Person.inTeam treats team owners as members but other code does not
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Robert Collins | ||
Bug Description
Like described in bug 196981, there is a discrepancy between participation checking done using IPerson.inTeam() and by joining the TeamParticipation table.
One consequence of this is that in the case where the owner isn't a member of the team, a team owner wouldn't see a team-owned private branch in a listing (filtered using TeamParticipation) but would still be able to see the branch by navigating to it (checked using inTeam()).
(This is not really a security issue, because the owner could always have access by adding himself to the team which he's entitled to do.)
Instead of forcing owners to have a membership record, it's cleaner to simply remove the special case in inTeam() and modify security adapters that need to also grant access to the team owner explicitely.
solutions
=========
* Make owner really distinct from membership and remove the special casing. This will permit delegation (e.g. a CEO can delegate a security team) without any blurring of the lines or confusing behaviour.
Related branches
- William Grant: Approve (code)
-
Diff: 99 lines (+25/-18)4 files modifiedlib/lp/registry/doc/teammembership-email-notification.txt (+5/-2)
lib/lp/registry/doc/teammembership.txt (+18/-3)
lib/lp/registry/interfaces/person.py (+1/-1)
lib/lp/registry/model/person.py (+1/-12)
| Francis J. Lacoste (flacoste) wrote | #1 |
| Changed in launchpad: | |
| importance: | Undecided → Low |
| status: | New → Triaged |
| Guilherme Salgado (salgado) wrote | #2 |
| Guilherme Salgado (salgado) wrote | #3 |
| affects: | launchpad-foundations → launchpad-registry |
| visibility: | private → public |
| tags: | added: disclosure |
| summary: |
- Do not special case the owner in IPerson.inTeam() + Person.inTeam treats team owners as members but other code does not |
| description: | updated |
| Changed in launchpad: | |
| importance: | Low → High |
| Robert Collins (lifeless) wrote | #4 |
| Launchpad QA Bot (lpqabot) wrote | #5 |
| Changed in launchpad: | |
| assignee: | nobody → Robert Collins (lifeless) |
| tags: | added: qa-needstesting |
| Changed in launchpad: | |
| status: | Triaged → Fix Committed |
| Robert Collins (lifeless) wrote | #6 |
| tags: |
added: qa-ok removed: qa-needstesting |
| Changed in launchpad: | |
| status: | Fix Committed → Fix Released |
| tags: | added: hardening |
Setting to low, since this is really a corner case, and results in a little confusion in the worst case.