launchpad-dev team mailing list archive

[Robert Collins <robert.collins@xxxxxxxxxxxxx>]

On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
<julian.edwards@xxxxxxxxxxxxx> wrote:
> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>> thought security proxies only lived between view and model objects,
>> not between model objects?
>
> That's right.  Once the code inside a proxied object is running, it's
> effectively security-free and can see objects that the code outside of it
> would not normally be able to access.
>
> We need to be careful about this, because there's no protection against
> returning data to the caller that it should not see.

So I don't understand this overall change then.

If we're testing view code, we want something like:
Proxy -> model1 -> model2 etc
If we're testing model code, given that model code is unproxied as it
interacts with other model code, we want
model1 -> model2

Only view code can depend on security proxies for permission checking,
so making all our tests have security proxies *does not fit* our
deployed object structure, and can easily fail by having a false sense
of security.

What about this:
* Write a decorator factory that wraps *anything* it is asked for in a
proxy, except one attribute 'unwrapped_factory' (which is the thing it
is decorating).

* Make the view tests get a decorated launchpad factory

* Leave unit tests alone.

This requires backing out the recent changes, but I think its the
right thing todo because it will more accurately match how things work
in production, which is the driving force behind this change in the
first place.

-Rob