Person.getAffiliatedPillars doesn't filter out inaccessible private projects

Bug #1095982 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Steve Kowalik

Bug Description

Person.getAffiliatedPillars doesn't perform privilege checks on private projects, so it can cause pages like Person:+index to 403 when an inaccessible private project would be shown.

William Grant (wgrant) wrote :

It does actually try to filter, but somewhat fails. It returns a product if the user has an AAG, but due to the bad definition of product privacy an APG is required to actually hold launchpad.View.
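
The mismatch described in this report, as an added example that is not Launchpad code and not part of the comment above: a listing filter that accepts a weaker grant than the view check turns one inaccessible item into a failure of the whole page. The classes, function names and sample data are hypothetical, and reading "AAG" and "APG" as artifact-level and policy-level grants is an assumption.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Stands in for the 403 raised when the view permission is denied."""

@dataclass(frozen=True)
class Project:
    name: str
    private: bool = False

@dataclass
class User:
    name: str
    policy_grants: set = field(default_factory=set)    # "APG" (assumed meaning)
    artifact_grants: set = field(default_factory=set)  # "AAG" (assumed meaning)

def can_view(user, project):
    """Authoritative check: a private project needs a policy-level grant."""
    return not project.private or project.name in user.policy_grants

def affiliated_pillars_buggy(viewer, pillars):
    """Filter looser than can_view: an artifact grant is enough to be listed."""
    return [p for p in pillars
            if not p.private
            or p.name in viewer.policy_grants
            or p.name in viewer.artifact_grants]

def affiliated_pillars_fixed(viewer, pillars):
    """Filter with the same predicate the page enforces when rendering."""
    return [p for p in pillars if can_view(viewer, p)]

def render_index(viewer, pillars):
    """Rendering touches every listed pillar; one denial fails the page."""
    names = []
    for p in pillars:
        if not can_view(viewer, p):
            raise Forbidden(p.name)
        names.append(p.name)
    return names

# Constructed sample data: the viewer holds only an artifact grant on secret-app.
PILLARS = [Project("public-app"),
           Project("secret-app", private=True),
           Project("shared-app", private=True)]
VIEWER = User("viewer", policy_grants={"shared-app"},
              artifact_grants={"secret-app"})
```

Deriving the listing filter from the enforcement predicate, rather than restating its conditions, keeps the two from drifting apart when the privacy rules change.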

Curtis Hovey (sinzui)
Changed in launchpad:
assignee: nobody → Steve Kowalik (stevenk)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Steve Kowalik (stevenk)
tags: added: qa-ok
removed: qa-needstesting
Steve Kowalik (stevenk)
Changed in launchpad:
status: Fix Committed → Fix Released
This report contains Public information  
Everyone can see this information.