
with more and more security does not seem like a good long term path.

I don't have any answers though.

-Barry
