Attachments in private Bugs can be accessed when the link to the attachment is known
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Triaged | Medium | Unassigned |
Bug Description
An example is bug 39298: it has been opened in public, an attachment has been added, and after that, the visibility has been changed because the attachment is private. I don't have access to the bug because I'm not in the subscriber list. However, gnome-desktop-bugs was subscribed (by default), and I therefore know the link to the attachment. Since I don't have access to the bug, I should not have access to the attachment, but in fact, if I know the link, I can still download the attachment.
The link is:
http://
If a check can be done to check if I can access the bug, the same check should be applied to the attachment. I suspect they work independently, but I still think it's bad the way it is.
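The fix the report asks for, sketched as an added example (not Launchpad's own code; the bug, user and attachment records, the ids and the `can_view_bug` rule are all constructed assumptions): the attachment download resolves its owning bug and applies exactly the bug's visibility check before returning any bytes.

```python
"""Constructed model of the check the report asks for: an attachment download
is authorized by the same rule as the bug it belongs to.
All names, ids and data here are assumptions, not Launchpad's own code."""
from dataclasses import dataclass, field


@dataclass
class Bug:
    id: int
    private: bool
    subscribers: set = field(default_factory=set)


@dataclass
class Attachment:
    id: int
    bug_id: int
    content: bytes


# Constructed sample data: a bug that was public when the attachment was
# added and then made private, as in the report. Subscribers are assumed.
BUGS = {39298: Bug(id=39298, private=True,
                   subscribers={"reporter", "gnome-desktop-bugs"})}
ATTACHMENTS = {1: Attachment(id=1, bug_id=39298, content=b"private log output")}


def can_view_bug(user, bug):
    """Authorization rule for the bug page: public bugs are visible to all,
    private bugs only to subscribers (a simplified stand-in for the real rule)."""
    return (not bug.private) or (user in bug.subscribers)


def serve_attachment_unchecked(user, attachment_id):
    """Behaviour described in the report: knowing the link is enough."""
    return ATTACHMENTS[attachment_id].content


def serve_attachment(user, attachment_id):
    """Fixed handler: look up the owning bug and reuse the bug's own check.
    Missing and denied both return None, so the response does not reveal
    whether a private attachment id exists."""
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        return None
    bug = BUGS[attachment.bug_id]
    if not can_view_bug(user, bug):
        return None
    return attachment.content
```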
visibility: private → public
Yes, the attachments are stored in an external system, which makes it harder to restrict access to the bug's subscribers.
This is a valid problem, though, and it should be fixed.