Changing a bug's information_type grants access to all direct subscribers
Bug #1014922 reported by
Ian Booth
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
High
|
j.c.sackett |
Bug Description
When a bug is changed from public -> private, users in specified roles need to be automatically subscribed eg security contact is subscribed to embargoed security bug. Furthermore, subscribers to the bug need to be granted access if they cannot see the bug in its new state. However, all direct subscribers on the bug are granted access when the information type changes. What we want instead is for users not in one of the allowed roles, or who do not have access to the bug via an AAG or APG, to be excluded.
Related branches
lp:~jcsackett/launchpad/remove-bad-subscribers
- Curtis Hovey (community): Approve (code)
- Diff: 0 lines
Changed in launchpad: | |
assignee: | nobody → j.c.sackett (jcsackett) |
status: | Triaged → In Progress |
tags: | added: privacy |
tags: | added: information-type |
security vulnerability: | yes → no |
visibility: | private → public |
security vulnerability: | no → yes |
visibility: | public → private |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
visibility: | private → public |
To post a comment you must log in.
Jon, there is a method on the sharing service, getPeopleWithou tAccess( ), which can be used to easily see which of a list of people cannot see the bug. This will be useful in determining which of the direct subscribers cannot see the bug via an APG or AAG.