launchpad-dev team mailing list archive

Thread
Date

Re: check_permission removed from security.py

To: launchpad-dev@xxxxxxxxxxxxxxxxxxx
From: "Francis J. Lacoste" <francis.lacoste@xxxxxxxxxxxxx>
Date: Tue, 19 Apr 2011 10:02:41 -0400
In-reply-to: <201104191425.12499.julian.edwards@canonical.com>
Organization: Canonical Ltd.
User-agent: KMail/1.13.6 (Linux/2.6.38-8-generic; KDE/4.6.2; x86_64; ; )

On April 19, 2011, Julian Edwards wrote:
> {{{
> class EditDistroSeriesParent(AuthorizationBase):
>     """DistroSeriesParent can be edited by the same people who can edit
>     the derived_distroseries."""
>     permission = "launchpad.Edit"
>     usedfor = IDistroSeriesParent
> 
>     def checkAuthenticated(self, user):
>         auth = EditDistroSeriesByReleaseManagerOrDistroOwnersOrAdmins(
>             self.obj.derived_series)
>         return auth.checkAuthenticated(user)
> }}}
> 
> Editing the DistroSeriesParent is identical to editing DistroSeries so
> that  policy is re-used directly.
> 
> Did I misunderstand or is this short-circuiting the security policy in a
> way  I'm not thinking of?

The above code assumes that the security adapter configured for launchpad.Edit 
on self.obj.derived_series would be 
EditDistroSeriesByReleaseManagerOrDistroOwnersOrAdmins

That's probably the case currently. But let's say we introduce a new kind of 
derived_series that has a different kind of security adapter registered. That 
would introduce a bug here.


-- 
Francis J. Lacoste
francis.lacoste@xxxxxxxxxxxxx

Attachment: signature.asc
Description: This is a digitally signed message part.

Follow ups

Re: check_permission removed from security.py
From: Julian Edwards, 2011-04-19

References

check_permission removed from security.py
From: Henning Eggers, 2011-04-19
Re: check_permission removed from security.py
From: Gavin Panella, 2011-04-19
Re: check_permission removed from security.py
From: Julian Edwards, 2011-04-19