launchpad-dev team mailing list archive

[Julian Edwards <julian.edwards@xxxxxxxxxxxxx>]

On Monday 26 July 2010 17:54:00 Benji York wrote:
> On Mon, Jul 26, 2010 at 12:13 PM, Julian Edwards
> 
> <julian.edwards@xxxxxxxxxxxxx> wrote:
> > If it is *really* needed, I would *much* rather see an explicit
> > removeSecurityProxy() with a comment explaining why you need to remove
> > the wrapper.  It should be a conscious exception, not a trap you can
> > fall into.
> 
> +1
> 
> I've fallen into that trap myself.
> 
> As a result, if I have to remove a security proxy (in non-test code) I
> ask myself if the operation I'm about to do is one the user shouldn't be
> able to do of their own accord (otherwise it shouldn't be restricted by
> the security proxy in the first place) and I'm removing the security
> proxy because the system needs to perform some action that the user
> himself isn't allowed to do.
> 
> Another rule of thumb I follow is that if I remove a security proxy I
> try not to bind the naked object to a name but instead perform the
> operation in the same expression as the call to removeSecurityProxy.
> That way I don't introduce any unintentional un-proxied operations
> later.

Hi Benji

One of our conventions is to do something like this, although your way is also 
something I've seen in our code.

    naked_thing = removeSecurityProxy(thing)

> If that's not possible I'll explicitly "del" the name binding as soon as
> I'm done with it (with copious comments to explain what's going on).

Adding more comments is rarely bad :)