ArchiveView permissions should use subscriptions
Bug #336779 reported by
Michael Nelson
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Low
|
Steve Kowalik |
Bug Description
Currently viewing of private archives is restricted to only admins, the owner of the archive or the members of the team owning the archive.
In the near future, we may want to extend this so that permission to view private archives is determined by the subscriptions to that archive (with the owning person/team being subscribed automatically).
Related branches
lp:~stevenk/launchpad/expose-iarchive-newauth
- Jelmer Vernooij (community): Approve (code)
-
Diff: 212 lines (+83/-43)5 files modifiedlib/lp/soyuz/doc/archiveauthtoken.txt (+1/-8)
lib/lp/soyuz/interfaces/archive.py (+28/-19)
lib/lp/soyuz/model/archive.py (+20/-16)
lib/lp/soyuz/stories/webservice/xx-archive.txt (+10/-0)
lib/lp/soyuz/tests/test_archive.py (+24/-0)
Changed in soyuz: | |
importance: | Undecided → Low |
status: | New → Triaged |
tags: | added: tech-debt |
tags: | added: qa-ok |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in soyuz: | |
status: | Fix Committed → Fix Released |
To post a comment you must log in.
Exposing view permissions for archive subscribers is not that great an idea I don't think, it lets the subscriber see a lot more than the archive owner probably intends.
There is a requirement for the Software Store in 10.04 to be able browse private PPAs via the API. We need to think more carefully about how the API will do that, rather than rushing forwards with a quick hack to open IArchive. We can possibly proxy information via the subscription, which has its own set of permssions.