Use the restricted librarian for diffs for private branches

Bug #328271 reported by Tim Penhey
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Fix Released | High | Aaron Bentley |

Bug Description

Not much more to say.

Jonathan Lange (jml) wrote :

Setting to High since this *is* a security bug.

Changed in launchpad-bazaar:
importance: Undecided → High
status: New → Triaged
Aaron Bentley (abentley) wrote :

Perhaps we should use the private librarian for all diffs, since public branches may become private after the diff is generated.

Martin Pool (mbp) wrote : Re: [Bug 328271] Re: Use the restricted librarian for diffs for private branches

2009/7/3 Aaron Bentley <email address hidden>:
> Perhaps we should use the private librarian for all diffs, since public
> branches may become private after the diff is generated.

It's nice that one can drag the diff url from a mp page into eg a
shell window or irc client, and then use it from an http client that
may not have a Launchpad login. It seems like your proposal may break
that.

I think if we've previously published a diff it's reasonable that it
should stay public, as long as in emergencies a LOSA can intervene to
delete it.

--
Martin <http://launchpad.net/~mbp/>

Stuart Bishop (stub) wrote :

On Fri, Jul 3, 2009 at 6:09 AM, Martin Pool <email address hidden> wrote:
> 2009/7/3 Aaron Bentley <email address hidden>:
>> Perhaps we should use the private librarian for all diffs, since public
>> branches may become private after the diff is generated.
>
> It's nice that one can drag the diff url from a mp page into eg a
> shell window or irc client, and then use it from an http client that
> may not have a Launchpad login.  It seems like your proposal may break
> that.

The proposal doesn't have to break that. Launchpad proxies files from
the private Librarian. If the branches are public, it can serve the
diffs to unauthenticated users if it wants.

--
Stuart Bishop <email address hidden>
http://www.stuartbishop.net/

Curtis Hovey (sinzui)
tags: added: tech-debt

Aaron Bentley (abentley)
Changed in launchpad-code:
assignee: nobody → Aaron Bentley (abentley)

Tim Penhey (thumper)
Changed in launchpad-code:
status: Triaged → Fix Committed
milestone: none → 10.02

Aaron Bentley (abentley)
Changed in launchpad-code:
status: Fix Committed → Fix Released

Curtis Hovey (sinzui)
visibility: private → public
This report contains Public information  
Everyone can see this information.
