branch-rewrite.py sometimes tries to access forbidden tables

Bug #1040143 reported by William Grant
This bug affects 1 person
Affects: Launchpad itself
Status: Triaged
Importance: High
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

branch-rewrite.py's DB user only has SELECT on branch. But sometimes when looking up /+branch URLs it tries to query person, product, productseries, and possibly more.

I haven't managed to reproduce the product/productseries access without an initial person access, despite seeing it on production. To reproduce the person access, ask it to translate a URL like /+branch/~foo/bar/baz.

For now we've cowboyed person/product/productseries permissions on production, but this needs to be fixed or the workaround added to security.cfg before the next fastdowntime.

2012-08-22 15:43:53 ERROR Exception occurred:
Traceback (most recent call last):
  File "./scripts/branch-rewrite.py", line 64, in main
    print rewriter.rewriteLine(line.strip())
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/codehosting/rewrite.py", line 114, in rewriteLine
    resource_location)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/codehosting/rewrite.py", line 61, in _getBranchIdAndTrailingPath
    branch, trailing = lookup.getByHostingPath(location.lstrip('/'))
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 291, in getByHostingPath
    return get_first_path_result(path, self.performLookup, (None, ''))
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/interfaces/branchlookup.py", line 203, in get_first_path_result
    for result in results:
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 277, in performLookup
    return self.getByLPPath(lookup['lp_path'])
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 391, in getByLPPath
    branch = namespace_set.traverse(segments)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 586, in traverse
    person = self._findPerson(person_name)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 616, in _findPerson
    NoSuchPerson, person_name, getUtility(IPersonSet).getByName)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 609, in _findOrRaise
    result = finder(*args)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/registry/model/person.py", line 3433, in getByName
    return Person.selectOne(query)
  [SNIP]
ProgrammingError: permission denied for relation person
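
The following is an added example, not part of the bug report and not Launchpad code: a test harness that records which tables a lookup path reads and compares them with the grant, so a mismatch like the one above shows up before production. It uses SQLite's authorizer hook as a stand-in for the PostgreSQL role; the schema, the two lookup functions and the GRANTED set are constructed assumptions.

```python
import sqlite3

# Per the report: the script's DB user only has SELECT on branch.
GRANTED = {"branch"}

def make_db():
    """Constructed, minimal schema; not the real Launchpad tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE branch (id INTEGER PRIMARY KEY, unique_name TEXT,
                             owner INTEGER);
        INSERT INTO person VALUES (1, 'foo');
        INSERT INTO branch VALUES (10, '~foo/bar/baz', 1);
    """)
    return db

def lookup_by_unique_name(db, path):
    """Hypothetical lookup that stays inside the grant."""
    return db.execute(
        "SELECT id FROM branch WHERE unique_name = ?", (path,)).fetchone()

def lookup_by_traversal(db, path):
    """Hypothetical lookup that resolves the owner first, like the
    _findPerson step in the traceback."""
    owner = path.split("/")[0].lstrip("~")
    person = db.execute(
        "SELECT id FROM person WHERE name = ?", (owner,)).fetchone()
    return db.execute(
        "SELECT id FROM branch WHERE owner = ?", person).fetchone()

def audit(func, path, enforce=False):
    """Run func on a fresh DB and return the tables it read outside GRANTED.

    With enforce=True, reads of ungranted tables are denied, so the lookup
    fails the way the least-privileged production user would.
    """
    db = make_db()
    seen = set()

    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ:
            seen.add(table)
            if enforce and table not in GRANTED:
                return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    db.set_authorizer(authorizer)
    func(db, path)
    return seen - GRANTED
```

Running audit() over every URL shape the script accepts gives the set of tables the grant would have to cover, or the code paths that need changing to stay within it.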

Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → In Progress
William Grant (wgrant) wrote :

I've landed the cowboyed permissions, but this still needs urgent investigation.

Changed in launchpad:
assignee: William Grant (wgrant) → nobody
status: In Progress → Triaged
William Grant (wgrant)
tags: added: qa-untestable
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in launchpad:
importance: Critical → High