Comment 0 for bug 227494
Revision history for this message
| Francis J. Lacoste (flacoste) wrote Do not special case the owner in IPerson.inTeam() | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
Like described in bug 196981, there is a discrepancy between participation checking done using IPerson.inTeam() and by joining the TeamParticipation table.
One consequence of this is that in the case where the owner isn't a member of the team, a team owner wouldn't see a team-owned private branch in a listing (filtered using TeamParticipation) but would still be able to see the branch by navigating to it (checked using inTeam()).
(This is not really a security issue, because the owner could always have access by adding himself to the team which he's entitled to do.)
Instead of forcing owners to have a membership record, it's cleaner to simply remove the special case in inTeam() and modify security adapters that need to also grant access to the team owner explicitely.