launchpad-dev team mailing list archive

[Julian Edwards <julian.edwards@xxxxxxxxxxxxx>]

On Tuesday 19 April 2011 15:02:41 Francis J. Lacoste wrote:
> On April 19, 2011, Julian Edwards wrote:
> > {{{
> > 
> > class EditDistroSeriesParent(AuthorizationBase):
> >     """DistroSeriesParent can be edited by the same people who can edit
> >     the derived_distroseries."""
> >     permission = "launchpad.Edit"
> >     usedfor = IDistroSeriesParent
> >     
> >     def checkAuthenticated(self, user):
> >         auth = EditDistroSeriesByReleaseManagerOrDistroOwnersOrAdmins(
> >         
> >             self.obj.derived_series)
> >         
> >         return auth.checkAuthenticated(user)
> > 
> > }}}
> > 
> > Editing the DistroSeriesParent is identical to editing DistroSeries so
> > that  policy is re-used directly.
> > 
> > Did I misunderstand or is this short-circuiting the security policy in a
> > way  I'm not thinking of?
> 
> The above code assumes that the security adapter configured for
> launchpad.Edit on self.obj.derived_series would be
> EditDistroSeriesByReleaseManagerOrDistroOwnersOrAdmins
> 
> That's probably the case currently. But let's say we introduce a new kind
> of derived_series that has a different kind of security adapter
> registered. That would introduce a bug here.

Well, would it though?  If the secondary security adapter changes to what this 
one expects, that also could be considered a bug :-)

Gavin makes a very good point about caching though!