In message <alpine.DEB.2.21.1910060052090.28559@digraph.polyomino.org.uk>,
Joseph Myers writes:
>OK, this is the opendb calls from roundup.cgi.client.determine_user 
>reopening the database.

Ah ok. I didn't know where the call came from. Thanks.

>And we'd like the permissions somehow to be 
>checked only on the load of the schema that happens at roundup-server 
>initialization time and not on this reopening.

Agreed. But I am not sure that Tracker::__init__ actually loads (as
opposed to compiles) the schema. Tracker::__init__ is only called once
AFAICT by roundup-server and I assume other persistence methods (wsgi
etc.).

>Although really checking the permissions ought to be very efficient,
>and a lot quicker than the rest of loading the schema.

The code I have doing the realtime check is short. The problem was
finding a valid initialized open database handle when code from
security.py is called. Much of it is caled with a weak reference to
the db that is incompletely initialized. The code below is called from
hasPermission. self.db in hasPermission is the db variable.

    def validate_properties(self, db):
        cl = db.getclass(self.klass)
        class_props = cl.getprops(protected=True)
        for p in self.properties:
            if p in class_props:
                continue
            d = dict(property=p, klass=self.klass, permission=self)
            raise ValueError(
                'In permision %(permission)s %(property)s is not a property of class %(klass)s'% d)
        self._properties_valid = True

This is doing a database getclass and getprops for every permission. I
hope these are cheap calls, but I'm not sure. With 110 permissions, I
am not seing a difference in running roundup-admin security with and
without property checks, so I assume cheap.