launchpad-dev team mailing list archive

Thread
Date

LP.cache fully populated for anonymous users

To: Launchpad Development <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
From: Aaron Bentley <aaron@xxxxxxxxxxxxx>
Date: Mon, 14 Nov 2011 10:31:37 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

Just a heads up, I've implemented full support for the LP.cache for
not-logged-in users in r14286.  We need this for the new dynamic bug
listings, because they use the JSONRequestCache to retrieve the next
batch of listings.  This has landed on qastaging.

Historically, we've avoided this because we wanted to obscure email
addresses.  henninge had already added support for obscuring text
fields of web service Resources, but since the JSONRequestCache can
also contain plain Python objects, I've made it obscure plain strings.

There are a few caveats; it is certainly possible to wilfully avoid
this obfuscation by using encoding (such as using "&#x40;" instead of
"@").  Ideally, there would be a sanctioned way to defeat the
obfuscation, like a "structured" string, but we can add that when and
if we need it.

This obfuscation does not affect server-side code, so if you want to
output the contents of the JSONRequestCache (as we do with the new bug
listings on the server side), you must manually obscure it.  For example:

  objects = obfuscate_structure(IJSONRequestCache(request).objects)

Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7BNFkACgkQ0F+nu1YWqI0kWwCdGZfUCatbcMIN6onC3T7ypSr2
bVUAnjbsMHedTVmIrmxfARFW5ZjpHF0m
=haM5
-----END PGP SIGNATURE-----

Follow ups

Re: LP.cache fully populated for anonymous users
From: curtis Hovey, 2011-11-14