Person.canWrite(), Person.canAccess() should not only work for the current user

Bug #767293 reported by Abel Deuring on 2011-04-20
This bug affects 1 person
Affects: Launchpad itself
Importance: Low
Assigned to: Unassigned

Bug Description

For two reasons, a user can call the methods Person.canWrite() and Person.canAccess() only for himself:

1. These methods use the functions canWrite(), canAccess() from zope.security.checker, and these functions check the permissions of the user of the current interaction.
2. Calling these methods for other persons than the current user might leak sensitive information. We should probably allow these methods only for LP admins, or perhaps for teams where the current user is a member.

Abel Deuring (adeuring) on 2011-04-20
Changed in launchpad:
importance: Undecided → Low
status: New → Triaged
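
The limitation and the proposed restriction from the report, as an added Python sketch (not Launchpad or zope.security code; every name and the policy are hypothetical). A check bound to the current interaction answers for the caller whichever person is passed, while the per-person variant answers only to that person, an admin, or a member of the queried team.

```python
# Added illustration: a simplified model, not Launchpad or zope.security code.
import threading

_state = threading.local()  # stands in for the per-request "current interaction"

class Person:
    # A team is modelled as a Person with members (names), an assumption here.
    def __init__(self, name, admin=False, members=()):
        self.name, self.admin, self.members = name, admin, set(members)

class Bug:
    """Constructed sample object: only names in `editors` may write to it."""
    def __init__(self, editors):
        self.editors = set(editors)

def login(person):
    # Bind the principal of the current interaction.
    _state.principal = person

def policy_allows(principal, obj, attr):
    # Hypothetical policy: writing any attribute requires being an editor.
    return principal.name in obj.editors

def interaction_can_write(obj, attr):
    # Models reason 1 in the report: the answer is always computed for the
    # principal of the current interaction.
    return policy_allows(_state.principal, obj, attr)

def can_write_current_only(person, obj, attr):
    # `person` never reaches the check, so the result describes the caller.
    return interaction_can_write(obj, attr)

def can_write_for(person, obj, attr):
    # Evaluate for `person`, but only answer callers allowed to ask (reason 2):
    # the person themselves, an admin, or a member of the queried team.
    caller = _state.principal
    if not (caller is person or caller.admin or caller.name in person.members):
        raise PermissionError(f"{caller.name} may not query {person.name}")
    return policy_allows(person, obj, attr)
```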