BugLinkTargetMixin.linkBug() and unlinkBug() should take a user parameter rather than using LaunchBag

Bug #175545 reported by Graham Binns
Affects: Launchpad itself
Status: Fix Released
Importance: Low
Assigned to: William Grant

Bug Description

At present, BugLinkTargetMixin.linkBug() and unlinkBug() don't take a user parameter, instead relying on the currently logged-in user when linking to bugs. This means that in tests we have to login() even when we shouldn't have to so as to avoid errors (since linking an object to a bug grants karma and you need a user to whom karma can be granted).

linkBug() and unlinkBug() should accept a user parameter and use this instead of the currently logged-in user. Also, they both call check_permission, which they shouldn't have to since the user should have been authorised before the call to [un]linkBug() is made.


Graham Binns (gmb)
Changed in malone:
status: New → Confirmed
Francis J. Lacoste (flacoste) wrote :

Right, linkBug() and unlinkBug() should accept a user parameter. The current behaviour is actually a violation of our coding policy where database code isn't supposed to use request-level context information. To that end, check_permission() is also verboten.

Unfortunately, that's not as easy to fix as you think, because linkBug() and unlinkBug() have to be protected at two places:

1) permission to access linkBug() and unlinkBug() on the target itself
2) the permission on the target object also needs to be checked.

Otherwise, a user who has access to a question can link to a private bug. Only the first permission can be assumed currently. The way to fix is described in bug #117980.
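
A minimal sketch of the two checks described in the comment above, with the acting user passed explicitly instead of read from request context. It is an added example, not Launchpad code: the classes, the `link_bug` signature and the privacy rule are hypothetical simplifications.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    """The acting user lacks a required permission."""

@dataclass(frozen=True)
class User:
    name: str

@dataclass
class Bug:
    id: int
    private: bool = False
    subscribers: frozenset = frozenset()

    def visible_to(self, user):
        return not self.private or user in self.subscribers  # simplified rule

@dataclass
class Question:
    editors: set = field(default_factory=set)
    bugs: list = field(default_factory=list)
    karma: list = field(default_factory=list)

    def link_bug(self, bug, user):
        # Check 1: the acting user may change links on this target.
        if user not in self.editors:
            raise Unauthorized(f"{user.name} may not edit this question")
        # Check 2: the acting user may see the bug being linked; without it,
        # access to the question alone would be enough to attach a private bug.
        if not bug.visible_to(user):
            raise Unauthorized(f"{user.name} may not view bug {bug.id}")
        if bug in self.bugs:
            return False
        self.bugs.append(bug)
        # Karma goes to the explicit user, so no login() is needed in tests.
        self.karma.append((user.name, "bug linked"))
        return True

def demo():
    alice, bob = User("alice"), User("bob")  # constructed sample users
    private_bug = Bug(2, private=True, subscribers=frozenset({alice}))
    question = Question(editors={alice, bob})
    try:
        question.link_bug(private_bug, bob)
        bob_result = "linked"
    except Unauthorized as exc:
        bob_result = str(exc)
    return bob_result, question.link_bug(private_bug, alice), question.karma
```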

Curtis Hovey (sinzui)
tags: added: tech-debt
Curtis Hovey (sinzui)
Changed in malone:
importance: Undecided → Low
Curtis Hovey (sinzui)
visibility: private → public
Curtis Hovey (sinzui)
Changed in launchpad:
status: Confirmed → Triaged
summary: BugLinkTargetMixin.linkBug() and unlinkBug() should take a user
- parameter
+ parameter rather than using LaunchBag
Benji York (benji)
Changed in launchpad:
assignee: nobody → Benji York (benji)
status: Triaged → In Progress
Benji York (benji)
Changed in launchpad:
assignee: Benji York (benji) → nobody
status: In Progress → Triaged
William Grant (wgrant)
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r17774 (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/17774) by a commit, but not testable.

tags: added: qa-untestable
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
This report contains Public information  
Everyone can see this information.
