Show the name of the private team in the public role
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
High
|
Ian Booth |
Bug Description
private team names and displaynames can only be known to team owners and members. If a private team were placed in a public role observers would see <hidden name>, which is in appropriate. When a private team is in a public role, other users need to know not only of the existence but also the name so that it is not possible to spy on projects or users.
The affected roles include: project maintainer, driver, bug supervisor, security contact, and artefact subscribers.
The current implementation raises an authorisation error if the user does not have permission to access the team. This issue implies that some contexts for team access should permit accessing the team name and displayname. This scenario is challenging. Over the API I would get an error doing:
team = lp.people[
team.name
but not an error when I do
project.
a_team = project.team
a_team.name
Maybe the rule can be simplified? When a team is placed in a public role, a flag on the team is set to indicate that anyone may know the team name and displayname in any context. When the team removes itself from public roles the flag is unset.
Related branches
- Curtis Hovey (community): Approve (code)
- Stuart Bishop: Pending (db) requested
-
Diff: 1050 lines (+519/-236)13 files modifiedlib/canonical/launchpad/security.py (+87/-2)
lib/lp/blueprints/browser/specificationsubscription.py (+2/-0)
lib/lp/bugs/browser/bug.py (+3/-1)
lib/lp/bugs/browser/bugsubscription.py (+3/-1)
lib/lp/bugs/browser/bugtask.py (+2/-0)
lib/lp/bugs/model/bugtask.py (+28/-17)
lib/lp/bugs/model/tests/test_bugtask.py (+20/-1)
lib/lp/code/browser/branch.py (+2/-0)
lib/lp/code/browser/branchsubscription.py (+2/-0)
lib/lp/registry/doc/private-team-visibility.txt (+0/-211)
lib/lp/registry/interfaces/person.py (+3/-3)
lib/lp/registry/tests/test_private_team_visibility.py (+360/-0)
lib/lp/services/features/flags.py (+7/-0)
Changed in launchpad: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: disclosure privacy teams |
Changed in launchpad: | |
assignee: | nobody → Ian Booth (wallyworld) |
status: | Triaged → In Progress |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
Robert does not like the use of a flag or enum to identify when a team name may be known because it ignores context. When a team is placed in a position where another party must know the team name, context is established and only the other party should know of the team.
We want a solution that also address the case of traversing a private project. When a private project give me access to a bug targets to a series, I may know the project and series name/displayname because I must traverse them to get to the bug. The bug may show the names. I may also learn the milestone names shown on the bug, as well as the private team assigned to the bug.
An adapter might solve the issue. adapting an object to IRestrictedObserver could do the proper security check and return either the object or a light representation that only provides access to type, name, and displayname. Consider that most code faults when dealing with private teams were working with displaynames and names. In many cases, they will not raise an unauthorised error if the result set returned the correct items. The tales adapter for team could assume the user has access and catch the UnauthorizedError and return <Hidden name>.
Robert also suggest that instead of solving a hypothetical case, a good solution will solve the case where a user is granted access to a private team's archive. The user may know the name and displayname of the team, can may see the PPA page and subordinate pages. The user may not see the other PPAs, or other team pages.