bug supervisors have more power than maintainers and admins

Bug #885692 reported by Curtis Hovey
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Launchpad itself | Fix Released | High | Steve Kowalik |

Bug Description

I am sure this bug overlaps with several issues already reported. This bug is about a bad pattern in lp.bugs that might be fixable in one branch to address a lot of permission contradictions in Lp Bugs UI/API. Browser and model code frequently do something like
    user.inTeam(bug_supervisor)
which is not a permission check, but a role check. The code should be asking if the user has .edit, .moderate, or .admin on the object or property to determine what to do, such as
    check_permission('launchpad.Edit', bugtask)
which would invoke the proper security check in lp.bugs.security.

The proper check would know that the order of precedence is:
    admins, pillar.owner, pillar.drivers, pillar.bug_supervisors
^ Admins can do everything. Owners delegate planning and bug responsibilities to drivers and bug supervisors. Drivers work with release planning, which encompasses bugs and specs. Bug supervisors can work bugs.
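
The difference between the role check and the permission check described in the report, as an added example that is not part of the original report and is not Launchpad's code. The `Person`, `Pillar`, `role_check`, `can_edit_bugtask` and `compare` names, the `admins` team name and the sample users are all hypothetical.

```python
# Illustrative model only: these classes and functions are hypothetical
# and are not Launchpad's lp.bugs.security implementation.
from dataclasses import dataclass, field

ADMINS = "admins"  # constructed name for the site-wide admin team

@dataclass(frozen=True)
class Person:
    name: str
    teams: frozenset = frozenset()  # names of teams this person belongs to

    def in_team(self, team):
        # A person counts as a member of themselves, so a role may be
        # held by an individual or by a team.
        return team is not None and (team == self.name or team in self.teams)

@dataclass
class Pillar:
    owner: str
    drivers: list = field(default_factory=list)
    bug_supervisor: str = None

def role_check(user, pillar):
    """The pattern the report criticises: it only asks which role you hold."""
    return user.in_team(pillar.bug_supervisor)

def can_edit_bugtask(user, pillar):
    """Permission check using the precedence listed in the report:
    admins, pillar.owner, pillar.drivers, pillar.bug_supervisors."""
    roles = [ADMINS, pillar.owner, *pillar.drivers, pillar.bug_supervisor]
    return any(user.in_team(role) for role in roles)

def compare(users, pillar):
    """Return {name: (role_check result, permission check result)}."""
    return {u.name: (role_check(u, pillar), can_edit_bugtask(u, pillar))
            for u in users}

# Constructed sample data: the owner has delegated bug supervision to a team.
PROJECT = Pillar(owner="alice", drivers=["release-team"], bug_supervisor="bug-squad")
USERS = [
    Person("alice"),                              # pillar owner
    Person("root", frozenset({ADMINS})),          # site admin
    Person("dave", frozenset({"release-team"})),  # driver
    Person("bob", frozenset({"bug-squad"})),      # bug supervisor
    Person("eve"),                                # holds no role
]

if __name__ == "__main__":
    for name, (role, perm) in compare(USERS, PROJECT).items():
        print(f"{name:6} role_check={role!s:5} permission_check={perm}")
```

With the role check, the owner, admin and driver are all refused unless they are also nested into the bug supervisor team; the permission check grants them access while still refusing a user with no role.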

Robert Collins (lifeless) wrote : Re: [Bug 885692] Re: bug supervisors have more power than maintainers and admins

Perhaps it would be better to have owners etc just be members of bug
supervisors, this keeps the checks very simple, which is good for
performance, and allows both hands off delegation and inclusive
delegation.

Curtis Hovey (sinzui) wrote :

We do not want the owner or driver to also be in the bug supervisor role to edit bugs properly, nor do we want to require users to assign the role to make permissions work. This is essentially the problem now. Users must nest teams and fill all the roles to get permission, though this also leads to unwanted emails. Fixing this bug is a half step to not requiring maintainers to also be the bug supervisor... then the maintainer can truly delegate a responsibility and not set a /dev/null email address to stop Launchpad from spamming.

Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
assignee: nobody → Steve Kowalik (stevenk)
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → In Progress
Steve Kowalik (stevenk)
tags: added: qa-untestable
removed: qa-needstesting
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-untestable
Changed in launchpad:
status: In Progress → Fix Committed
Steve Kowalik (stevenk)
tags: added: qa-ok
removed: qa-needstesting
Aaron Bentley (abentley)
Changed in launchpad:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
tags: added: hardening