Person:+participation is Forbidden if the person participates in a visible team via an invisible one

Bug #1409680 reported by Colin Watson
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Colin Watson

Bug Description

When I visit https://launchpad.net/~bzoltan/+participation, I get a Forbidden error. The traceback ends with:

    Module zope.traversing.adapters, line 42, in traverse
      attr = getattr(subject, name, _marker)
      __traceback_info__: (<zope.browserpage.metaconfigure.SimpleViewClass from /srv/launchpad.net/production/launchpad-rev-17298/lib/lp/registry/browser/../templates/person-participation.pt object at 0x2b1a63d06fd0>, 'has_participations', [])
    Module lp.services.propertycache, line 116, in __get__
      value = self.populate(instance)
    Module lp.registry.browser.person, line 2036, in has_participations
      return len(self.active_participations) > 0
    Module lp.services.propertycache, line 116, in __get__
      value = self.populate(instance)
    Module lp.registry.browser.person, line 2031, in active_participations
      team=indirect_team))
    Module lp.registry.browser.person, line 1974, in _asParticipation
      [via_team.displayname for via_team in via[1:-1]])
    Unauthorized: (<Person at (redacted)>, 'displayname', 'launchpad.LimitedView')

(I've redacted the team name to avoid mentioning a private team in a public bug.)

I would argue that inaccessible private teams should either be omitted entirely from Person:+participation (my preference, I think) or explicitly shown as redacted, but in either case shouldn't make it impossible to see the other teams of which that person is a member.

Tags: 403 privacy qa-ok

William Grant (wgrant) wrote :

It's not that simple. It occurs when a user is a participant of a team you can see via a team that you can't.

Changed in launchpad:
importance: Undecided → Critical
status: New → Triaged
tags: added: 403 privacy
William Grant (wgrant)
summary: - Person:+participation is Forbidden if the person is a member of any
- inaccessible private team
+ Person:+participation is Forbidden if the person is a participates in a
+ visible team via an invisible one
summary: - Person:+participation is Forbidden if the person is a participates in a
+ Person:+participation is Forbidden if the person participates in a
visible team via an invisible one
Colin Watson (cjwatson)
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
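
The failure mode in this report, next to the two remedies proposed in the bug description (omit the inaccessible team, or show it as redacted), as an added Python example that is not Launchpad's code. `Team`, `Unauthorized`, `can_view`, `displayname_for`, the visibility rule and the sample path are hypothetical stand-ins; only the `via[1:-1]` slice and the permission name mirror the traceback.

```python
# Added illustration: hypothetical stand-ins, not Launchpad's own code.
from dataclasses import dataclass


class Unauthorized(Exception):
    """Stand-in for the error a security proxy raises on a denied read."""


@dataclass(frozen=True)
class Team:
    name: str
    private: bool = False
    members: frozenset = frozenset()

    def can_view(self, viewer):
        # Constructed rule: a private team is visible only to its members.
        return not self.private or viewer in self.members

    def displayname_for(self, viewer):
        # Mimics a proxied attribute: reading without permission raises.
        if not self.can_view(viewer):
            raise Unauthorized((self.name, "displayname", "launchpad.LimitedView"))
        return self.name


def via_names_naive(via, viewer):
    """Reported behaviour: one hidden intermediary aborts the whole page."""
    return [team.displayname_for(viewer) for team in via[1:-1]]


def via_names_safe(via, viewer, redacted=None):
    """Check visibility first; omit hidden teams, or show `redacted`."""
    names = []
    for team in via[1:-1]:
        if team.can_view(viewer):
            names.append(team.displayname_for(viewer))
        elif redacted is not None:
            names.append(redacted)
    return names


# Constructed path: the visible team "public-c" is reached via "secret-b".
VIA = [
    Team("start"),
    Team("public-a"),
    Team("secret-b", private=True, members=frozenset({"insider"})),
    Team("public-c"),
]

if __name__ == "__main__":
    print(via_names_safe(VIA, "outsider"))
    print(via_names_safe(VIA, "outsider", redacted="(private team)"))
```
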
This report contains Public information  
Everyone can see this information.
