launchpad-dev team mailing list archive

[Jonathan Lange <jml@xxxxxxxxxxxxx>]

On Mon, Jul 26, 2010 at 5:54 PM, Benji York <benji.york@xxxxxxxxxxxxx> wrote:
> On Mon, Jul 26, 2010 at 12:13 PM, Julian Edwards
> <julian.edwards@xxxxxxxxxxxxx> wrote:
>> If it is *really* needed, I would *much* rather see an explicit
>> removeSecurityProxy() with a comment explaining why you need to remove the
>> wrapper.  It should be a conscious exception, not a trap you can fall into.
>
> +1
>
> I've fallen into that trap myself.
>
> As a result, if I have to remove a security proxy (in non-test code) I
> ask myself if the operation I'm about to do is one the user shouldn't be
> able to do of their own accord (otherwise it shouldn't be restricted by
> the security proxy in the first place) and I'm removing the security
> proxy because the system needs to perform some action that the user
> himself isn't allowed to do.

That sounds like a good idea.

However, the question that I now have is this: what benefit do we gain
by insisting on security-proxied objects in the unit tests for our
model code?

jml