launchpad-dev team mailing list archive

Re: warning: we will soon have much noise in the test results...

 

On 26.07.2010 17:03, Jonathan Lange wrote:
> On Mon, Jul 26, 2010 at 11:15 AM, Abel Deuring
> <abel.deuring@xxxxxxxxxxxxx> wrote:
>> On 26.07.2010 12:06, Robert Collins wrote:
>>> On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
>>> <julian.edwards@xxxxxxxxxxxxx> wrote:
>>>> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>>>>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>>>>> thought security proxies only lived between view and model objects,
>>>>> not between model objects?
>>>>
>>>> That's right.  Once the code inside a proxied object is running, it's
>>>> effectively security-free and can see objects that the code outside of it
>>>> would not normally be able to access.
>>>>
>>>> We need to be careful about this, because there's no protection against
>>>> returning data to the caller that it should not see.
>>>
>>> So I don't understand this overall change then.
>>>
>>> If we're testing view code, we want something like:
>>> Proxy -> model1 -> model2 etc
>>> If we're testing model code, given that model code is unproxied as it
>>> interacts with other model code, we want
>>> model1 -> model2
>>>
>>> Only view code can depend on security proxies for permission checking,
>>> so making all our tests have security proxies *does not fit* our
>>> deployed object structure, and can easily fail by having a false sense
>>> of security.
>>>
>>> What about this:
>>> * Write a decorator factory that wraps *anything* it is asked for in a
>>> proxy, except one attribute 'unwrapped_factory' (which is the thing it
>>> is decorating).
>>>
>>> * Make the view tests get a decorated launchpad factory
>>>
>>> * Leave unit tests alone.
>>
>> If we don't work with proxied objects in the unit tests, we may miss
>> permission problems, unless the view tests cover each code path...
>>
> 
> I used to agree, but now I'm not so sure. Can you give an example of
> the kind of permission problem we might miss, or of one that we've
> caught because we were using security proxies in our model tests?

I can't give any good example. My reason simply is this: if we get an
Unauthorized exception while iterating over the result of
getUtility(IFooSet).getStuff(), we know that we should either fix
getStuff() or use/write a method getStuffForUser(some_person).
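
The behaviour discussed in this thread, as an added example that is not part of any message above and is not Launchpad or zope.security code. Proxy is a toy stand-in for a security proxy, and Foo, FooSet, titles() and can_view() are hypothetical names; only getStuff(), getStuffForUser() and Unauthorized come from the thread.

```python
class Unauthorized(Exception):
    """Raised by the toy proxy; named after the exception in the thread."""

class Model:
    def can_view(self, user):
        return True

class Foo(Model):
    def __init__(self, title, owner, private=False):
        self.title, self.owner, self.private = title, owner, private
    def can_view(self, user):
        return not self.private or user == self.owner

class FooSet(Model):
    def __init__(self, foos):
        self.foos = foos
    def getStuff(self):
        # Model code talking to model code: nothing here is proxied.
        return list(self.foos)
    def getStuffForUser(self, user):
        return [f for f in self.foos if f.can_view(user)]
    def titles(self):
        # Unproxied code reads private objects and returns plain strings.
        return [f.title for f in self.foos]

class Proxy:
    """Toy boundary proxy (assumption: a simplification, not zope.security)."""
    def __init__(self, obj, user):
        self._obj, self._user = obj, user
    def __getattr__(self, name):
        if not self._obj.can_view(self._user):
            raise Unauthorized(f"{self._user}: {type(self._obj).__name__}.{name}")
        value = getattr(self._obj, name)  # bound to the unproxied object
        if callable(value):
            return lambda *a, **kw: wrap(value(*a, **kw), self._user)
        return wrap(value, self._user)

def wrap(value, user):
    # Results crossing the boundary are proxied again; plain data is not.
    if isinstance(value, list):
        return [wrap(v, user) for v in value]
    return Proxy(value, user) if isinstance(value, Model) else value

def titles_seen(stuff):
    return [foo.title for foo in stuff]

# Constructed sample data.
FOOS = FooSet([Foo("public", "alice"), Foo("secret", "bob", private=True)])
```

Called unproxied, getStuff() hands back every object and a model-level test passes; through Proxy(FOOS, "alice") the same iteration raises Unauthorized, while titles() still returns the private title because the strings were read inside unproxied code.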



