Answer contacts for packages cannot create/edit FAQs
Bug #682135 reported by Curtis Hovey
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Curtis Hovey | |
Bug Description
Answer contacts for Ubuntu packages cannot create FAQs. There are cases where the link is shown but the user gets an error when creating the FAQ.
Module lp.answers.
faq = self.faq_
Unauthorized: (<Distribution 'Ubuntu' (ubuntu)>, 'newFAQ', 'launchpad.Append')
The fix for this may require changing the security checker or distro or faqtarget mixin to get answer contacts differently. For questions, Lp wants the smallest set, but for faqs, Lp wants the largest set.
This is a regression caused by a refactoring to create simple permission types for registry admins.
Related branches
lp:~sinzui/launchpad/faq-mailing-list-permissions-0
- Graham Binns (community): Approve (code)
Diff: 251 lines (+195/-11), 4 files modified
lib/canonical/launchpad/security.py (+17/-4)
lib/lp/answers/doc/faq.txt (+1/-7)
lib/lp/answers/tests/test_faq.py (+77/-0)
lib/lp/answers/tests/test_faqtarget.py (+100/-0)
Changed in launchpad-answers:
status: New → Triaged
importance: Undecided → High
tags: added: regression
affects: launchpad-answers → launchpad-registry
Changed in launchpad-registry:
milestone: none → 10.12
Changed in launchpad-registry:
assignee: nobody → Curtis Hovey (sinzui)
status: Triaged → In Progress
summary:
- Conflicting launchpad.Append rules for IDistribution and IFaqTarget
+ Answer contacts for packages cannot create/edit FAQs
affects: launchpad-registry → launchpad-answers
Changed in launchpad-answers:
assignee: Curtis Hovey (sinzui) → nobody
milestone: 10.12 → none
description: updated
tags: added: 403 removed: regression
tags: added: answer-contacts
tags: added: faqs
Changed in launchpad-answers:
assignee: nobody → Curtis Hovey (sinzui)
tags: added: qa-ok removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → Fix Released
Changed in launchpad:
milestone: none → 11.01
This has been broken for several years. The problem is in the security checker. The checker is based on the question checker (answer_contacts), but the set of permitted users is larger. Distribution users who can edit an FAQ are comprised of distro answer_contacts + the answer_contacts of all the packages.
That is a lot of inTeam() checks across a lot of packages. There is an alternate way to solve this that will involve exactly two queries regardless of the number of packages and answer_contacts. The checker can get the user's direct and indirect questiontargets that the user is an answer contact for and compare them to the context.
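
    # Fragment of the checker body: allow the user when any question target
    # they answer for adapts to the same FAQ target as the context.
    faq_target = IFAQTarget(context)
    for target in direct_targets + indirect_target:
        if faq_target == IFAQTarget(target):
            return True
    return False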
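
The check proposed in the comment above, set beside the narrower question-style check, as an added toy model that is not Launchpad's code. The classes, `faq_target_of` (standing in for the `IFAQTarget` adaptation), both check functions and the sample data are assumptions constructed here, including the assumption that a package's FAQ target is its distribution.

```python
# Added illustration: a toy model, not Launchpad code. Every class, function
# and value here is a constructed stand-in for the objects named in the bug.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Distribution:
    name: str

@dataclass(frozen=True)
class SourcePackage:
    name: str
    distribution: Distribution

@dataclass
class Person:
    name: str
    teams: list = field(default_factory=list)           # teams this person is in
    answer_targets: list = field(default_factory=list)  # targets they answer for

def faq_target_of(target):
    """Stand-in for IFAQTarget(...): assume a package's FAQs live on its distribution."""
    return target.distribution if isinstance(target, SourcePackage) else target

def narrow_check(user, context):
    """Question-style rule: only answer contacts of the context itself pass."""
    holders = [user] + user.teams
    return any(context in holder.answer_targets for holder in holders)

def broad_check(user, context):
    """Rule from the comment: compare the user's direct and indirect targets to the context."""
    direct_targets = list(user.answer_targets)  # the first of the two lookups
    indirect_targets = [t for team in user.teams for t in team.answer_targets]  # the second
    faq_target = faq_target_of(context)
    return any(faq_target == faq_target_of(t) for t in direct_targets + indirect_targets)

# Constructed sample data.
ubuntu = Distribution("ubuntu")
debian = Distribution("debian")
firefox = SourcePackage("firefox", ubuntu)
desktop_team = Person("desktop-team", answer_targets=[firefox])
alice = Person("alice", teams=[desktop_team])  # package answer contact via a team
bob = Person("bob", answer_targets=[SourcePackage("vim", debian)])
```

With this data the narrow rule rejects `alice` on `ubuntu`, which is the Unauthorized case in the report, while the broad rule admits her and still rejects `bob`, whose only target belongs to another distribution.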