Person.addLanguage and Person.removeLanguage permissions are far too open

Bug #1944599 reported by Colin Watson
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Launchpad itself | Fix Released | Critical | Ioana Lasc | |

Bug Description

If you can see a person at all, then you can edit their language preferences:

  $ curl -s https://api.launchpad.net/devel/~ubuntu-archive-robot/languages | jq '.entries[].code'
  $ curl -d ws.op=addLanguage -d language=/%2Blanguages/de https://api.launchpad.net/devel/~ubuntu-archive-robot; echo
  null
  $ curl -s https://api.launchpad.net/devel/~ubuntu-archive-robot/languages | jq '.entries[].code'
  "de"
  $ curl -d ws.op=removeLanguage -d language=/%2Blanguages/de https://api.launchpad.net/devel/~ubuntu-archive-robot; echo
  null
  $ curl -s https://api.launchpad.net/devel/~ubuntu-archive-robot/languages | jq '.entries[].code'

These operations should surely be in `IPersonEditRestricted`, not `IPersonViewRestricted`.

Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Ioana Lasc (ilasc)
Ioana Lasc (ilasc)
Changed in launchpad:
status: In Progress → Fix Released
Colin Watson (cjwatson)
information type: Private Security → Public Security
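
The interface misplacement described in the report, modelled as an added example (not Launchpad's code and not part of the original report): each operation is authorized by the permission attached to the interface that declares it, so a mutator declared under `IPersonViewRestricted` is callable by anyone who can see the person. The `view`/`edit` permission names, the `Person` model, the `BEFORE`/`AFTER` layouts and the `misplaced_writes` audit are assumptions made for illustration.

```python
# Toy model of interface-scoped permissions; illustrative only, not Launchpad's code.
from dataclasses import dataclass, field

VIEW, EDIT = "view", "edit"  # hypothetical permission names

# Interface -> permission required to call anything it declares.
REQUIRED = {"IPersonViewRestricted": VIEW, "IPersonEditRestricted": EDIT}

# Operation -> (declaring interface, mutates state?). BEFORE is the reported layout.
BEFORE = {
    "languages": ("IPersonViewRestricted", False),
    "addLanguage": ("IPersonViewRestricted", True),
    "removeLanguage": ("IPersonViewRestricted", True),
}
# AFTER moves the two mutators to the edit-restricted interface, as the report suggests.
AFTER = {
    **BEFORE,
    "addLanguage": ("IPersonEditRestricted", True),
    "removeLanguage": ("IPersonEditRestricted", True),
}

@dataclass
class Person:
    name: str
    languages: set = field(default_factory=set)

def permissions_for(caller, person):
    """Anyone who can see the person holds VIEW; only the person holds EDIT."""
    return {VIEW, EDIT} if caller == person.name else {VIEW}

def call(layout, caller, person, op, language=None):
    """Dispatch op after checking the permission of its declaring interface."""
    interface, _ = layout[op]
    if REQUIRED[interface] not in permissions_for(caller, person):
        raise PermissionError(f"{op} requires {REQUIRED[interface]}")
    if op == "addLanguage":
        person.languages.add(language)
    elif op == "removeLanguage":
        person.languages.discard(language)
    return sorted(person.languages)

def misplaced_writes(layout):
    """Audit: mutating operations reachable with only the view permission."""
    return sorted(op for op, (iface, mutates) in layout.items()
                  if mutates and REQUIRED[iface] == VIEW)
```

Running an audit like `misplaced_writes` over the declared operations in a test suite catches this class of mistake before an endpoint ships.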
This report contains Public Security information  
Everyone can see this security related information.
