Deactivating a product doesn't hide its productseries' bugs

Bug #1321055 reported by Scott Ritchie
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Triaged
High
Unassigned

Bug Description

I used to work for iSwifter, and while I was there we created a private Launchpad project to host some private PPAs for us. At the time we were also considering moving away from Jira, so I filed https://bugs.launchpad.net/iswifter/iswifter-server/+bug/1025939 as a sort of placeholder bug to see if we might use Launchpad for bugs.

I no longer work there, and am no longer a member of the private team, however when I do a search of my own reported bugs I can see the above bug in the result list, including its current status and heat level. This is an information leak of some kind, as I might be able to infer things from it (in this case it's rather innocuous, but I could in principle track where and what bugs I filed people were now working on / discussing).

Related branches

Revision history for this message
William Grant (wgrant) wrote :

You still have permission to see that bug, but you can't navigate to it because it's on a deactivated project. We normally exclude bugs on inactive projects from searches, but apparently we don't also apply that same check to bugs on series on inactive projects.

information type: Private Security → Public
Revision history for this message
William Grant (wgrant) wrote :

BugTaskFlat.active exists, and it's set by bugtask_flatten, but it doesn't currently follow Product.active changes so we don't yet use it in bugtasksearch:

        extra_clauses.append(
            Or(BugTaskFlat.product == None, Product.active == True))
        join_tables.append(
            (Product, LeftJoin(Product, And(
                            BugTaskFlat.product_id == Product.id,
                            Product.active))))

We should make setting Product.active trigger an update on all affected BugTaskFlat rows, or we should just fix the bugtasksearch check to consider ProductSeries too.

summary: - Search results show bugs I reported but should no longer be able to see
- due to leaving private team
+ Deactivating a product doesn't hide its productseries' bugs
William Grant (wgrant)
Changed in launchpad:
importance: Undecided → High
status: New → Triaged
tags: added: bugs search series trivial
Changed in launchpad:
assignee: nobody → Ines Almeida (ines-almeida)
Changed in launchpad:
status: Triaged → In Progress
Changed in launchpad:
status: In Progress → Fix Committed
Changed in launchpad:
status: Fix Committed → Triaged
status: Triaged → In Progress
Revision history for this message
Ines Almeida (ines-almeida) wrote :

Previous fix was reverted due to a found issue.

Changed in launchpad:
status: In Progress → Triaged
assignee: Ines Almeida (ines-almeida) → nobody
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.