project-registry.txt test using wrong permissions
Bug #569189 reported by
Brad Crittenden
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Invalid
|
High
|
Unassigned | ||
Bug Description
Even when using an authenticated user who should have permission, attributes that are protected cannot be seen. Write access is denied for all attributes.
The following should work but instead gives the 'redacted' message:
>>> lp_mark = launchpadlib_for(
... 'launchpadlib test', 'mark', 'READ_PRIVATE')
>>> print lp_mark.me.name
mark
>>> firefox = lp_mark.
>>> print firefox.
False
The test lp/registry/
| Changed in launchpad-foundations: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| milestone: | none → 10.05 |
Revision history for this message
| Leonard Richardson (leonardr) wrote | #1 |
Revision history for this message
| Leonard Richardson (leonardr) wrote | #2 |
Revision history for this message
| Gary Poster (gary) wrote | #3 |
| Changed in launchpad-foundations: | |
| status: | Triaged → Invalid |
Revision history for this message
| Tim Penhey (thumper) wrote | #4 |
| affects: | launchpad-code → launchpad-registry |
| summary: |
- Authenticated users in launchpadlib tests have no permissions + project-registry.txt test using wrong permissions |
| Changed in launchpad-registry: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| milestone: | none → 10.05 |
| Changed in launchpad-registry: | |
| milestone: | 10.05 → series-future |
| Changed in launchpad-registry: | |
| importance: | High → Low |
| milestone: | series-future → none |
| tags: | added: tech-debt |
To post a comment you must log in.
The permission necessary for viewing the 'license_reviewed' field is ProjectReview. This permission is not available to an OAuth token with READ_PRIVATE access, because having it also gives you the ability to review projects.
So, the problem is with the Launchpad permissions, not with launchpadlib or the test setup. license_reviewed should have separate read and write permissions--maybe View for read and ProjectReview for write? Or do we really want to hide the review status from people who don't have review permission? In which case the current behavior is correct--the lack of write access will also prohibit certain reads.
There are probably a lot of these problems, but we haven't been doing a whole lot of work with launchpadlib clients that have limited access, so we just started noticing them.