subscribed team cannot view branch owned by (a different) private team
Bug #605130 reported by Monty Taylor
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Ian Booth | |
Bug Description
Bear with me - this is a slightly obtuse edge case.
Make a private branch associated with a project.
Subscribe a team to that branch.
Add a member to that team that cannot otherwise view the branch.
Now, as that member, go to the code.lp.net page for the project - you should see that the branch exists.
Click the link - you should experience FAIL.
BUT - if you bzr lp-login as that user and do a bzr branch of that branch, it does work as expected.
So, a team subscription does allow viewing of the branch, but for some reason web UI for this is bunk.
Related branches
lp:~wallyworld/launchpad/view-private-branch-artifacts-605130
- Curtis Hovey (community): Approve (code)
Diff: 200 lines (+123/-3), 3 files modified
lib/lp/code/browser/branch.py (+9/-1)
lib/lp/code/browser/branchsubscription.py (+14/-2)
lib/lp/code/browser/tests/test_branch.py (+100/-0)
lp:~wallyworld/launchpad/private-owned-entity-traversal
- Curtis Hovey (community): Approve (code)
Diff: 263 lines (+118/-38), 5 files modified
lib/canonical/launchpad/security.py (+38/-27)
lib/lp/app/browser/launchpad.py (+2/-2)
lib/lp/app/tests/test_tales.py (+30/-5)
lib/lp/registry/doc/private-team-visibility.txt (+38/-0)
lib/lp/testing/factory.py (+10/-4)
lp:~wallyworld/launchpad/private-owned-entity-traversal-2
- Curtis Hovey (community): Approve (code)
Diff: 991 lines (+310/-170), 22 files modified
lib/canonical/launchpad/interfaces/_schema_circular_imports.py (+5/-5)
lib/canonical/launchpad/security.py (+38/-27)
lib/canonical/launchpad/webapp/authorization.py (+1/-1)
lib/canonical/launchpad/webapp/interaction.py (+2/-1)
lib/lp/app/browser/launchpad.py (+2/-2)
lib/lp/app/browser/tales.py (+8/-0)
lib/lp/app/tests/test_tales.py (+16/-9)
lib/lp/bugs/browser/tests/test_bugsubscription_views.py (+1/-1)
lib/lp/code/browser/tests/test_branchlisting.py (+4/-3)
lib/lp/registry/browser/tests/test_mailinglists.py (+8/-6)
lib/lp/registry/browser/tests/test_person_view.py (+12/-8)
lib/lp/registry/configure.zcml (+6/-4)
lib/lp/registry/doc/person.txt (+2/-1)
lib/lp/registry/doc/private-team-visibility.txt (+61/-0)
lib/lp/registry/interfaces/person.py (+79/-77)
lib/lp/registry/interfaces/role.py (+2/-1)
lib/lp/registry/model/personroles.py (+10/-8)
lib/lp/registry/stories/webservice/xx-derivedistroseries.txt (+2/-1)
lib/lp/registry/tests/test_person_vocabularies.py (+3/-2)
lib/lp/registry/tests/test_team_webservice.py (+4/-5)
lib/lp/soyuz/tests/test_archive_subscriptions.py (+33/-3)
lib/lp/testing/factory.py (+11/-5)
lp:~sinzui/launchpad/rollback-private-traversal
- Curtis Hovey (community): Approve (code)
Diff: 1271 lines (+201/-453), 26 files modified
lib/canonical/launchpad/interfaces/_schema_circular_imports.py (+5/-5)
lib/canonical/launchpad/security.py (+27/-38)
lib/canonical/launchpad/webapp/authorization.py (+1/-1)
lib/canonical/launchpad/webapp/interaction.py (+1/-2)
lib/lp/app/browser/launchpad.py (+2/-2)
lib/lp/app/browser/tales.py (+0/-8)
lib/lp/app/tests/test_tales.py (+9/-16)
lib/lp/bugs/browser/tests/test_bugsubscription_views.py (+1/-1)
lib/lp/code/browser/branch.py (+1/-9)
lib/lp/code/browser/branchsubscription.py (+2/-14)
lib/lp/code/browser/tests/test_branch.py (+0/-100)
lib/lp/code/browser/tests/test_branchlisting.py (+3/-4)
lib/lp/code/stories/branches/xx-subscribing-branches.txt (+20/-14)
lib/lp/registry/browser/tests/test_mailinglists.py (+6/-8)
lib/lp/registry/browser/tests/test_person_view.py (+8/-12)
lib/lp/registry/configure.zcml (+4/-6)
lib/lp/registry/doc/person.txt (+1/-2)
lib/lp/registry/doc/private-team-visibility.txt (+0/-61)
lib/lp/registry/interfaces/person.py (+85/-85)
lib/lp/registry/interfaces/role.py (+1/-2)
lib/lp/registry/model/personroles.py (+8/-10)
lib/lp/registry/stories/webservice/xx-derivedistroseries.txt (+1/-2)
lib/lp/registry/tests/test_person_vocabularies.py (+2/-3)
lib/lp/registry/tests/test_team_webservice.py (+5/-4)
lib/lp/soyuz/tests/test_archive_subscriptions.py (+3/-33)
lib/lp/testing/factory.py (+5/-11)
lp:~sinzui/launchpad/private-traversal-4
- Ian Booth (community): Approve (code)
- Steve Kowalik (community): Approve (code)
Diff: 978 lines (+419/-174), 16 files modified
lib/canonical/launchpad/interfaces/_schema_circular_imports.py (+6/-5)
lib/canonical/launchpad/security.py (+38/-27)
lib/lp/app/browser/launchpad.py (+2/-2)
lib/lp/app/browser/tales.py (+8/-0)
lib/lp/app/tests/test_tales.py (+16/-9)
lib/lp/bugs/browser/tests/test_bugsubscription_views.py (+1/-1)
lib/lp/code/browser/branch.py (+9/-1)
lib/lp/code/browser/branchsubscription.py (+14/-2)
lib/lp/code/browser/tests/test_branch.py (+100/-0)
lib/lp/code/browser/tests/test_branchlisting.py (+4/-3)
lib/lp/code/stories/branches/xx-subscribing-branches.txt (+14/-20)
lib/lp/registry/configure.zcml (+6/-4)
lib/lp/registry/doc/private-team-visibility.txt (+61/-0)
lib/lp/registry/interfaces/person.py (+99/-99)
lib/lp/registry/interfaces/role.py (+2/-1)
lib/lp/soyuz/tests/test_archive_subscriptions.py (+39/-0)
affects: launchpad → launchpad-code
summary:
- subscribed team cannot view private branch
+ subscribed team cannot view branch owned by (a different) private team
Changed in launchpad:
importance: Medium → High
Changed in launchpad:
assignee: nobody → Ian Booth (wallyworld)
status: Triaged → In Progress
tags: added: qa-ok removed: qa-needstesting
tags: added: bad-commit-14477 qa-bad removed: qa-ok
tags: added: bad-commit-14490
tags: added: bad-commit-14489 removed: bad-commit-14490
tags: added: qa-bad removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → In Progress
tags: added: qa-untestable removed: qa-needstesting
tags: added: qa-ok removed: qa-needstesting
tags: removed: bad-commit-14489
Changed in launchpad:
status: Fix Committed → Fix Released
This has to do with how we actually handle branch traversal. We have a
denormalised field that stores the full unique name of the branch. This is
what is used for branch access and code browse.
However the web UI traversal goes through each segment of the URL, and thus
hits the private team that is the owner of the branch, and causes the page to
be forbidden to the subscriber.
status triaged
importance medium
tag privacy
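
The mismatch described in the comment above, as an added example: a simplified model, not Launchpad's code, of one private branch reached by a direct unique-name lookup and by segment-by-segment URL traversal, plus a consistency check that reports users on whom the two paths disagree. All class names, function names and sample teams are hypothetical.

```python
# Simplified model of the two access paths (an assumption, not Launchpad code).
from dataclasses import dataclass, field

@dataclass
class Team:
    private: bool
    members: set = field(default_factory=set)

    def can_view(self, user):
        # A private team is visible only to its own members.
        return not self.private or user in self.members

@dataclass
class Branch:
    unique_name: str  # denormalised "~owner/project/branch"
    owner: Team
    subscribers: list = field(default_factory=list)  # subscribed teams

    def can_view(self, user):
        # Private branch: owner's members, or members of a subscribed team.
        teams = [self.owner, *self.subscribers]
        return any(user in team.members for team in teams)

def lookup_by_unique_name(branches, user, unique_name):
    """Direct path: one lookup by unique name, one check on the branch."""
    return branches[unique_name].can_view(user)

def traverse_url(branches, user, unique_name):
    """Segment-by-segment path: the owner segment is checked first."""
    branch = branches[unique_name]
    if not branch.owner.can_view(user):
        return False  # forbidden at "~owner", before the branch is reached
    return branch.can_view(user)

def inconsistent_paths(branches, users):
    """Return (user, branch) pairs on which the two paths disagree."""
    return sorted(
        (user, name) for name in branches for user in users
        if lookup_by_unique_name(branches, user, name)
        != traverse_url(branches, user, name))

# Constructed sample data following the reproduction steps.
OWNERS = Team(private=True, members={"alice"})
READERS = Team(private=False, members={"bob"})
TRUNK = Branch("~secret-owners/proj/trunk", OWNERS, [READERS])
BRANCHES = {TRUNK.unique_name: TRUNK}

if __name__ == "__main__":
    print(inconsistent_paths(BRANCHES, ["alice", "bob", "carol"]))
```

Run as a regression check over every (user, branch) pair, an empty result means both entry points enforce the same decision.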