On 26.07.2010 17:03, Jonathan Lange wrote:
> On Mon, Jul 26, 2010 at 11:15 AM, Abel Deuring
> <[email protected]> wrote:
>> On 26.07.2010 12:06, Robert Collins wrote:
>>> On Mon, Jul 26, 2010 at 11:44 AM, Julian Edwards
>>> <[email protected]> wrote:
>>>> On Monday 26 July 2010 10:29:56 Robert Collins wrote:
>>>>> Lastly, and here I expose my ignorance of some subtleties in zope - I
>>>>> thought security proxies only lived between view and model objects,
>>>>> not between model objects?
>>>>
>>>> That's right. Once the code inside a proxied object is running, it's
>>>> effectively security-free and can see objects that the code outside of it
>>>> would not normally be able to access.
>>>>
>>>> We need to be careful about this, because there's no protection against
>>>> returning data to the caller that it should not see.
>>>
>>> So I don't understand this overall change then.
>>>
>>> If we're testing view code, we want something like:
>>> Proxy -> model1 -> model2 etc
>>> If we're testing model code, given that model code is unproxied as it
>>> interacts with other model code, we want
>>> model1 -> model2
>>>
>>> Only view code can depend on security proxies for permission checking,
>>> so making all our tests have security proxies *does not fit* our
>>> deployed object structure, and can easily fail by having a false sense
>>> of security.
>>>
>>> What about this:
>>> * Write a decorator factory that wraps *anything* it is asked for in a
>>> proxy, except one attribute 'unwrapped_factory' (which is the thing it
>>> is decorating).
>>>
>>> * Make the view tests get a decorated launchpad factory
>>>
>>> * Leave unit tests alone.
>>
>> If we don't work with proxied objects in the unit tests, we may miss
>> permission problems, unless the view tests cover each code path...
>>
>
> I used to agree, but now I'm not so sure. Can you give an example of
> the kind of permission problem we might miss, or of one that we've
> caught because we were using security proxies in our model tests?

I can't give any good example. My reason simply is this: if we get an
Unauthorized exception while iterating over the result of
getUtility(IFooSet).getStuff(), we know that we should either fix
getStuff() or use/write a method getStuffForUser(some_person).

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp
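
The proxy boundary discussed in this thread, as an added sketch that is not Launchpad code and not written by any participant. Proxy is a toy stand-in for a Zope security proxy, and Foo, FooSet, Factory, makeFoo, can_view and view_titles are hypothetical names; only getStuff, getStuffForUser and unwrapped_factory come from the thread.

```python
class Unauthorized(Exception):
    """Stand-in for the error a security proxy raises."""

class Proxy:
    """Toy proxy: checks view permission on every attribute read."""
    def __init__(self, obj, user):
        self._obj, self._user = obj, user
    def __getattr__(self, name):  # reached only for names not on the proxy
        if not self._obj.can_view(self._user):
            raise Unauthorized(name)
        return getattr(self._obj, name)

class Foo:
    def __init__(self, title, owner, private=False):
        self.title, self.owner, self.private = title, owner, private
    def can_view(self, user):
        return not self.private or user == self.owner

class FooSet:
    """Model code: runs unproxied, so it sees every object."""
    def __init__(self, foos):
        self._foos = foos
    def getStuff(self):
        return list(self._foos)
    def getStuffForUser(self, person):
        return [f for f in self._foos if f.can_view(person)]

class Factory:
    def makeFoo(self, title, owner, private=False):
        return Foo(title, owner, private)

class ProxyingFactory:
    """Wraps whatever the real factory makes; 'unwrapped_factory' stays bare."""
    def __init__(self, factory, user):
        self.unwrapped_factory, self._user = factory, user
    def __getattr__(self, name):
        make = getattr(self.unwrapped_factory, name)
        return lambda *a, **kw: Proxy(make(*a, **kw), self._user)

def view_titles(foos, user):
    """View code: reads model objects through proxies."""
    return [Proxy(f, user).title for f in foos]

# Constructed sample data: one public and one private object owned by alice.
FOOS = FooSet([Foo("public", "alice"), Foo("secret", "alice", private=True)])

if __name__ == "__main__":
    print([f.title for f in FOOS.getStuff()])               # model-to-model: no checks
    print(view_titles(FOOS.getStuffForUser("bob"), "bob"))  # filtered for the user
```

Calling view_titles(FOOS.getStuff(), "bob") raises Unauthorized on the private object, which is the signal described in the last reply; the same call made directly on the unproxied model objects returns both titles with no check at all.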

