Barry Warsaw wrote:
> On Feb 05, 2010, at 04:20 PM, Henning Eggers wrote:
>
>> 1. The LP API exposes model classes directly to the web, leaving only
>> the Zope security declaration in ZCML as protection (no view).
>
> This seems like an especially bad situation for us to be in, because it will
> (has already?) lead to security breaches. We've been confident that our views
> protect our models from abuse via the web ui, but as we add more API we don't
> get the same level of confidence.

I've never thought of "security in the view" as very reassuring -- it would be just as easy to expose the functionality in a new way and lose the security checks.

> Many objects and methods are exposed in
> both places and need similar constraints. It's becoming increasingly common
> to expose functionality /only/ through the API (e.g. software center) and
> there is no systematic way to protect such access.

On the contrary, there _is_ a systematic way to protect such access: security.py. It's not perfect, certainly, but it's way more systematic than anything else we do...

> Overloading the models
> with more and more security does not seem like a good long term path.

I can't think of anywhere _better_ to put it. I think it would be a nice thing if the entire Launchpad website could be written as an API client and if the API exposes the model more-or-less directly...

Cheers,
mwh

