branch-rewrite.py sometimes tries to access forbidden tables

Bug #1040143 reported by William Grant on 2012-08-22
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Unassigned

Bug Description

branch-rewrite.py's DB user only has SELECT on branch. But sometimes when looking up /+branch URLs it tries to query person, product, productseries, and possibly more.

I haven't managed to reproduce the product/productseries access without an initial person access, despite seeing it on production. To reproduce the person access, ask it to translate a URL like /+branch/~foo/bar/baz.

For now we've cowboyed person/product/productseries permissions on production, but this needs to be fixed or the workaround added to security.cfg before the next fastdowntime.

2012-08-22 15:43:53 ERROR Exception occurred:
Traceback (most recent call last):
  File "./scripts/branch-rewrite.py", line 64, in main
    print rewriter.rewriteLine(line.strip())
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/codehosting/rewrite.py", line 114, in rewriteLine
    resource_location)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/codehosting/rewrite.py", line 61, in _getBranchIdAndTrailingPath
    branch, trailing = lookup.getByHostingPath(location.lstrip('/'))
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 291, in getByHostingPath
    return get_first_path_result(path, self.performLookup, (None, ''))
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/interfaces/branchlookup.py", line 203, in get_first_path_result
    for result in results:
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 277, in performLookup
    return self.getByLPPath(lookup['lp_path'])
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchlookup.py", line 391, in getByLPPath
    branch = namespace_set.traverse(segments)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 586, in traverse
    person = self._findPerson(person_name)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 616, in _findPerson
    NoSuchPerson, person_name, getUtility(IPersonSet).getByName)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/code/model/branchnamespace.py", line 609, in _findOrRaise
    result = finder(*args)
  File "/home/wgrant/launchpad/lp-branches/devel/lib/lp/registry/model/person.py", line 3433, in getByName
    return Person.selectOne(query)
  [SNIP]
ProgrammingError: permission denied for relation person

Related branches

Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → In Progress
William Grant (wgrant) wrote :

I've landed the cowboyed permissions, but this still needs urgent investigation.

Changed in launchpad:
assignee: William Grant (wgrant) → nobody
status: In Progress → Triaged
William Grant (wgrant) on 2012-08-26
tags: added: qa-untestable
removed: qa-needstesting
Curtis Hovey (sinzui) on 2012-11-26
Changed in launchpad:
importance: Critical → High
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers