Launchpad itself

Specifications privacy: subscribers can't see private blueprints

Bug #1056881 reported by Данило Шеган
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Abel Deuring

Bug Description

I am testing out private blueprints, and I noticed that subscribers to the private blueprints can't see them unless they are explicitely granted permissions through the "Sharing" page to proprietary data.

This is confusing since I believe bugs work in a different manner.

To reproduce:
 1. create a project with other/proprietary license
 2. go to "Sharing" and make sure specifications are marked as "proprietary"
 3. configure blueprints to live in Launchpad
 4. create a new blueprint
 5. subscribe someone else to the blueprint
 6. ask them to see if they can load the blueprint

See original description

Related branches

lp:~adeuring/launchpad/bug-1056881
Aaron Bentley (community): Approve
Diff: 395 lines (+228/-13)
6 files modified
lib/lp/blueprints/model/specification.py (+29/-0)
lib/lp/blueprints/model/specificationsubscription.py (+30/-3)
lib/lp/blueprints/model/tests/test_specification.py (+51/-3)
lib/lp/blueprints/model/tests/test_subscription.py (+61/-6)
lib/lp/blueprints/tests/test_specification.py (+56/-0)
lib/lp/blueprints/tests/test_webservice.py (+1/-1)
lp:~adeuring/launchpad/bug-1056881-2
Richard Harding (community): Approve
Diff: 166 lines (+47/-21)
4 files modified
lib/lp/blueprints/browser/tests/test_specification.py (+7/-9)
lib/lp/registry/configure.zcml (+25/-0)
lib/lp/registry/interfaces/product.py (+11/-9)
lib/lp/registry/tests/test_product.py (+4/-3)
Данило Шеган (danilo)
description: updated
Deryck Hodge (deryck)
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
tags: added: privacy private-blueprints private-projects
Deryck Hodge (deryck)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Abel Deuring (adeuring)
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r16303 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/16303>.

tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Abel Deuring (adeuring)
Changed in launchpad:
status: Fix Committed → In Progress
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Данило Шеган (danilo) wrote :

I assume the missing bit is to create artifact grants for all the subscribers that might not have them now? FWIW, Linaro can work around that once this hits production by unsubscribing and subscribing people again (I assume you don't have too many private blueprint users, so it might not be worth the effort to come up with migration plan).

Will this also include assignees who are not explicitely granted permissions to view a blueprint?

Revision history for this message
Abel Deuring (adeuring) wrote : Re: [Bug 1056881] Re: Specifications privacy: subscribers can't see private blueprints

On 23.11.2012 18:17, Данило Шеган wrote:
> I assume the missing bit is to create artifact grants for all the
> subscribers that might not have them now? FWIW, Linaro can work around
> that once this hits production by unsubscribing and subscribing people
> again (I assume you don't have too many private blueprint users, so it
> might not be worth the effort to come up with migration plan).

Yes, this is an issue, and I'd appreciate your offer to do the
unsubscribe/subscribe cycle.

But my mistake is something else: Even people with an artfact grant
can't yet access blueprint pages. They'll get a 403 error when
product.getSpecifcation() is called during traversal. Nice example of
"too narrow" testing: create_inititalized_view(proprietary_blueprint)
works fine -- but this does not involve traversing to the blueprint...

> Will this also include assignees who are not explicitely granted
> permissions to view a blueprint?
>

No, I'm not addressing this right now. I see your point: Having to
explicitly subscribe an assignee is somwhat weird.

But:
  - we have the at present same problem with bugtask assignees, so for
    consistency sake both "assignment steps" should behave identically
  - we will have to discuss a few issues around the details. The most
    important one: Should we simply subscribe the assignee
    automatically, or should we issue the artifact grant independently?

Richard Harding (rharding)
Changed in launchpad:
status: In Progress → Fix Released
Abel Deuring (adeuring)
Changed in launchpad:
status: Fix Released → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r16312 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/16312>.

tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Abel Deuring (adeuring)
tags: added: qa-ok
removed: qa-needstesting
Richard Harding (rharding)
Changed in launchpad:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.