ISpecification.all_specifications returns an empty list for anonymous users of the API

Bug #683106 reported by Guilherme Salgado
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Fix Released | High | Guilherme Salgado |

Bug Description

Apps accessing the API anonymously will always get an empty list from .all_specifications and .valid_specifications, even though the total_size states that there are specs available. This is weird as one can use .getSpecification(name='...') to get individual specifications anonymously.

The same happens on ISpecification.dependencies, which, like the two others mentioned above, is a scoped collection of ISpecifications.

description: updated
Guilherme Salgado (salgado) wrote :

Leonard believes this is a permission issue:
<leonardr> salgado: lazr.restful does an explicit permission check to filter items from a collection. it does not do an explicit check on the return value of a named operation--it relies on zope throwing an exception
<leonardr> we might have a situation where an explicit permission check fails but the permission is never enforced?

(that would explain why we can get specs anonymously via getSpecification() but not via all_specifications)

William Grant (wgrant) wrote :

lazr.restful is hardcoded to check for launchpad.View before returning something in a collection. But it respects the defined permissions (in this case zope.Public) when determining which attributes to return from a named operation.

Guilherme Salgado (salgado) wrote : Re: [Bug 683106] Re: ISpecification.all_specifications returns an empty list for anonymous users of the API

Ok, so I take it that it is known that to expose a collection of ISomething
on the API you need to make sure there is a launchpad.View security
adapter for it?

In the case of ISpecification, I think it makes sense for that security
adapter to allow unrestricted (read-only) access given that all
blueprints are public anyway.
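
A simplified model of the behaviour described in this thread, added here as an illustration and not taken from lazr.restful or Launchpad: a named operation that honours the declared permission next to a collection that filters every entry on a fixed launchpad.View check. All class and function names are hypothetical, and it assumes a missing security adapter means the check fails and that total_size is counted before filtering.

```python
# Simplified model of the two access paths discussed in this bug.
# Not lazr.restful code: every class and function name below is hypothetical.
PUBLIC = "zope.Public"
VIEW = "launchpad.View"


class Policy:
    """Security adapters keyed by (type name, permission); user None = anonymous."""

    def __init__(self):
        self.adapters = {}

    def register(self, type_name, permission, checker):
        self.adapters[(type_name, permission)] = checker

    def check(self, obj, permission, user):
        if permission == PUBLIC:
            return True
        checker = self.adapters.get((type(obj).__name__, permission))
        # Assumption: with no adapter registered, the check fails (deny by default).
        return checker is not None and checker(user)


class Specification:
    declared_permission = PUBLIC  # the permission defined for its attributes

    def __init__(self, name):
        self.name = name


def named_operation(policy, specs, name, user):
    """Models getSpecification(name=...): honours the declared permission."""
    spec = next(s for s in specs if s.name == name)
    if not policy.check(spec, spec.declared_permission, user):
        raise PermissionError(name)
    return spec.name


def collection(policy, specs, user):
    """Models all_specifications: every entry must pass a fixed VIEW check."""
    entries = [s.name for s in specs if policy.check(s, VIEW, user)]
    # Assumption: total_size is counted before filtering, as the report observed.
    return {"total_size": len(specs), "entries": entries}


SPECS = [Specification("spec-a"), Specification("spec-b")]  # constructed sample data
```

Registering a read-only launchpad.View adapter for the type, as proposed in the reply above, makes the collection and the named operation agree for anonymous callers.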

Changed in blueprint:
assignee: nobody → Guilherme Salgado (salgado)
status: In Progress → Fix Committed
Launchpad QA Bot (lpqabot) wrote : Bug fixed by a commit
Changed in blueprint:
milestone: none → 10.12
tags: added: qa-needstesting
tags: added: qa-ok
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in blueprint:
status: Fix Committed → Fix Released
This report contains Public information  
Everyone can see this information.