ISpecification.all_specifications returns an empty list for anonymous users of the API

Bug #683106 reported by Guilherme Salgado on 2010-11-30
Affects: Launchpad itself
Assigned to: Guilherme Salgado

Bug Description

Apps accessing the API anonymously will always get an empty list from .all_specifications and .valid_specifications, even though the total_size states that there are specs available. This is weird as one can use .getSpecification(name='...') to get individual specifications anonymously.

The same happens on ISpecification.dependencies, which, like the two others mentioned above, is a scoped collection of ISpecifications.

description: updated
Guilherme Salgado (salgado) wrote :

Leonard believes this is a permission issue:
<leonardr> salgado: lazr.restful does an explicit permission check to filter items from a collection. it does not do an explicit check on the return value of a named operation--it relies on zope throwing an exception
<leonardr> we might have a situation where an explicit permission check fails but the permission is never enforced?

(that would explain why we can get specs anonymously via getSpecification() but not via all_specifications)

William Grant (wgrant) wrote :

lazr.restful is hardcoded to check for launchpad.View before returning something in a collection. But it respects the defined permissions (in this case zope.Public) when determining which attributes to return from a named operation.

Ok, so I take it that it is known that to expose a collection of ISomething
on the API you need to make sure there is a launchpad.View security
adapter for it?

In the case of ISpecification, I think it makes sense for that security
adapter to allow unrestricted (read-only) access given that all
blueprints are public anyway.
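
A small model of the mismatch discussed in the comments above, added here as an illustration; it is not lazr.restful or Launchpad code. All class and function names are hypothetical, and the model assumes total_size is counted before the per-item permission filter runs. It shows the same object being reachable through a named operation (declared permission zope.Public) while the collection path drops it for lack of a launchpad.View adapter, and a check that flags the disagreement.

```python
# Toy model of the behaviour discussed in this report.
# Not lazr.restful or Launchpad code; every name below is hypothetical.
PUBLIC = "zope.Public"
VIEW = "launchpad.View"


class Specification:
    def __init__(self, name):
        self.name = name


class SecurityPolicy:
    """Maps (class, permission) to an adapter: check(obj, user) -> bool."""

    def __init__(self):
        self.adapters = {}

    def register(self, cls, permission, check):
        self.adapters[(cls, permission)] = check

    def check_permission(self, permission, obj, user):
        if permission == PUBLIC:
            return True
        adapter = self.adapters.get((type(obj), permission))
        # No adapter registered for this permission: fail closed.
        return adapter is not None and adapter(obj, user)


def named_operation(policy, specs, name, user, declared=PUBLIC):
    """Named-operation path: honours the permission declared on the interface."""
    for spec in specs:
        if spec.name == name and policy.check_permission(declared, spec, user):
            return spec
    return None


def collection(policy, specs, user):
    """Collection path: entries are filtered on a fixed launchpad.View check.

    Assumption of this model: total_size is counted before filtering,
    which matches the symptom in the bug description.
    """
    entries = [s.name for s in specs if policy.check_permission(VIEW, s, user)]
    return {"total_size": len(specs), "entries": entries}


def silently_filtered(policy, specs, user):
    """Regression check: does total_size disagree with the visible entries?"""
    page = collection(policy, specs, user)
    return page["total_size"] != len(page["entries"])
```

Passing `user=None` stands for an anonymous API client; registering a read-only launchpad.View adapter for `Specification` makes both paths agree.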

Changed in blueprint:
assignee: nobody → Guilherme Salgado (salgado)
status: In Progress → Fix Committed
Changed in blueprint:
milestone: none → 10.12
tags: added: qa-needstesting
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui) on 2010-12-08
Changed in blueprint:
status: Fix Committed → Fix Released