Show the name of the private team in the public role

Robert does not like the use of a flag or enum to identify when a team name may be known because it ignores context. When a team is placed in a position where another party must know the team name, context is established and only the other party should know of the team.

We want a solution that also address the case of traversing a private project. When a private project give me access to a bug targets to a series, I may know the project and series name/displayname because I must traverse them to get to the bug. The bug may show the names. I may also learn the milestone names shown on the bug, as well as the private team assigned to the bug.

An adapter might solve the issue. adapting an object to IRestrictedObserver could do the proper security check and return either the object or a light representation that only provides access to type, name, and displayname. Consider that most code faults when dealing with private teams were working with displaynames and names. In many cases, they will not raise an unauthorised error if the result set returned the correct items. The tales adapter for team could assume the user has access and catch the UnauthorizedError and return <Hidden name>.

Robert also suggest that instead of solving a hypothetical case, a good solution will solve the case where a user is granted access to a private team's archive. The user may know the name and displayname of the team, can may see the PPA page and subordinate pages. The user may not see the other PPAs, or other team pages.

See also bug 405277 which has a fairly comprehensive analysis about this sort of issue.

We have solved the traversal case where archive and branch subscribers may know the identifying information about the private team.

We need to solve the cases where the user may know the private team's identifying information, but it is not obvious from the request that the user is permitted. Consider the API scenario where a private team owns a public project. After I retrieve the project, accessing project.owner must succeed. I may access the LimitView attributes like name and display_name.

The purple team is sceptical that a comprehensive and fast query can be written without denormalised data. There is a finite number of public interactions that are currently implement and queries could be written to check those:

    Product.owner
    Product.security_contact
    Product.driver
    Product.bug_supervisor
    Distribution.owner
    Distribution.security_contact
    Distribution.driver
    Distribution.bug_supervisor
    Project.owner
    Project.driver

    BugTask.assignee
    Branch.owner
    Branch.reviewer
    BranchMergeProposal.reviewer
    CodeReviewVote.reviewer
    Specification.approver
    Specification.drafter
    Specification.assignee
    Question.assignee

    BugSubscription.person
    BranchSubsription.person
    SpecificationSubscription.person
    QuestionSubscription.person

^ This check must exclude deactivate projects and products. It must exclude private projects and distributions in the future (which will be tracked in separate bug)
^ Private bugs and branch are not public interactions.
^ CodeReviewVote is tainted. Teams cannot vote, but a team can be placed in a voting position temporarily.
^ Branches owned by a private team on a project not owned by the team reveal the team.

I think someone of these columns could be treated as separate bugs. The case of a private team's branch on someone else's project might not be a case of public to everyone. Maybe the branch is revealed to the users in the project privacy/security policy.

Fixed in stable r14588 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/14588>.