Attachments in private Bugs can be accessed when the link to the attachment is known

Bug #41835 reported by Martin Bergner
Affects: Launchpad itself
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

An example is bug 39298, it has been opened in public, an attachment has been added, and after that, the visibility has been changed because the attachment is private. I don't have access to the bug because I'm not in the subscriber list. However, gnome-desktop-bugs was subscribed (by default), and I therefore know the link to the attachment. Since I don't have access to the bug, I should not have access to the attachment, but in fact, if I know the link, I can still download the attachment.
The link is:
http://librarian.launchpad.net/2073414/straubeICM.pdf

If a check can be done to check if I can access the bug, the same check should be applied to the attachment. I suspect they work independently, but I still think it's bad the way it is.

Björn Tillenius (bjornt) wrote :

Yes, the attachments are stored in an external system, which makes it harder to restrict access to the bug's subscribers.

This is a valid problem, though, and it should be fixed.

Changed in launchpad:
status: Unconfirmed → Confirmed
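The flaw the report describes is an access check that lives on the bug but not on the object the bug owns: the librarian serves a file by its numeric id alone, so anyone who learns the link reads the attachment whatever the bug's current visibility. The following is an added example, not Launchpad's code and not its eventual fix. It models the reported sequence (bug filed public, attachment added, bug later made private) with constructed data, shows the unchecked fetch beside a fetch that re-evaluates the bug's visibility at request time, and then shows one common answer to the "external system" problem raised in the comment above: the application performs the bug check and mints a short-lived HMAC-signed URL that the file store can verify without knowing anything about bugs. All names (`Bug`, `Attachment`, `Librarian`-style `store_serve`, `mint_download_url`, the shared secret, the `librarian.example` host) are assumptions for illustration; the bug and library ids are the ones quoted in the report.

```python
"""Added example (not Launchpad code): a bug's visibility check must also gate
its attachments, and one way to enforce that when the file store is a separate
service. All identifiers here are hypothetical; sample data is constructed."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Bug:
    id: int
    private: bool
    subscribers: set = field(default_factory=set)  # usernames allowed on a private bug


@dataclass
class Attachment:
    library_id: int  # id used by the separate file store (the "librarian")
    bug_id: int
    content: bytes


class Forbidden(Exception):
    pass


# Constructed data mirroring the report: bug 39298 was public when the file
# was attached; it is flipped to private later (see the demo / test).
BUGS = {39298: Bug(39298, private=False, subscribers={"gnome-desktop-bugs"})}
ATTACHMENTS = {2073414: Attachment(2073414, 39298, b"%PDF-1.4 constructed sample\n")}


def can_view_bug(user, bug):
    """Visibility rule: public bugs are readable by anyone, private ones only by subscribers."""
    return (not bug.private) or (user in bug.subscribers)


def fetch_unchecked(library_id):
    """The reported behaviour: the store serves by id alone, so the link is the credential."""
    return ATTACHMENTS[library_id].content


def authorize(user, library_id):
    """Look up the owning bug and apply its check *now*, not at upload time:
    the report's whole point is that visibility changed after the attachment was added."""
    att = ATTACHMENTS[library_id]
    if not can_view_bug(user, BUGS[att.bug_id]):
        raise Forbidden(f"user {user!r} may not view bug {att.bug_id}")
    return att


def fetch_checked(user, library_id):
    """Attachment download that inherits the bug's access check."""
    return authorize(user, library_id).content


# --- External store that cannot query the bug database: signed, expiring URLs ---
SHARED_SECRET = b"constructed-demo-secret-rotate-in-production"  # assumption: shared by app and store


def _sig(library_id, expires):
    msg = f"{library_id}:{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def mint_download_url(user, library_id, ttl=300, now=None):
    """App side: run the bug check first; only then mint a link the store will honour."""
    now = int(time.time()) if now is None else now
    authorize(user, library_id)  # raises Forbidden, so no URL is ever issued
    expires = now + ttl
    return f"https://librarian.example/{library_id}?expires={expires}&sig={_sig(library_id, expires)}"


def store_serve(url, now=None):
    """Store side: verify expiry and signature with the shared secret; no bug lookup needed."""
    now = int(time.time()) if now is None else now
    path, _, query = url.partition("?")
    library_id = int(path.rsplit("/", 1)[1])
    params = dict(p.split("=", 1) for p in query.split("&"))
    expires = int(params["expires"])
    if now > expires:
        raise Forbidden("link expired")
    if not hmac.compare_digest(params["sig"], _sig(library_id, expires)):
        raise Forbidden("bad signature")
    return ATTACHMENTS[library_id].content


def denied(fn, *args, **kwargs):
    """True if the call is refused with Forbidden (helper for the demo and checks)."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    BUGS[39298].private = True  # the visibility change described in the report
    print("unchecked store still serves:", fetch_unchecked(2073414)[:8])
    print("non-subscriber denied by checked fetch:", denied(fetch_checked, "martin", 2073414))
    url = mint_download_url("gnome-desktop-bugs", 2073414, ttl=300, now=1000)
    print("signed link works before expiry:", store_serve(url, now=1200)[:8])
    print("signed link refused after expiry:", denied(store_serve, url, now=1400))
```

Two design points worth noting. The authorization is evaluated per request against the bug's current state, so a later `private` flip takes effect immediately for attachments as well; caching the decision at upload time would reproduce the reported hole. With the signed-URL variant, the store trusts the application's check rather than the link's obscurity: a leaked link stops working after `ttl` seconds, and editing the id or expiry breaks the signature. The id remains sequential, which is fine because it no longer serves as a secret.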
William Grant (wgrant)
visibility: private → public
This report contains Public Security information: everyone can see this security-related information.
