launchpad-dev team mailing list archive

[Jonathan Lange <jml@xxxxxxxxxxxxx>]

On Mon, Jul 26, 2010 at 11:06 AM, Robert Collins
<robert.collins@xxxxxxxxxxxxx> wrote:
> On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
> <julian.edwards@xxxxxxxxxxxxx> wrote:
>> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>>> thought security proxies only lived between view and model objects,
>>> not between model objects?
>>
>> That's right.  Once the code inside a proxied object is running, it's
>> effectively security-free and can see objects that the code outside of it
>> would not normally be able to access.
>>

This is true, but it's a little more complex than that.

Security proxies live anywhere that someone has explicitly made a
security proxy. Calls to ProxyFactory usually do it.

In Launchpad, we have deliberately registered special ZCML handlers to
make sure that our utilities are wrapped in security proxies (the
"securedutility" directive). Thus, getUtility(IFooSet) returns a
security-proxied IFooSet provider. Methods called on that IFooSet
provider also return security-proxied objects.

We might also have other things that wrap objects up in security
proxies. A little bit of poking around with grep will tell you for
sure.

Now, while many of our model objects continue to access other model
objects using attribute access or direct Storm query, others use
utilities internally. This makes our internal security model Very
Confused. (Poking around will also find model code that checks for
permissions or even duplicates the logic found in
canonical/launchpad/security.py).

jml