Launchpad itself

Merge lp:~adeuring/launchpad/bug-1067736 into lp:launchpad

bug-1067736
Merge into devel

Proposed by Abel Deuring on 2012-10-26

Status:

Merged

Approved by:

Abel Deuring on 2012-10-26

Approved revision:

no longer in the source branch.

Merged at revision:

16203

Proposed branch:

lp:~adeuring/launchpad/bug-1067736

Merge into:

lp:launchpad

Diff against target:

88 lines (+20/-24)

3 files modified

lib/lp/app/browser/tests/test_launchpad.py (+0/-3)
lib/lp/registry/model/product.py (+10/-18)
lib/lp/registry/tests/test_product.py (+10/-3)

To merge this branch:

bzr merge lp:~adeuring/launchpad/bug-1067736

Related bugs:

Bug #1061933: Product.userCanView doesn't consider team memberships	High	Fix Released
Bug #1067736: Registry experts can see all proprietary products	High	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Deryck Hodge (community)		2012-10-26	Approve on 2012-10-26
Review via email: mp+131527@code.launchpad.net

Commit Message

Product.userCanView(): don't give registry experts the permission lp.View for all private products; check for team grants for regular users

Description of the Change

This branch changes Product.userCanView() so that members of the registry experts team do not get accss to al rpivate products.

Additionally, the method now calls SharingService.checkPillarAccess() to check the permission for ordinary users. This method looks also for team grants, so I added a related assertion to test_access_launchpad_View_proprietary_product().

test:

./bin/test -vvt lp.registry.tests.test_product.TestProduct.test_access_launchpad_View_proprietary_product

no lint

Deryck Hodge (deryck) wrote on 2012-10-26:

Looks good. Thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'lib/lp/app/browser/tests/test_launchpad.py'
 --- lib/lp/app/browser/tests/test_launchpad.py	2012-10-12 16:20:51 +0000
 +++ lib/lp/app/browser/tests/test_launchpad.py	2012-10-26 10:06:25 +0000
@@ -565,9 +565,6 @@
          # products.
          with celebrity_logged_in('admin'):
              self.check_admin_access()
--        # Registry experts can access to all products.
--        with celebrity_logged_in('registry_experts'):
--            self.check_admin_access()
          # Commercial admins have access to all products.
          with celebrity_logged_in('commercial_admin'):
              self.check_admin_access()
 === modified file 'lib/lp/registry/model/product.py'
 --- lib/lp/registry/model/product.py	2012-10-24 14:54:46 +0000
 +++ lib/lp/registry/model/product.py	2012-10-26 10:06:25 +0000
@@ -90,6 +90,7 @@
      ILaunchpadUsage,
      IServiceUsage,
+     )
++from lp.app.interfaces.services import IService
  from lp.app.model.launchpad import InformationTypeMixin
  from lp.blueprints.enums import (
      SpecificationFilter,
@@ -1522,25 +1523,16 @@
              return False
          if user.id in self._known_viewers:
              return True
--        # We need the plain Storm Person object for the SQL query below
--        # but an IPersonRoles object for the team membership checks.
--        if IPersonRoles.providedBy(user):
--            plain_user = user.person
--        else:
--            plain_user = user
++        if not IPersonRoles.providedBy(user):
              user = IPersonRoles(user)
--        if (user.in_commercial_admin or user.in_admin or
--            user.in_registry_experts):
--            self._known_viewers.add(user.id)
--            return True
--        policy = getUtility(IAccessPolicySource).find(
--            [(self, self.information_type)]).one()
--        grants_for_user = getUtility(IAccessPolicyGrantSource).find(
--            [(policy, plain_user)])
--        if grants_for_user.is_empty():
--            return False
--        self._known_viewers.add(user.id)
--        return True
++        if user.in_commercial_admin or user.in_admin:
++            self._known_viewers.add(user.id)
++            return True
++        if getUtility(IService, 'sharing').checkPillarAccess(
++            [self], self.information_type, user):
++            self._known_viewers.add(user.id)
++            return True
++        return False
  def get_precached_products(products, need_licences=False, need_projects=False,
 === modified file 'lib/lp/registry/tests/test_product.py'
 --- lib/lp/registry/tests/test_product.py	2012-10-24 14:54:46 +0000
 +++ lib/lp/registry/tests/test_product.py	2012-10-26 10:06:25 +0000
@@ -735,13 +735,20 @@
          with person_logged_in(ordinary_user):
              for attribute_name in names:
                  getattr(product, attribute_name)
++        # Access can be granted to a team too.
++        other_user = self.factory.makePerson()
++        team = self.factory.makeTeam(members=[other_user])
++        with person_logged_in(owner):
++            getUtility(IService, 'sharing').sharePillarInformation(
++                product, team, owner,
++                {InformationType.PROPRIETARY: SharingPermission.ALL})
++        with person_logged_in(other_user):
++            for attribute_name in names:
++                getattr(product, attribute_name)
          # Admins can access proprietary products.
          with celebrity_logged_in('admin'):
              for attribute_name in names:
                  getattr(product, attribute_name)
--        with celebrity_logged_in('registry_experts'):
--            for attribute_name in names:
--                getattr(product, attribute_name)
          # Commercial admins have access to all products.
          with celebrity_logged_in('commercial_admin'):
              for attribute_name in names: