Person.inTeam treats team owners as members but other code does not

Reported by Francis J. Lacoste on 2008-05-06
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Robert Collins

Bug Description

Like described in bug 196981, there is a discrepancy between participation checking done using IPerson.inTeam() and by joining the TeamParticipation table.

One consequence of this is that in the case where the owner isn't a member of the team, a team owner wouldn't see a team-owned private branch in a listing (filtered using TeamParticipation) but would still be able to see the branch by navigating to it (checked using inTeam()).

(This is not really a security issue, because the owner could always have access by adding himself to the team which he's entitled to do.)

Instead of forcing owners to have a membership record, it's cleaner to simply remove the special case in inTeam() and modify security adapters that need to also grant access to the team owner explicitely.

solutions
=========

* Make owner really distinct from membership and remove the special casing. This will permit delegation (e.g. a CEO can delegate a security team) without any blurring of the lines or confusing behaviour.

Related branches

Francis J. Lacoste (flacoste) wrote :

Setting to low, since this is really a corner case, and results in a little confusion in the worst case.

Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
Guilherme Salgado (salgado) wrote :

There is at least one other place in which we consider the owner to be a team admin even when there's no teamparticipation for the owner on that team: IPerson.getAdministratedTeams().

I guess we'll want to fix that and look for other places which need fixing too.

Guilherme Salgado (salgado) wrote :

IPerson.getDirectAdministrators() is another one which will need fixing.

Curtis Hovey (sinzui) on 2009-10-21
affects: launchpad-foundations → launchpad-registry
Curtis Hovey (sinzui) on 2010-03-02
visibility: private → public
Curtis Hovey (sinzui) on 2010-09-28
tags: added: disclosure
summary: - Do not special case the owner in IPerson.inTeam()
+ Person.inTeam treats team owners as members but other code does not
description: updated
Changed in launchpad:
importance: Low → High
Robert Collins (lifeless) wrote :

I'm going to exclude the admin angle for now - owners will want to rename teams and change descriptions. So changing the admin rules would simply lead to having to split out any actions which a member-admin should be able to do that an owner-admin should not be able to do. I can't think of any such actions today, so splitting it out would not be interesting.

Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → Robert Collins (lifeless)
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → Fix Committed
Robert Collins (lifeless) wrote :

Tested by being owner of a team that owns another team. I correctly could not edit the second team unless I was actually listed as a member of the first team.

tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant) on 2011-06-01
Changed in launchpad:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui) on 2012-06-26
tags: added: hardening
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers