Message6696
In message <alpine.DEB.2.21.1910060052090.28559@digraph.polyomino.org.uk>,
Joseph Myers writes:
>OK, this is the opendb calls from roundup.cgi.client.determine_user
>reopening the database.

Ah ok. I didn't know where the call came from. Thanks.

>And we'd like the permissions somehow to be
>checked only on the load of the schema that happens at roundup-server
>initialization time and not on this reopening.

Agreed. But I am not sure that Tracker::__init__ actually loads (as
opposed to compiles) the schema. Tracker::__init__ is only called once
AFAICT by roundup-server and I assume other persistence methods (wsgi
etc.).

>Although really checking the permissions ought to be very efficient,
>and a lot quicker than the rest of loading the schema.

The code I have doing the realtime check is short. The problem was
finding a valid initialized open database handle when code from
security.py is called. Much of it is called with a weak reference to
the db that is incompletely initialized. The code below is called from
hasPermission. self.db in hasPermission is the db variable.
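
    def validate_properties(self, db):
        # Look up the class this permission applies to and its properties,
        # including protected ones.
        cl = db.getclass(self.klass)
        class_props = cl.getprops(protected=True)
        for p in self.properties:
            if p in class_props:
                continue
            # A property named in the permission does not exist on the class.
            d = dict(property=p, klass=self.klass, permission=self)
            raise ValueError(
                'In permission %(permission)s %(property)s is not a '
                'property of class %(klass)s' % d)
        # Every listed property exists on the class.
        self._properties_valid = True
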
This is doing a database getclass and getprops for every permission. I
hope these are cheap calls, but I'm not sure. With 110 permissions, I
am not seeing a difference in running roundup-admin security with and
without property checks, so I assume cheap.

Date | User | Action | Args
2019-10-06 01:40:01 | rouilj | set | recipients: + rouilj, joseph_myers
2019-10-06 01:40:01 | rouilj | link | issue2551062 messages
2019-10-06 01:40:01 | rouilj | create |
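
The check discussed in the message above, run lazily on first use, as an added example that is not part of the original message or of Roundup's code. StubClass, StubDB, the simplified Permission class, its check() call site and the sample schema are assumptions made for illustration; only getclass, getprops(protected=True), validate_properties and _properties_valid come from the message.

```python
# Stand-ins for the tracker database; hypothetical, not Roundup's classes.
class StubClass:
    def __init__(self, props):
        self._props, self.getprops_calls = props, 0

    def getprops(self, protected=True):
        self.getprops_calls += 1  # count schema lookups
        return dict.fromkeys(self._props)

class StubDB:
    def __init__(self, classes):
        self._classes = classes

    def getclass(self, name):
        return self._classes[name]

class Permission:
    def __init__(self, name, klass, properties):
        self.name, self.klass, self.properties = name, klass, properties
        self._properties_valid = False  # set once the check has passed

    def validate_properties(self, db):
        class_props = db.getclass(self.klass).getprops(protected=True)
        for p in self.properties:
            if p not in class_props:
                raise ValueError('In permission %s %s is not a property of '
                                 'class %s' % (self.name, p, self.klass))
        self._properties_valid = True

    def check(self, db, klass, prop):
        # Assumed call site: validate on first use, then rely on the flag.
        if not self._properties_valid:
            self.validate_properties(db)
        return klass == self.klass and prop in self.properties

def demo():
    issue = StubClass(['title', 'status', 'assignedto'])  # constructed schema
    db = StubDB({'issue': issue})
    good = Permission('Edit', 'issue', ['title', 'status'])
    results = [good.check(db, 'issue', p) for p in ('title', 'status')]
    calls = issue.getprops_calls  # one lookup serves both checks
    bad = Permission('Edit', 'issue', ['titel'])  # constructed typo
    try:
        bad.check(db, 'issue', 'titel')
    except ValueError as exc:
        return results, calls, str(exc)
    return results, calls, None
```

With the flag cached, the getclass/getprops cost is paid once per permission rather than once per permission check, and a misspelled property name fails loudly instead of producing a rule that never matches.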