[Zope3-dev] Security and __repr__

[Jim Fulton]

A year or two ago we decided to make __repr__ always available.

This was done for convenience.  When debugging, you often
have security-proxied values and it can be terribly inconvenient
to get security errors when simply evaluating the values at an
interpreter prompt.  To avoid this, we arranged for security proxy
reprs to output something along the lines of:

   <security proxied foo.bar at somaddress>

but many people found this to be very inconvenient.

Making __repr__ always available has two down sides:

- it places a security requirement on class implementors that they
   never reveal any sensitive information in their __repr__ implemetations.
   This would be a pretty significant requirement that might be hard to
   make adequately well-known.

- It makes it harder to see that a value is proxied.  Most objects
   have boring reprs anyway.  Providing a fallback repr that
   shows the class and that shows that something is proxied adds value.

I'd like to go back to using a fallback repr if there isn't a
security dclaration for a repr.

Thoughts?

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org