Jeremy Hylton email@example.com wrote:
Exceptions do seem like a problem.
This reminds me of a similar problem. Object A is a powerful object. Object B is a proxy for A which passes through only a subset of A's methods. So B is suitable to give to Object C, which should be able to use the B subset but not the full A set.
The problem is if the B subset of methods includes a callback idiom, in which Object A calls a function provided by its client and passes a reference to itself as an argument.
class A: def register_event_handler(self, handler): self.handlers.append(handler)
def process_events(self): # ... for handler in self.handlers: handler(self)
This allows C full access to object A's methods if C has access to the register_event_handler() method. (Even if A has private data and even if there is no flaw in the proxy or capability enforcement that prevents C from getting access to A through B.)
So the designer of the B proxy has to not only exclude dangerous methods of A, but also has to either exclude methods that lead to this kind of callback, or else make B a two-faced proxy that registers itself instead of C as the handler, forwards the callback, and passes a reference to itself instead of to A in the callback.