Roundup Tracker - Issues

Issue 2550962

Check uses of assert in roundup code.
Type: Severity: normal
Components: Web interface, Mail interface, Command-line interface, User Interface Versions: devel
Status: new
: : rouilj, schlatterbeck
Priority: normal :

Created on 2018-06-27 00:22 by rouilj, last changed 2019-12-27 02:47 by rouilj.

msg6095 Author: [hidden] (rouilj) Date: 2018-06-27 00:22

I took a quick look. Most of them are obvious debugging only
changes, but I didn't analyze all of them.

3. Assert statements

Don’t use assert statements to guard against pieces of code that a user 
shouldn’t access. Take this simple example

def foo(request, user):
   assert user.is_admin, “user does not have access”
   # secure code...

Now, by default Python executes with __debug__ as true, but in a 
production environment it’s common to run with optimizations. This will 
skip the assert statement and go straight to the secure code regardless 
of whether the user is_admin or not.


Only use assert statements to communicate with other developers, such 
as in unit tests or in to guard against incorrect API usage.
msg6857 Author: [hidden] (rouilj) Date: 2019-12-27 02:47
Ran bandit against roundup code. It flagged a lot of asserts mostly in 
the TAL library, but some others are scattered throughout including 
backend code.

I removed an unneeded assert in cgi/ and converted
an assert to raising an exception in
Date User Action Args
2019-12-27 02:47:18rouiljsetmessages: + msg6857
2018-06-27 07:50:10schlatterbecksetnosy: + schlatterbeck
2018-06-27 00:22:43rouiljcreate