Person.getAffiliatedPillars doesn't filter out inaccessible private projects

Bug #1095982 reported by William Grant on 2013-01-04
Affects: Launchpad itself
Importance: Critical
Assigned to: Steve Kowalik

Bug Description

Person.getAffiliatedPillars doesn't perform privilege checks on private projects, so it can cause pages like Person:+index to 403 when an inaccessible private project would be shown.

William Grant (wgrant) wrote :

It does actually try to filter, but somewhat fails. It returns a product if the user has an AAG, but due to the bad definition of product privacy an APG is required to actually hold launchpad.View.
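The mismatch described in this comment, as an added example that is not Launchpad's code: a simplified model in which the listing filter accepts a weaker grant than the view check requires, so the page fails on the row the filter let through. All class and function names are hypothetical, and the two grant sets are an assumed reading of "AAG" and "APG" as artifact-level and policy-level grants.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Stands in for the 403 the page render produces."""

@dataclass(frozen=True)
class Project:
    name: str
    private: bool = False

@dataclass
class User:
    name: str
    artifact_grants: set = field(default_factory=set)  # assumed reading of "AAG"
    policy_grants: set = field(default_factory=set)    # assumed reading of "APG"

def can_view(user, project):
    """The authoritative check (the launchpad.View role in this model)."""
    return not project.private or project.name in user.policy_grants

def affiliated_buggy(viewer, projects):
    """Listing filter that is weaker than can_view: any grant is accepted."""
    return [p for p in projects
            if not p.private
            or p.name in viewer.artifact_grants
            or p.name in viewer.policy_grants]

def affiliated_fixed(viewer, projects):
    """Listing filter that reuses the authoritative check."""
    return [p for p in projects if can_view(viewer, p)]

def render_index(viewer, listing):
    """Rendering touches each project, so one unviewable row fails the page."""
    for p in listing:
        if not can_view(viewer, p):
            raise Forbidden(p.name)
    return [p.name for p in listing]

# Constructed sample data.
PROJECTS = [Project("public-app"), Project("secret-app", private=True)]
VIEWER = User("viewer", artifact_grants={"secret-app"})

def demo():
    try:
        buggy = render_index(VIEWER, affiliated_buggy(VIEWER, PROJECTS))
    except Forbidden as exc:
        buggy = f"403 on {exc}"
    return buggy, render_index(VIEWER, affiliated_fixed(VIEWER, PROJECTS))
```
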

Curtis Hovey (sinzui) on 2013-01-08
Changed in launchpad:
assignee: nobody → Steve Kowalik (stevenk)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Steve Kowalik (stevenk) on 2013-01-10
tags: added: qa-ok
removed: qa-needstesting
Steve Kowalik (stevenk) on 2013-01-11
Changed in launchpad:
status: Fix Committed → Fix Released
This report contains Public information
Everyone can see this information.