Person:+participation is Forbidden if the person participates in a visible team via an invisible one

Bug #1409680 reported by Colin Watson on 2015-01-12
This bug affects 1 person
Affects: Launchpad itself
Importance: Critical
Assigned to: Colin Watson

Bug Description

When I visit https://launchpad.net/~bzoltan/+participation, I get a Forbidden error. The traceback ends with:

    Module zope.traversing.adapters, line 42, in traverse
    attr = getattr(subject, name, _marker)
    __traceback_info__: (<zope.browserpage.metaconfigure.SimpleViewClass from /srv/launchpad.net/production/launchpad-rev-17298/lib/lp/registry/browser/../templates/person-participation.pt object at 0x2b1a63d06fd0>, 'has_participations', [])
    Module lp.services.propertycache, line 116, in __get__
    value = self.populate(instance)
    Module lp.registry.browser.person, line 2036, in has_participations
    return len(self.active_participations) > 0
    Module lp.services.propertycache, line 116, in __get__
    value = self.populate(instance)
    Module lp.registry.browser.person, line 2031, in active_participations
    team=indirect_team))
    Module lp.registry.browser.person, line 1974, in _asParticipation
    [via_team.displayname for via_team in via[1:-1]])

Unauthorized: (<Person at (redacted)>, 'displayname', 'launchpad.LimitedView')

(I've redacted the team name to avoid mentioning a private team in a public bug.)

I would argue that inaccessible private teams should either be omitted entirely from Person:+participation (my preference, I think) or explicitly shown as redacted, but in either case shouldn't make it impossible to see the other teams of which that person is a member.


William Grant (wgrant) wrote :

It's not that simple. It occurs when a user is a participant of a team you can see via a team that you can't.

Changed in launchpad:
importance: Undecided → Critical
status: New → Triaged
tags: added: 403 privacy

William Grant (wgrant) on 2015-02-15
summary: - Person:+participation is Forbidden if the person is a member of any
- inaccessible private team
+ Person:+participation is Forbidden if the person is a participates in a
+ visible team via an invisible one
summary: - Person:+participation is Forbidden if the person is a participates in a
+ Person:+participation is Forbidden if the person participates in a
visible team via an invisible one

Colin Watson (cjwatson) on 2015-05-06
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed

Colin Watson (cjwatson) on 2015-05-06
tags: added: qa-ok
removed: qa-needstesting

Colin Watson (cjwatson) on 2015-05-11
Changed in launchpad:
status: Fix Committed → Fix Released
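
An added illustration of the failure shown in the traceback and of the two behaviours proposed in the bug description (omit or redact the inaccessible team); it is not Launchpad's code and not the fix that was committed. `Team`, `can_view`, `guarded_displayname` and the sample path are hypothetical stand-ins for Launchpad's objects and its launchpad.LimitedView check.

```python
from dataclasses import dataclass

class Unauthorized(Exception):
    """Stand-in for the Unauthorized error in the traceback."""

@dataclass(frozen=True)
class Team:
    displayname: str
    private: bool = False
    viewers: frozenset = frozenset()  # users holding launchpad.LimitedView

def can_view(viewer, team):
    return not team.private or viewer in team.viewers

def guarded_displayname(viewer, team):
    # Models the permission check that guards attribute access.
    if not can_view(viewer, team):
        raise Unauthorized(("<Person at (redacted)>", "displayname", "launchpad.LimitedView"))
    return team.displayname

def naive_via(viewer, via):
    # Same shape as the failing line: every intermediate hop is dereferenced.
    return [guarded_displayname(viewer, t) for t in via[1:-1]]

def safe_via(viewer, via, redact=True):
    # Check each hop first; redact or drop the ones the viewer cannot see.
    # A placeholder still reveals that a private team sits on the path.
    names = []
    for team in via[1:-1]:
        if can_view(viewer, team):
            names.append(guarded_displayname(viewer, team))
        elif redact:
            names.append("(private team)")
    return names

# Constructed sample data: a visible team reached through a private one.
HIDDEN = Team("Hidden Team", private=True, viewers=frozenset({"insider"}))
PUBLIC_MID = Team("Public Mid")
TARGET = Team("Visible Target")
PATH = ["some-person", HIDDEN, PUBLIC_MID, TARGET]

def render(viewer, via_fn):
    """Return the 'via' column text, or '403' if the whole render fails."""
    try:
        return ", ".join(via_fn(viewer, PATH))
    except Unauthorized:
        return "403"

if __name__ == "__main__":
    for fn in (naive_via, safe_via):
        print(fn.__name__, [render(v, fn) for v in ("outsider", "insider")])
```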