launchpad-dev team mailing list archive

[Jonathan Lange <jml@xxxxxxxxxxxxx>]

On Mon, Jul 26, 2010 at 11:15 AM, Abel Deuring
<abel.deuring@xxxxxxxxxxxxx> wrote:
> On 26.07.2010 12:06, Robert Collins wrote:
>> On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
>> <julian.edwards@xxxxxxxxxxxxx> wrote:
>>> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>>>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>>>> thought security proxies only lived between view and model objects,
>>>> not between model objects?
>>>
>>> That's right.  Once the code inside a proxied object is running, it's
>>> effectively security-free and can see objects that the code outside of it
>>> would not normally be able to access.
>>>
>>> We need to be careful about this, because there's no protection against
>>> returning data to the caller that it should not see.
>>
>> So I don't understand this overall change then.
>>
>> If we're testing view code, we want something like:
>> Proxy -> model1 -> model2 etc
>> If we're testing model code, given that model code is unproxied as it
>> interacts with other model code, we want
>> model1 -> model2
>>
>> Only view code can depend on security proxies for permission checking,
>> so making all our tests have security proxies *does not fit* our
>> deployed object structure, and can easily fail by having a false sense
>> of security.
>>
>> What about this:
>> * Write a decorator factory that wraps *anything* it is asked for in a
>> proxy, except one attribute 'unwrapped_factory' (which is the thing it
>> is decorating).
>>
>> * Make the view tests get a decorated launchpad factory
>>
>> * Leave unit tests alone.
>
> If we don't work with proxied objects in the unit tests, we may miss
> permission problems, unless the view tests cover each code path...
>

I used to agree, but now I'm not so sure. Can you give an example of
the kind of permission problem we might miss, or of one that we've
caught because we were using security proxies in our model tests?

jml