Gary Poster wrote: > Hi all. > > Many moons ago, during a review, Barry and I talked about the way we do > security in our view code. I felt that neither the purpose nor the > rules for our security story were crystal clear. This led to a > discussion in the reviewers meeting, and an action item for me to bring > up the discussion with the whole team. > > It's been so long that I strongly suspect I will miss some important > parts of the previous discussions, for which I apologize in advance. > Hopefully others will be willing to repeat their past corrections and > additions of what I write. > > So here's my understanding of where we are. Please correct and comment!
It looks pretty accurate to me. > - An import fascist controls what can be imported. You may only import > code in a module's __all__. This actually affects all code, not just > view code. I do wonder what the import fascist buys us these days. It used to, at least, prevent one from importing database code into non-database code, which would have been another way to punch through our security, and indeed I thought that was more of the point than the __all__ business. It doesn't look like this got updated to prevent lp.foo.browser.bar importing from lp.baz.model.quux though, and I don't think we've missed it. Cheers, mwh _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
