Launchpad itself

Person:+participation is Forbidden if the person participates in a visible team via an invisible one

Bug #1409680 reported by Colin Watson on 2015-01-12

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

Launchpad itself

Fix Released

Critical

Colin Watson

You need to log in to change this bug's status.

Affecting:	Launchpad itself
Filed here by:	Colin Watson
When:	2015-01-12
Confirmed:	2015-01-12
Assigned:	2015-05-06
Started work:	2015-05-06
Completed:	2015-05-11

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Critical

Assigned to

	Me
	Colin Watson (cjwatson)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

When I visit https://launchpad.net/~bzoltan/+participation, I get a Forbidden error. The traceback ends with:

     Module zope.traversing.adapters, line 42, in traverse
    attr = getattr(subject, name, _marker)
    __traceback_info__: (<zope.browserpage.metaconfigure.SimpleViewClass from /srv/launchpad.net/production/launchpad-rev-17298/lib/lp/registry/browser/../templates/person-participation.pt object at 0x2b1a63d06fd0>, 'has_participations', [])
    Module lp.services.propertycache, line 116, in __get__
    value = self.populate(instance)
    Module lp.registry.browser.person, line 2036, in has_participations
    return len(self.active_participations) > 0
    Module lp.services.propertycache, line 116, in __get__
    value = self.populate(instance)
    Module lp.registry.browser.person, line 2031, in active_participations
    team=indirect_team))
    Module lp.registry.browser.person, line 1974, in _asParticipation
    [via_team.displayname for via_team in via[1:-1]])

Unauthorized: (<Person at (redacted)>, 'displayname', 'launchpad.LimitedView')<br />

(I've redacted the team name to avoid mentioning a private team in a public bug.)

I would argue that inaccessible private teams should either be omitted entirely from Person:+participation (my preference, I think) or explicitly shown as redacted, but in either case shouldn't make it impossible to see the other teams of which that person is a member.

Tags: Edit Tag help

Related branches

lp:~cjwatson/launchpad/transitive-participation-visibility

Merged into lp:launchpad at revision 17479

William Grant: Approve (code) on 2015-05-05

William Grant (wgrant) wrote on 2015-01-12:

It's not that simple. It occurs when a user is a participant of a team you can see via a team that you can't.

Changed in launchpad:
importance:	Undecided → Critical
status:	New → Triaged
tags:	added: 403 privacy

William Grant (wgrant) on 2015-02-15

summary:	- Person:+participation is Forbidden if the person is a member of any - inaccessible private team + Person:+participation is Forbidden if the person is a participates in a + visible team via an invisible one
summary:	- Person:+participation is Forbidden if the person is a participates in a + Person:+participation is Forbidden if the person participates in a visible team via an invisible one

Colin Watson (cjwatson) on 2015-05-06

Changed in launchpad:
assignee:	nobody → Colin Watson (cjwatson)
status:	Triaged → In Progress

Launchpad QA Bot (lpqabot) wrote on 2015-05-06:

Fixed in stable r17479 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/17479>.

tags:	added: qa-needstesting
Changed in launchpad:
status:	In Progress → Fix Committed

Colin Watson (cjwatson) on 2015-05-06

tags:

added: qa-ok
removed: qa-needstesting

Colin Watson (cjwatson) on 2015-05-11

Changed in launchpad:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers