Anyone can call createPPA on anyone else
Bug #1011609 reported by Jonathan Lange
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself | Fix Released | Critical | Jonathan Lange | | |
Bug Description
Currently, anyone who is logged in can call createPPA on anyone else. Instead, only team admins should be able to create PPAs on teams, and only the person themselves should be able to create PPAs on individuals. i.e. createPPA should require launchpad.Edit.
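The rule stated in the description, as an added Python sketch that is not part of the original report and is not Launchpad's code. `Person`, `can_edit`, both `create_ppa_*` functions and `access_matrix` are hypothetical names, and `can_edit` only stands in for the `launchpad.Edit` check; the matrix is the kind of regression test that catches a missing owner check.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    """Caller lacks edit rights on the target (models launchpad.Edit)."""

@dataclass(eq=False)  # identity semantics, so instances can sit in sets
class Person:
    name: str
    is_team: bool = False
    admins: set = field(default_factory=set)  # used only when is_team
    ppas: list = field(default_factory=list)

def can_edit(caller, target):
    """The rule from the report: admins for teams, self for individuals."""
    if target.is_team:
        return caller in target.admins
    return caller is target

def create_ppa_unchecked(caller, target, name):
    """Reported behaviour: being logged in (non-None caller) is enough."""
    if caller is None:
        raise Unauthorized("login required")
    target.ppas.append(name)
    return name

def create_ppa_checked(caller, target, name):
    """Intended behaviour: caller must hold edit rights on the target."""
    if caller is None or not can_edit(caller, target):
        raise Unauthorized(f"no edit rights on {target.name}")
    target.ppas.append(name)
    return name

def access_matrix(create):
    """Run every caller against every target; record who was allowed."""
    alice, bob = Person("alice"), Person("bob")  # constructed sample users
    team = Person("team", is_team=True, admins={alice})
    matrix = {}
    for caller in (alice, bob):
        for target in (alice, bob, team):
            try:
                create(caller, target, "ppa")
                matrix[caller.name, target.name] = True
            except Unauthorized:
                matrix[caller.name, target.name] = False
    return matrix

if __name__ == "__main__":
    print(access_matrix(create_ppa_checked))
```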
Related branches
lp:~jml/launchpad/validate-ppa-owner
- Curtis Hovey (community): Approve (code)
- Launchpad code reviewers: Pending requested
Diff: 345 lines (+84/-56)
10 files modified
lib/lp/_schema_circular_imports.py (+2/-1)
lib/lp/code/browser/tests/test_sourcepackagerecipe.py (+6/-1)
lib/lp/registry/browser/tests/test_team.py (+2/-1)
lib/lp/registry/interfaces/person.py (+28/-27)
lib/lp/registry/model/person.py (+0/-5)
lib/lp/registry/tests/test_team.py (+2/-1)
lib/lp/soyuz/browser/archive.py (+1/-0)
lib/lp/soyuz/model/archive.py (+16/-8)
lib/lp/soyuz/tests/test_archive.py (+14/-9)
lib/lp/soyuz/tests/test_person_createppa.py (+13/-3)
security vulnerability: | no → yes |
visibility: | public → private |
tags: | added: disclosure ppa |
Changed in launchpad: | |
assignee: | nobody → Jonathan Lange (jml) |
status: | New → Triaged |
importance: | Undecided → Critical |
tags: | added: regression |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
visibility: | private → public |
tags: | added: hardening |
Fixed in stable r15390 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/15390>.