need to implement embargo protection in authorization policy

Bug #2789 reported by Steve Alexander
Affects: Launchpad itself
Importance: Medium
Assigned to: Unassigned

Bug Description

Currently, embargo protection is done only in the database classes' factory classmethods. It also needs to be added to the authorization policy components (security.py) to ensure that even if some code gets hold of an embargoed object, it cannot see its attributes unless the user is allowed to do so.
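
An added illustration of the gap described above, not Launchpad code: a factory-level filter hides an embargoed object from listings, but only a per-attribute policy check stops code that already holds a reference to it. `Release`, `EmbargoProxy`, `embargo_allows` and the user names are hypothetical, constructed for this example.

```python
class Unauthorized(Exception):
    """Raised when the policy denies an attribute read."""

def embargo_allows(obj, user):
    # Assumed rule: an embargoed object is visible only to its listed users.
    return not obj.embargoed or user in obj.allowed_users

class Release:
    """Constructed stand-in for a database class that carries an embargo flag."""
    _rows = []  # constructed in-memory "table"

    def __init__(self, name, embargoed, allowed_users=()):
        self.name, self.embargoed = name, embargoed
        self.allowed_users = frozenset(allowed_users)
        Release._rows.append(self)

    @classmethod
    def visible_to(cls, user):
        # Factory-level check: the only place the report says embargo is enforced.
        return [r for r in cls._rows if embargo_allows(r, user)]

class EmbargoProxy:
    """Policy-level check: every attribute read is authorized against the object."""
    __slots__ = ("_obj", "_user")

    def __init__(self, obj, user):
        self._obj = obj
        self._user = user

    def __getattr__(self, attr):  # called only for names that are not slots
        if not embargo_allows(self._obj, self._user):
            raise Unauthorized(f"{attr!r} is embargoed for {self._user!r}")
        return getattr(self._obj, attr)

def demo():
    Release._rows.clear()
    Release("public-upload", embargoed=False)
    secret = Release("security-fix", embargoed=True, allowed_users={"alice"})
    listed = [r.name for r in Release.visible_to("bob")]  # factory filters for bob
    leaked = secret.name  # a reference obtained another way is read unchecked
    try:
        EmbargoProxy(secret, "bob").name
        denied = False
    except Unauthorized:
        denied = True  # the policy layer stops the same read
    return listed, leaked, denied, EmbargoProxy(secret, "alice").name

if __name__ == "__main__":
    print(demo())
```

This pure-Python wrapper can still be unwrapped through its slots, so it shows where the check belongs rather than how to make a proxy tamper-proof.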

Dafydd Harries (daf)
Changed in launchpad:
status: Unconfirmed → Confirmed
tags: added: cct
removed: infrastructure
Robert Collins (lifeless) wrote:

Done as part of the API migration. Possibly incomplete but not worth the massive audit needed to be 100% sure. Each class we add to the API gets a mini-audit done though.

Changed in launchpad:
status: Triaged → Fix Released