On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards <[email protected]> wrote: > On Monday 26 July 2010 10:29:56 Robert Collins wrote: >> Lastly, and here I expose my ignorance of some subtleties in zope - I >> thought security proxies only lived between view and model objects, >> not between model objects? > > That's right. Once the code inside a proxied object is running, it's > effectively security-free and can see objects that the code outside of it > would not normally be able to access. > > We need to be careful about this, because there's no protection against > returning data to the caller that it should not see.
So I don't understand this overall change then. If we're testing view code, we want something like: Proxy -> model1 -> model2 etc If we're testing model code, given that model code is unproxied as it interacts with other model code, we want model1 -> model2 Only view code can depend on security proxies for permission checking, so making all our tests have security proxies *does not fit* our deployed object structure, and can easily fail by having a false sense of security. What about this: * Write a decorator factory that wraps *anything* it is asked for in a proxy, except one attribute 'unwrapped_factory' (which is the thing it is decorating). * Make the view tests get a decorated launchpad factory * Leave unit tests alone. This requires backing out the recent changes, but I think its the right thing todo because it will more accurately match how things work in production, which is the driving force behind this change in the first place. -Rob _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
