Launchpad itself

ISpecification.all_specifications returns an empty list for anonymous users of the API

Bug #683106 reported by Guilherme Salgado on 2010-11-30
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Guilherme Salgado
Launchpad itself 10.12
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Apps accessing the API anonymously will always get an empty list from .all_specifications and .valid_specifications, even though the total_size states that there are specs available. This is weird as one can use .getSpecification(name='...') to get individual specifications anonymously.

The same happens on ISpecification.dependencies, which, like the two others mentioned above, is a scoped collection of ISpecifications.

See original description

Related branches

lp:~salgado/launchpad/bug-683106
Jelmer Vernooij (community): Approve on 2010-12-01
Diff: 141 lines (+50/-1)
5 files modified
lib/canonical/launchpad/security.py (+15/-1)
lib/lp/blueprints/interfaces/specification.py (+1/-0)
lib/lp/blueprints/tests/test_webservice.py (+16/-0)
lib/lp/testing/__init__.py (+1/-0)
lib/lp/testing/_webservice.py (+17/-0)
Guilherme Salgado (salgado) on 2010-11-30
description: updated
Guilherme Salgado (salgado) wrote :

Leonard believes this is a permission issue:
<leonardr> salgado: lazr.restful does an explicit permission check to filter items from a collection. it does not do an explicit check on the return value of a named operation--it relies on zope throwing an exception
<leonardr> we might have a situation where an explicit permission check fails but the permission is never enforced?

(that would explain why we can get specs anonymously via getSpecification() but not via all_specifications)

William Grant (wgrant) wrote :

lazr.restful is hardcoded to check for launchpad.View before returning something in a collection. But it respects the defined permissions (in this case zope.Public) when determining which attributes to return from a named operation.

Guilherme Salgado (salgado) wrote : Re: [Bug 683106] Re: ISpecification.all_specifications returns an empty list for anonymous users of the API

Ok, so I take that it is known that to expose a collection of ISomething
on the API you need to make sure there is a launchpad.View security
adapter for it?

In the case of ISpecification, I think it makes sense for that security
adapter to allow unrestricted (read-only) access given that all
blueprints are public anyway.

Guilherme Salgado (salgado) on 2010-12-01
Changed in blueprint:
assignee: nobody → Guilherme Salgado (salgado)
status: In Progress → Fix Committed
Launchpad QA Bot (lpqabot) wrote : Bug fixed by a commit

Fixed in stable r12011 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/12011>.

Changed in blueprint:
milestone: none → 10.12
tags: added: qa-needstesting
Guilherme Salgado (salgado) on 2010-12-03
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui) on 2010-12-08
Changed in blueprint:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers