TL;DR. Python's underscore prefix is documentation, not enforcement. In small codebases that's fine. In codebases shared across teams, the convention drifts — and reviewers spend cycles pointing it out instead of catching real bugs. I shipped a 1.0 of `strictaccess`, a small library that turns the convention into a runtime contract with `@private` / `@protected` / `@public` decorators. It also has an explicit "Limitations" page declaring it is not a security boundary.

## The problem

You've seen this in every Python codebase past 20 contributors:

```python
class PaymentService:
    def __init__(self, gateway):
        self._gateway = gateway  # "protected by convention"

    def _charge(self, amount):  # "internal helper, don't call"
        ...

    def process(self, order):
        self._charge(order.total)
```

Three months later, someone writes:

```python
# Quick fix: bypass validation, the manager said it's urgent.
service._charge(order.total + tip)
```

It works.…
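The runtime contract described in the TL;DR, sketched as an added example; this is not `strictaccess`'s code or API. The `private` decorator, `AccessViolation`, `outside_call` and `via_wrapped` are hypothetical names, `PaymentService` is adapted from the snippet above with a plain list as a constructed gateway, and the last function shows why a guard like this is a contract and not a security boundary.

```python
import functools
import sys


class AccessViolation(Exception):
    """Raised when a guarded method is called from outside its defining class."""


def private(method):
    """Hypothetical guard: only code defined in the owning class may call `method`."""
    @functools.wraps(method)
    def guard(self, *args, **kwargs):
        # Find the class in the MRO whose body defined this guarded method.
        owner = next(k for k in type(self).__mro__
                     if any(v is guard for v in vars(k).values()))
        # Code objects of every function defined in that class body.
        allowed = {getattr(getattr(v, "__wrapped__", v), "__code__", None)
                   for v in vars(owner).values()}
        # sys._getframe is CPython-specific: frame 1 is whoever called the guard.
        if sys._getframe(1).f_code not in allowed:
            raise AccessViolation(f"{method.__qualname__} is private")
        return method(self, *args, **kwargs)
    return guard


class PaymentService:
    def __init__(self, gateway):
        self._gateway = gateway  # constructed stand-in: a plain list

    @private
    def _charge(self, amount):
        self._gateway.append(amount)
        return amount

    def process(self, total):
        return self._charge(total)  # allowed: caller is defined in PaymentService


def outside_call(service, amount):
    """Mirrors the 'quick fix' from the post: a direct call from outside the class."""
    try:
        return service._charge(amount)
    except AccessViolation:
        return "blocked"


def via_wrapped(service, amount):
    """The guard is ordinary Python: the undecorated function stays reachable."""
    return PaymentService._charge.__wrapped__(service, amount)
```

The guard catches accidental or convenience calls in review and CI; anything that must hold against hostile code in the same process needs a real boundary such as a separate process or service.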