Person.inTeam treats team owners as members but other code does not
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Robert Collins |
Bug Description
As described in bug 196981, there is a discrepancy between participation checking done using IPerson.inTeam() and participation checking done by joining the TeamParticipation table.
One consequence of this is that, where the owner isn't a member of the team, a team owner wouldn't see a team-owned private branch in a listing (filtered using TeamParticipation) but would still be able to see the branch by navigating to it (checked using inTeam()).
(This is not really a security issue, because the owner could always gain access by adding himself to the team, which he's entitled to do.)
Instead of forcing owners to have a membership record, it's cleaner to simply remove the special case in inTeam() and modify the security adapters that need to grant access to the team owner as well, explicitly.
solutions
=========
* Make owner really distinct from membership and remove the special casing. This will permit delegation (e.g. a CEO can delegate a security team) without any blurring of the lines or confusing behaviour.
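The discrepancy above, as a constructed Python model added here rather than Launchpad's own code: the `Person`/`Team`/`Branch` classes, the `participants` set standing in for the TeamParticipation table, and every function name are assumptions made for illustration. The "before" functions reproduce the owner special case inside the membership check, so a listing (a participation join) and direct navigation (a security adapter) disagree for the owner; the "after" functions follow the proposal in the description: `inTeam()` reflects participation only, and the owner grant lives explicitly in the adapter, which the listing then reuses.

```python
# Constructed model of the bug's inconsistency; not Launchpad code.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Person:
    name: str


@dataclass
class Team:
    name: str
    owner: Person
    # Hypothetical stand-in for the TeamParticipation table: people holding a
    # membership record.  The owner is NOT added automatically.
    participants: set = field(default_factory=set)


@dataclass
class Branch:
    name: str
    owner_team: Team
    private: bool = True


# --- Before: inTeam() special-cases the owner --------------------------------
def in_team_before(person, team):
    return person == team.owner or person in team.participants


# --- After: inTeam() reflects participation records only ---------------------
def in_team_after(person, team):
    return person in team.participants


def participation_join(person, team):
    # Models the listing query: a join against the participation table.
    # This code path never knew about the owner special case.
    return person in team.participants


def listing_rule_before(person, branch):
    return not branch.private or participation_join(person, branch.owner_team)


def can_view_before(person, branch):
    # Security adapter for direct navigation, before the fix.
    return not branch.private or in_team_before(person, branch.owner_team)


def can_view_after(person, branch):
    # Security adapter after the fix: owner access is an explicit grant here,
    # not a side effect hidden inside inTeam().
    if not branch.private:
        return True
    team = branch.owner_team
    return in_team_after(person, team) or person == team.owner


def list_branches(person, branches, rule):
    # A listing filtered by whichever visibility rule the caller supplies.
    return [b for b in branches if rule(person, b)]


def visibility_report(person, branches, listing_rule, adapter):
    """Return {branch name: (seen in listing, reachable by URL)} so that a
    mismatch between the two code paths is easy to spot."""
    listed = list_branches(person, branches, listing_rule)
    return {b.name: (b in listed, adapter(person, b)) for b in branches}


def demo():
    """Constructed data: a team owned by 'ceo' whose only member is 'alice'."""
    ceo, alice, outsider = Person("ceo"), Person("alice"), Person("outsider")
    security = Team("security", owner=ceo, participants={alice})
    branch = Branch("secret-audit", owner_team=security)
    people = (ceo, alice, outsider)
    before = {p.name: visibility_report(p, [branch], listing_rule_before, can_view_before)
              for p in people}
    # After the fix the listing and the adapter share one explicit predicate.
    after = {p.name: visibility_report(p, [branch], can_view_after, can_view_after)
             for p in people}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)  # ceo: (False, True) -> listing and URL disagree
    print("after: ", after)   # ceo: (True, True)  -> both paths agree
```

The report makes the mismatch concrete: before the change the owner is invisible in the listing yet can open the branch by URL, because only one of the two checks knows about owners. Once the special case is removed, `in_team_after` and the participation join can no longer drift apart, and any code path that still wants owner access has to say so in one place, which is the property a reviewer of a security adapter wants to be able to read off directly.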
Related branches
- William Grant: Approve (code)
- Diff: 99 lines (+25/-18), 4 files modified:
  lib/lp/registry/doc/teammembership-email-notification.txt (+5/-2)
  lib/lp/registry/doc/teammembership.txt (+18/-3)
  lib/lp/registry/interfaces/person.py (+1/-1)
  lib/lp/registry/model/person.py (+1/-12)
affects: launchpad-foundations → launchpad-registry
visibility: private → public
tags: added: disclosure
summary: - Do not special case the owner in IPerson.inTeam() / + Person.inTeam treats team owners as members but other code does not
description: updated
Changed in launchpad:
importance: Low → High
Changed in launchpad:
status: Fix Committed → Fix Released
tags: added: hardening
Setting to low, since this is really a corner case, and results in a little confusion in the worst case.