Avoid removeSecurityProxy calls in browser/logintoken.py
Bug #62674 reported by
Guilherme Salgado
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
Low
|
Unassigned | ||
Bug Description
In that file we have to remove the security proxy of a person object in three different places, because we have a scenario where the user is not logged in but we need to set some attributes that require the launchpad.Edit permission. Since at these points we know the user interacting with the system has access to the email address registered for the account in context, we could avoid removing the security proxy by logging in the user and then setting the attributes.
Revision history for this message
| Guilherme Salgado (salgado) wrote | #1 |
| Changed in launchpad: | |
| importance: | Undecided → Low |
| status: | Unconfirmed → Confirmed |
| tags: | added: tech-debt |
| security vulnerability: | yes → no |
| visibility: | private → public |
To post a comment you must log in.
I've tried this by calling the BaseLoginTokenV
As Bjorn pointed out, this might be because that method doesn't replace the current anonymous interaction with a new authenticated one.