
launchpad-dev team mailing list archive

Re: RFD: Overhauling the Launchpad authorization adapters


Barry Warsaw wrote:
> On Feb 05, 2010, at 04:20 PM, Henning Eggers wrote:
> 
>> 1. The LP API exposes model classes directly to the web, leaving only
>>   the Zope security declaration in ZCML as protection (no view).
> 
> This seems like an especially bad situation for us to be in, because it will
> (has already?) lead to security breaches.  We've been confident that our views
> protect our models from abuse via the web ui, but as we add more API we don't
> get the same level of confidence.

I've never thought of "security in the view" as very reassuring -- it
would be just as easy to expose the functionality in a new way and lose
the security checks.

> Many objects and methods are exposed in
> both places and need similar constraints.  It's becoming increasingly common
> to expose functionality /only/ through the API (e.g. software center) and
> there is no systematic way to protect such access.

On the contrary, there _is_ a systematic way to protect such access:
security.py.  It's not perfect, certainly, but it's way more systematic
than anything else we do...

> Overloading the models
> with more and more security does not seem like a good long term path.

I can't think of anywhere _better_ to put it.  I think it would be a
nice thing if the entire Launchpad website could be written as an API
client and if the API exposes the model more-or-less directly...

Cheers,
mwh
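The point mwh makes above, that a check living only in a view is lost the moment the same model is reached by a second path, while a policy attached to the model travels with it, can be shown with a small stand-alone script. This is an added illustration, not Launchpad code and not taken from the thread: the `Bug` model, the `BugAuthorization` class (standing in for a security.py adapter), the `REQUIRED` mapping (in the spirit of a ZCML attribute/permission declaration) and the `SecurityProxy` are all hypothetical, and the `launchpad.View` / `launchpad.Edit` names are used only as labels.

```python
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when a principal lacks the permission an access requires."""


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Bug:
    """Hypothetical model object; attribute names are constructed."""
    title: str
    owner: str
    private: bool = False

    def set_private(self, value):
        self.private = value


class BugAuthorization:
    """Model-level policy: one place that decides who may do what to a Bug.
    Stands in for a security.py adapter (the shape here is an assumption)."""

    def __init__(self, bug):
        self.bug = bug

    def check(self, permission, principal):
        is_owner = principal.name == self.bug.owner
        is_admin = "admin" in principal.roles
        if permission == "launchpad.View":
            return (not self.bug.private) or is_owner or is_admin
        if permission == "launchpad.Edit":
            return is_owner or is_admin
        return False


# Which permission each attribute requires, in the spirit of a ZCML
# attribute/permission declaration (the mapping itself is constructed).
REQUIRED = {
    "title": "launchpad.View",
    "private": "launchpad.View",
    "set_private": "launchpad.Edit",
}


class SecurityProxy:
    """Wraps a model so that every access path consults the policy."""

    def __init__(self, obj, principal):
        self._obj = obj
        self._principal = principal

    def __getattr__(self, name):
        permission = REQUIRED.get(name)
        if permission is None:
            # Undeclared attributes are not reachable through the proxy at all.
            raise Unauthorized(f"{name}: no permission declared")
        if not BugAuthorization(self._obj).check(permission, self._principal):
            raise Unauthorized(f"{self._principal.name} lacks {permission} on {name}")
        return getattr(self._obj, name)


# Exposure path 1: the web UI view carries its own check.
def view_mark_private(bug, principal):
    if principal.name != bug.owner:
        raise Unauthorized("view: only the owner may change privacy")
    bug.set_private(True)


# Exposure path 2: an API added later that reaches the bare model. The view's
# check does not travel with the model, so nothing stops a non-owner here.
def api_mark_private_unprotected(bug, principal):
    bug.set_private(True)


# Same API, but handed the model through the proxy: the model-level policy
# applies here exactly as it would in the view.
def api_mark_private_protected(bug, principal):
    SecurityProxy(bug, principal).set_private(True)


def run_scenario():
    """Drive both API variants as a non-owner and report what happened."""
    outsider = Principal("mallory")
    results = {}

    bug = Bug(title="crash on start", owner="alice")
    api_mark_private_unprotected(bug, outsider)
    results["unprotected_api_changed_state"] = bug.private

    bug = Bug(title="crash on start", owner="alice")
    try:
        api_mark_private_protected(bug, outsider)
        results["protected_api_refused"] = False
    except Unauthorized:
        results["protected_api_refused"] = True
    results["protected_api_changed_state"] = bug.private

    # The owner is still allowed through the proxy.
    api_mark_private_protected(bug, Principal("alice"))
    results["owner_allowed"] = bug.private
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the unprotected API path changing the bug's state for a principal the view would have refused, while the proxied path refuses the outsider and still admits the owner; the policy is written once, in the model layer, and every exposure path inherits it.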