Person:+participation is Forbidden if the person participates in a visible team via an invisible one
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Colin Watson |
Bug Description
When I visit https:/
Module zope.traversing
attr = getattr(subject, name, _marker)
__traceback
Module lp.services.
value = self.populate(
Module lp.registry.
return len(self.
Module lp.services.
value = self.populate(
Module lp.registry.
team=
Module lp.registry.
[via_
Unauthorized: (<Person at (redacted)>, 'displayname', 'launchpad.
(I've redacted the team name to avoid mentioning a private team in a public bug.)
I would argue that inaccessible private teams should either be omitted entirely from Person:
Related branches
- William Grant (community): Approve (code)
- Diff: 109 lines (+40/-8), 2 files modified
  - lib/lp/registry/browser/person.py (+7/-2)
  - lib/lp/registry/browser/tests/test_person.py (+33/-6)
summary: |
- Person:+participation is Forbidden if the person is a member of any - inaccessible private team + Person:+participation is Forbidden if the person is a participates in a + visible team via an invisible one |
summary: |
- Person:+participation is Forbidden if the person is a participates in a + Person:+participation is Forbidden if the person participates in a visible team via an invisible one |
Changed in launchpad: | |
assignee: | nobody → Colin Watson (cjwatson) |
status: | Triaged → In Progress |
tags: |
added: qa-ok removed: qa-needstesting |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
It's not that simple. It occurs when a user is a participant of a team you can see via a team that you can't.
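
The failure mode in this report, as an added example that is not part of the original bug page and is not Launchpad's code: a toy membership graph where a viewer can see a team but not the private team through which the person participates in it. All names and data (`MEMBER_OF`, `PRIVATE`, `can_view`, `rows_unguarded`, `rows_filtered`) are constructed for illustration, and omitting the invisible team from the via path is an assumed handling, not necessarily the fix that was released.

```python
from collections import deque

class Unauthorized(Exception):
    """Guarded attribute read on an object the viewer may not see."""

# Constructed sample data (hypothetical, not Launchpad's schema).
MEMBER_OF = {                     # member -> teams it directly belongs to
    "alice": ["secret-team"],
    "secret-team": ["public-team"],
    "public-team": [],
}
PRIVATE = {"secret-team": {"alice"}}   # private team -> who may view it

def can_view(viewer, team):
    return team not in PRIVATE or viewer in PRIVATE[team]

def displayname(viewer, team):
    # Fails closed, and keeps the private name out of the error message.
    if not can_view(viewer, team):
        raise Unauthorized("team not visible to viewer")
    return team

def participations(person):
    """Yield (team, via_path) for each team the person participates in."""
    queue, seen = deque((t, []) for t in MEMBER_OF[person]), set()
    while queue:
        team, via = queue.popleft()
        if team in seen:
            continue
        seen.add(team)
        yield team, via
        queue.extend((parent, via + [team]) for parent in MEMBER_OF[team])

def rows_unguarded(viewer, person):
    # Filters the listed teams but still reads every name on the via path,
    # so one invisible intermediary aborts the whole page.
    return [(displayname(viewer, t), [displayname(viewer, v) for v in via])
            for t, via in participations(person) if can_view(viewer, t)]

def rows_filtered(viewer, person):
    # Applies the same visibility check to the via path as to the rows.
    return [(t, [v for v in via if can_view(viewer, v)])
            for t, via in participations(person) if can_view(viewer, t)]
```

A regression test for this class of bug needs a viewer who can see the outer team but not the intermediary; a test that only covers direct membership of a private team passes against both versions.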