Launchpad itself

Merge lp:~adeuring/launchpad/lp-view-for-timelneproductseries into lp:launchpad

  1. lp-view-for-timelneproductseries
  2. Merge into devel
Proposed by Abel Deuring on 2012-11-27
Status: Merged
Approved by: Abel Deuring on 2012-11-27
Approved revision: no longer in the source branch.
Merged at revision: 16319
Proposed branch: lp:~adeuring/launchpad/lp-view-for-timelneproductseries
Merge into: lp:launchpad
Diff against target: 107 lines (+73/-3)
3 files modified
lib/lp/registry/configure.zcml (+2/-1)
lib/lp/registry/tests/test_productseries.py (+62/-0)
lib/lp/security.py (+9/-2)
To merge this branch: bzr merge lp:~adeuring/launchpad/lp-view-for-timelneproductseries
Reviewer Review Type Date Requested Status
Richard Harding (community) 2012-11-27 Approve on 2012-11-27
Review via email: mp+136374@code.launchpad.net

Commit Message

require the permission launchpad.View to access ITimelineProductSeries instances.

Description of the Change

This branch changes the security configuration for ITimelineProductSeries.

ITimelineProductSeries instances contain some data from products, product serieses and milestones; access to instacnes related to proprietary products should be restricted like the access IProduct or IProductSeries instances themselves.

This is just a "boilerplate change": lib/lp/registry/configure.zcml now requires the permission lp.View for ITimelineProductSeries; lib/lp/security.py has a new security adapter.

test: ./bin/test registry -vvt test_access_to_timeline

no lint

To post a comment you must log in.
Richard Harding (rharding) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/registry/configure.zcml'
2--- lib/lp/registry/configure.zcml 2012-11-26 19:48:32 +0000
3+++ lib/lp/registry/configure.zcml 2012-11-27 11:35:37 +0000
4@@ -1624,7 +1624,8 @@
5
6 <class
7 class="lp.registry.model.productseries.TimelineProductSeries">
8- <allow
9+ <require
10+ permission="launchpad.View"
11 interface="lp.registry.interfaces.productseries.ITimelineProductSeries"/>
12 </class>
13
14
15=== modified file 'lib/lp/registry/tests/test_productseries.py'
16--- lib/lp/registry/tests/test_productseries.py 2012-11-26 08:33:03 +0000
17+++ lib/lp/registry/tests/test_productseries.py 2012-11-27 11:35:37 +0000
18@@ -864,3 +864,65 @@
19 for permission, names in self.expected_set_permissions.items():
20 self.assertChangeAuthorized(names, self.public_series)
21 self.assertChangeAuthorized(names, self.proprietary_series)
22+
23+
24+class TestTimelineProductSeries(TestCaseWithFactory):
25+ """Tests for TimelineProductSeries."""
26+
27+ layer = DatabaseFunctionalLayer
28+
29+ def test_access_to_timeline_of_public_product(self):
30+ # ITestTimelineProductSeries instances related to public
31+ # products are publicly visible.
32+ series = self.factory.makeProductSeries()
33+ timeline = series.getTimeline()
34+ with person_logged_in(ANONYMOUS):
35+ for name in (
36+ 'name', 'status', 'is_development_focus', 'uri', 'landmarks',
37+ 'product'):
38+ # No exception is raised when attributes of timeline
39+ # are accessed.
40+ getattr(timeline, name)
41+ with person_logged_in(self.factory.makePerson()):
42+ for name in (
43+ 'name', 'status', 'is_development_focus', 'uri', 'landmarks',
44+ 'product'):
45+ # No exception is raised when attributes of timeline
46+ # are accessed.
47+ getattr(timeline, name)
48+
49+ def test_access_to_timeline_of_proprietary_product(self):
50+ # ITestTimelineProductSeries instances related to proprietary
51+ # products are visible only for person with a policy grant for
52+ # the product.
53+ owner = self.factory.makePerson()
54+ user_with_policy_grant = self.factory.makePerson()
55+ product = self.factory.makeProduct(
56+ owner=owner, information_type=InformationType.PROPRIETARY)
57+ series = self.factory.makeProductSeries(product=product)
58+ with person_logged_in(owner):
59+ timeline = series.getTimeline()
60+ getUtility(IService, 'sharing').sharePillarInformation(
61+ product, user_with_policy_grant, owner,
62+ {InformationType.PROPRIETARY: SharingPermission.ALL})
63+
64+ # Anonymous users do not have access.
65+ with person_logged_in(ANONYMOUS):
66+ for name in (
67+ 'name', 'status', 'is_development_focus', 'uri', 'landmarks',
68+ 'product'):
69+ self.assertRaises(Unauthorized, getattr, timeline, name)
70+ # Ordinary users do not have access.
71+ with person_logged_in(self.factory.makePerson()):
72+ for name in (
73+ 'name', 'status', 'is_development_focus', 'uri', 'landmarks',
74+ 'product'):
75+ self.assertRaises(Unauthorized, getattr, timeline, name)
76+ # Users with a policy grant have access.
77+ with person_logged_in(user_with_policy_grant):
78+ for name in (
79+ 'name', 'status', 'is_development_focus', 'uri', 'landmarks',
80+ 'product'):
81+ # No exception is raised when attributes of timeline
82+ # are accessed.
83+ getattr(timeline, name)
84
85=== modified file 'lib/lp/security.py'
86--- lib/lp/security.py 2012-11-26 08:33:03 +0000
87+++ lib/lp/security.py 2012-11-27 11:35:37 +0000
88@@ -490,10 +490,17 @@
89 user)
90
91
92-class ViewTimelineProductSeries(AnonymousAuthorization):
93- """Anyone can view an ITimelineProductSeries."""
94+class ViewTimelineProductSeries(DelegatedAuthorization):
95+ """Anyone who can view the related product can also view an
96+ ITimelineProductSeries.
97+ """
98+ permission = 'launchpad.View'
99 usedfor = ITimelineProductSeries
100
101+ def __init__(self, obj):
102+ super(ViewTimelineProductSeries, self).__init__(
103+ obj, obj.product, 'launchpad.View')
104+
105
106 class ViewProductReleaseFile(AnonymousAuthorization):
107 """Anyone can view an IProductReleaseFile."""