launchpad-dev team mailing list archive

[Abel Deuring <abel.deuring@xxxxxxxxxxxxx>]

On 26.07.2010 12:06, Robert Collins wrote:
> On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
> <julian.edwards@xxxxxxxxxxxxx> wrote:
>> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>>> thought security proxies only lived between view and model objects,
>>> not between model objects?
>>
>> That's right.  Once the code inside a proxied object is running, it's
>> effectively security-free and can see objects that the code outside of it
>> would not normally be able to access.
>>
>> We need to be careful about this, because there's no protection against
>> returning data to the caller that it should not see.
> 
> So I don't understand this overall change then.
> 
> If we're testing view code, we want something like:
> Proxy -> model1 -> model2 etc
> If we're testing model code, given that model code is unproxied as it
> interacts with other model code, we want
> model1 -> model2
> 
> Only view code can depend on security proxies for permission checking,
> so making all our tests have security proxies *does not fit* our
> deployed object structure, and can easily fail by having a false sense
> of security.
> 
> What about this:
> * Write a decorator factory that wraps *anything* it is asked for in a
> proxy, except one attribute 'unwrapped_factory' (which is the thing it
> is decorating).
> 
> * Make the view tests get a decorated launchpad factory
> 
> * Leave unit tests alone.

If we don't work with proxied objects in the unit tests, we may miss
permission problems, unless the view tests cover each code path...

> 
> This requires backing out the recent changes, but I think its the
> right thing todo because it will more accurately match how things work
> in production, which is the driving force behind this change in the
> first place.
> 
> -Rob
>