launchpad-dev team mailing list archive

[Benji York <benji.york@xxxxxxxxxxxxx>]

On Mon, Jul 26, 2010 at 12:13 PM, Julian Edwards
<julian.edwards@xxxxxxxxxxxxx> wrote:
> If it is *really* needed, I would *much* rather see an explicit
> removeSecurityProxy() with a comment explaining why you need to remove the
> wrapper.  It should be a conscious exception, not a trap you can fall into.

+1

I've fallen into that trap myself.

As a result, if I have to remove a security proxy (in non-test code) I
ask myself if the operation I'm about to do is one the user shouldn't be
able to do of their own accord (otherwise it shouldn't be restricted by
the security proxy in the first place) and I'm removing the security
proxy because the system needs to perform some action that the user
himself isn't allowed to do.

Another rule of thumb I follow is that if I remove a security proxy I
try not to bind the naked object to a name but instead perform the
operation in the same expression as the call to removeSecurityProxy.
That way I don't introduce any unintentional un-proxied operations
later.

If that's not possible I'll explicitly "del" the name binding as soon as
I'm done with it (with copious comments to explain what's going on).
-- 
Benji York