Merge lp:~adeuring/launchpad/productseries-sec-adapter into lp:launchpad
Status: | Merged |
---|---|
Approved by: | j.c.sackett |
Approved revision: | no longer in the source branch. |
Merged at revision: | 16174 |
Proposed branch: | lp:~adeuring/launchpad/productseries-sec-adapter |
Merge into: | lp:launchpad |
Diff against target: | 735 lines (+462/-30) (has conflicts), 12 files modified |
Files modified:
lib/lp/code/browser/tests/test_branchlisting.py (+2/-1)
lib/lp/registry/browser/tests/test_productseries_views.py (+51/-0)
lib/lp/registry/browser/tests/test_sourcepackage_views.py (+2/-1)
lib/lp/registry/configure.zcml (+12/-5)
lib/lp/registry/interfaces/productseries.py (+11/-5)
lib/lp/registry/model/packaging.py (+4/-0)
lib/lp/registry/model/productseries.py (+5/-0)
lib/lp/registry/tests/test_packaging.py (+18/-10)
lib/lp/registry/tests/test_productseries.py (+326/-1)
lib/lp/registry/tests/test_sourcepackage.py (+8/-3)
lib/lp/security.py (+21/-3)
lib/lp/translations/stories/webservice/xx-potemplate.txt (+2/-1)
Text conflict in lib/lp/registry/browser/tests/test_productseries_views.py
Text conflict in lib/lp/registry/tests/test_productseries.py
To merge this branch: | bzr merge lp:~adeuring/launchpad/productseries-sec-adapter |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Deryck Hodge (community) | Approve | ||
j.c.sackett (community) | Approve | ||
Review via email: mp+130305@code.launchpad.net |
Commit message
privacy aware security adapter for IProductSeries
Description of the change
This branch adds a "sharing aware" security adapter for IProductSeries.
Series of private products are now only shown to persons
with policy grants for the product; the only exceptions are some
attributes that do not leak any "real" information: the database ID,
and the method userCanView().
Details of the change:
lp/registry/
Access to most attributes and to "partial" interfaces that were public
now requires the permission launchpad.View; the permission
launchpad.AnyPerson is replaced with launchpad.
(lp.services.
has a "shortcut" for the permission launchpad.
dedicated security adapters are looked up for this permission,
so the new rule "data for series of private products should only
be visible for persons having a policy grant" cannot be implemented
with this permission.)
lp/security.py:
The existing class ViewProductSeries derived AnonymousAuthor
This does not make sense anymore; instead the class now derives
AuthorizationBase and calls the new method ProductSeries,
for real authorization check.
The new class ChangeProductSeries does the authorization check for
the permission launchpad.
lp/registry/
The existing interface IProductSeriesP
and the method userCanView(), all other attributes are defined in
the new class IProductSeriesView.
lp/registry/
The new method userCanView(). The actual permission check is done
by IProduct.
lp/registry/
Tests for the permissions.
The test class properties expected_
expected_
are actually used for IProductSeries.
test:
./bin/test registry -vvt lp.registry.
no lint
Update:
I'm running an EC2 test for this branch; several failures are
fixed in r 10250.
The tests lp.registry.
and lp.registry.
failed in lp.registry.
productseries.
the interfaces IInformationType to IProduct.
The other failures were either Unauthorized exceptions, or, in browser
tests, "AttributeError: 'thread._local' object has no attribute 'interaction'".
When a browser instance is created, an existing interaction is terminated,
so that thread.
a browser call -- but the current user is stored as an attribute of
interaction, and the new security tests require a check if this user has
access rights. The easiest fix is to access some required attribute
the browser object is created.
additional tests:
lp.registry.
lp.code.
lp.registry.
lp.registry.
lp.registry.
lp.registry.
Looks alright. Thanks Abel.
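
The delegation described in the merge proposal, modelled as a self-contained added example (this is not Launchpad code and not taken from the branch). The class names follow the description; `policy_grantees`, `PUBLIC_ATTRS`, `guarded_getattr` and the `checkAuthenticated`/`checkUnauthenticated` method shapes are assumptions of this sketch.

```python
# Simplified model of a sharing-aware security adapter; not Launchpad's code.
class Product:
    def __init__(self, name, private=False, policy_grantees=()):
        self.name, self.private = name, private
        self.policy_grantees = set(policy_grantees)  # assumed stand-in for policy grants

    def userCanView(self, user):
        # Public products are visible to everyone, including anonymous (None).
        return not self.private or user in self.policy_grantees

class ProductSeries:
    def __init__(self, series_id, name, product):
        self.id, self.name, self.product = series_id, name, product

    def userCanView(self, user):
        # The series has no policy of its own: the product decides.
        return self.product.userCanView(user)

class AuthorizationBase:
    permission = None

    def __init__(self, obj):
        self.obj = obj

    def checkAuthenticated(self, user):
        return False  # deny unless a subclass says otherwise

    def checkUnauthenticated(self):
        return False

class ViewProductSeries(AuthorizationBase):
    permission = "launchpad.View"

    def checkAuthenticated(self, user):
        return self.obj.userCanView(user)

    def checkUnauthenticated(self):
        return self.obj.userCanView(None)

# Attributes that stay readable without launchpad.View (hypothetical constant).
PUBLIC_ATTRS = {"id", "userCanView"}

def guarded_getattr(series, attr, user):
    """Return series.attr, enforcing launchpad.View on everything non-public."""
    if attr not in PUBLIC_ATTRS:
        adapter = ViewProductSeries(series)
        allowed = (adapter.checkUnauthenticated() if user is None
                   else adapter.checkAuthenticated(user))
        if not allowed:
            raise PermissionError(f"{adapter.permission} required for {attr!r}")
    return getattr(series, attr)
```

Because the adapter denies by default and the public set is an explicit allow-list, any attribute later added to the series is protected unless someone deliberately exposes it.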