Launchpad itself

Code review comment for lp:~al-maisan/launchpad/bedit-347768

bedit-347768
Merge into devel

Revision history for this message

Muharem Hrnjadovic (al-maisan) wrote on 2009-10-20:

Jonathan Lange wrote:
> On Mon, Oct 19, 2009 at 3:15 PM, Muharem Hrnjadovic
> <email address hidden> wrote:
>> Jonathan Lange wrote:
>>> On Mon, Oct 19, 2009 at 12:51 PM, Muharem Hrnjadovic
>>> <email address hidden> wrote:
>>>> Jonathan Lange wrote:
>>>>> Review: Needs Fixing

[..]

>>>> thanks for looking :) What is the recommended way to test for an
>>>> officially linked branch? Test the URL?
>>>> Check for the presence of a SeriesSourcePackageBranch instance?
>>>> Use SeriesSourcePackageBranchSet.findForBranch() and take it from there?
>>>>
>>> I would use getUtility(IFindOfficialBranchLinks).findForBranch(). I
>>> would do this check instead of checking that the branch is a
>>> sourcepackage branch, and I would check for upload rights to any of
>>> the packages that are officially linked.

Right. This is what the revised can_upload_linked_package() logic now
does.

Please see the enclosed incremental diff for details.

>> Packages? Is this a one-branch-to-many-packages relationship? From
>> looking at the code it looked like a 1-to-1 relationship to me ..
>>
>
> One branch can belong to at most one package.
>
> However, a branch can be an official package branch for many
> (sourcepackage, pocket) combinations, even if the branch itself does
> not belong to a source package. This is deliberate.
>
>> Anyway, after revising the code as suggested I get security exceptions
>> (please see http://pastebin.ubuntu.com/296865/).
>> I guess the ISeriesSourcePackageBranch interface needs to be split into
>> a read-only and an edit portion respectively. As it stands all access
>> to it requires the "launchpad.Edit" permissions.
>>
>> <class
>>
>> class="lp.code.model.seriessourcepackagebranch.SeriesSourcePackageBranch">
>> <allow
>> interface="lp.code.interfaces.seriessourcepackagebranch.ISeriesSourcePackageBranch"/>
>> <require
>> permission="launchpad.Edit"
>>
>> set_schema="lp.code.interfaces.seriessourcepackagebranch.ISeriesSourcePackageBranch"/>
>> </class>
>>
>
> Something's wrong here.
>
> ISeriesSourcePackageBranch is used to determine the short names of
> package branches (e.g. lp:ubuntu/emacs-snapshot). This works
> anonymously. (bazaar_identity calls
> branch.associatedSuiteSourcePackages() which gets
> IFindOfficialBranchLinks).
>
>>From the pastebin,
> ForbiddenAttribute: ('pocket', <storm.store.ResultSet object at 0xb359a90>)
>
> This means that you cannot get pocket from a ResultSet. This makes
> sense, since result sets are storm objects and don't have pockets.
>
> File "/home/mhr/canonical/lp-branches/bedit-347768/lib/canonical/launchpad/security.py",
> line 1616, in can_upload_linked_package
> if not branch.distroseries.canUploadToPocket(sspb.pocket):
> AttributeError: 'NoneType' object has no attribute 'canUploadToPocket'
>
> This error is correct, since the condition is checking the wrong
> thing. The question is not, "can we upload to this pocket in the
> distroseries that the branch belongs to" but rather "can we upload to
> this pocket in the distroseries that the branch is official for".
>
> i.e. sspb.distroseries.canUploadToPocket(sspb.pocket)

I am both relieved (that the error is so easily fixed) and embarrassed
that I made such a blunder :P Thanks for pointing it out!

Best regards

--
Muharem Hrnjadovic <email address hidden>
Public key id : B2BBFCFC
Key fingerprint : A5A3 CC67 2B87 D641 103F 5602 219F 6B60 B2BB FCFC

Jonathan Lange wrote:
> On Mon, Oct 19, 2009 at 3:15 PM, Muharem Hrnjadovic
> <muharem@canonical.com> wrote:
>> Jonathan Lange wrote:
>>> On Mon, Oct 19, 2009 at 12:51 PM, Muharem Hrnjadovic
>>> <muharem@canonical.com> wrote:
>>>> Jonathan Lange wrote:
>>>>> Review: Needs Fixing

[..]

Right. This is what the revised can_upload_linked_package() logic now
does.

Please see the enclosed incremental diff for details.

>> Packages? Is this a one-branch-to-many-packages relationship? From
>> looking at the code it looked like a 1-to-1 relationship to me ..
>>
> 
> One branch can belong to at most one package.
> 
> However, a branch can be an official package branch for many
> (sourcepackage, pocket) combinations, even if the branch itself does
> not belong to a source package. This is deliberate.
> 
>> Anyway, after revising the code as suggested I get security exceptions
>> (please see http://pastebin.ubuntu.com/296865/).
>> I guess the ISeriesSourcePackageBranch interface needs to be split into
>> a read-only and an edit portion respectively. As it stands all access
>> to it requires the "launchpad.Edit" permissions.
>>
>>  <class
>>
>> class="lp.code.model.seriessourcepackagebranch.SeriesSourcePackageBranch">
>>    <allow
>> interface="lp.code.interfaces.seriessourcepackagebranch.ISeriesSourcePackageBranch"/>
>>    <require
>>        permission="launchpad.Edit"
>>
>> set_schema="lp.code.interfaces.seriessourcepackagebranch.ISeriesSourcePackageBranch"/>
>>  </class>
>>
> 
> Something's wrong here.
> 
> ISeriesSourcePackageBranch is used to determine the short names of
> package branches (e.g. lp:ubuntu/emacs-snapshot). This works
> anonymously. (bazaar_identity calls
> branch.associatedSuiteSourcePackages() which gets
> IFindOfficialBranchLinks).
> 
>>From the pastebin,
>   ForbiddenAttribute: ('pocket', <storm.store.ResultSet object at 0xb359a90>)
> 
> This means that you cannot get pocket from a ResultSet. This makes
> sense, since result sets are storm objects and don't have pockets.
> 
>   File "/home/mhr/canonical/lp-branches/bedit-347768/lib/canonical/launchpad/security.py",
> line 1616, in can_upload_linked_package
>     if not branch.distroseries.canUploadToPocket(sspb.pocket):
> AttributeError: 'NoneType' object has no attribute 'canUploadToPocket'
> 
> This error is correct, since the condition is checking the wrong
> thing. The question is not, "can we upload to this pocket in the
> distroseries that the branch belongs to" but rather "can we upload to
> this pocket in the distroseries that the branch is official for".
> 
> i.e. sspb.distroseries.canUploadToPocket(sspb.pocket)

I am both relieved (that the error is so easily fixed) and embarrassed
that I made such a blunder :P Thanks for pointing it out!

Best regards

-- 
Muharem Hrnjadovic <muharem@ubuntu.com>
Public key id   : B2BBFCFC
Key fingerprint : A5A3 CC67 2B87 D641 103F  5602 219F 6B60 B2BB FCFC

bedit-347768-inc.diff

« Back to merge proposal

 === modified file 'lib/canonical/launchpad/security.py'
 --- lib/canonical/launchpad/security.py	2009-10-19 10:33:14 +0000
 +++ lib/canonical/launchpad/security.py	2009-10-20 07:51:12 +0000
@@ -84,7 +84,8 @@
  from lp.registry.interfaces.productseries import IProductSeries
  from lp.registry.interfaces.project import IProject, IProjectSet
  from lp.code.interfaces.seriessourcepackagebranch import (
--    ISeriesSourcePackageBranch, IMakeOfficialBranchLinks)
++    IFindOfficialBranchLinks, IMakeOfficialBranchLinks,
++    ISeriesSourcePackageBranch)
  from lp.registry.interfaces.sourcepackage import ISourcePackage
  from lp.soyuz.interfaces.sourcepackagerelease import (
      ISourcePackageRelease)
@@ -1598,48 +1599,47 @@
  def can_upload_linked_package(person, branch):
      """True if person may upload the package linked to `branch`."""
--    def get_current_release():
++
++    def get_current_release(sspb):
          """Get current release for the source package linked to branch."""
--        ds = branch.distroseries
--        package = branch.sourcepackage
--        releases = ds.getCurrentSourceReleases([package.sourcepackagename])
++        package = sspb.sourcepackage
++        releases = sspb.distroseries.getCurrentSourceReleases(
++            [package.sourcepackagename])
          return releases.get(package, None)
--    def get_property_value(obj, property_name):
--        """Get value of requested property or None."""
--        value = None
--        try:
--            value = getattr(obj, property_name)
--        except AttributeError:
--            return None
--        return value
--
--    # Check whether we're dealing with a source package branch and
--    # whether person is authorised to upload the respective source
++    # No associated `SeriesSourcePackageBranch` data -> not an official
++    # branch.  Abort.
++    result_set = getUtility(IFindOfficialBranchLinks).findForBranch(branch)
++    if result_set.count() < 1:
++        return False
++
++    # XXX al-maisan, 2009-10-20: a branch may currently be associated with a
++    # number of (distroseries, sourcepackagename, pocket) combinations.
++    # This does not seem right. But until the database model is fixed we work
++    # around this by assuming that things are fine as long as we find at least
++    # one combination that allows us to upload the corresponding source
      # package.
--    if branch.sourcepackage is None:
--        # No package .. hmm .. this can't be a source package branch
--        # then. Abort.
--        return False
--
--    if branch.distroseries is None:
--        # No distro series? Abort.
--        return False
--
--    current_release = get_current_release()
--
--    # Do we have a pocket and, if yes, can we upload to it?
--    pocket = get_property_value(current_release, 'pocket')
--    if not (pocket is None or branch.distroseries.canUploadToPocket(pocket)):
--        return False
--
--    archive = branch.distroseries.distribution.main_archive
--    component = get_property_value(current_release, 'component')
++
++    # See whether we can upload to any of the distro series/pocket
++    # combinations.
++    sspb = None
++    for sspb in result_set:
++        # Can we upload to the respective pocket?
++        if sspb.distroseries.canUploadToPocket(sspb.pocket):
++            break
++    else:
++        # Loop terminated normally i.e. we could not upload to any of the
++        # (distroseries, pocket) combinations found.
++        return False
++
++    archive = sspb.distroseries.distribution.main_archive
++    # Find the component the linked source package was published in.
++    current_release = get_current_release(sspb)
++    component = getattr(current_release, 'component', None)
      # Is person authorised to upload the source package this branch
      # is targeting?
--    result = verify_upload(
--        person, branch.sourcepackage.sourcepackagename, archive, component)
++    result = verify_upload(person, sspb.sourcepackagename, archive, component)
      # verify_upload() indicates that person *is* allowed to upload by
      # returning None.
      return result is None
 === modified file 'lib/lp/code/tests/test_branch.py'
 --- lib/lp/code/tests/test_branch.py	2009-10-19 10:12:44 +0000
 +++ lib/lp/code/tests/test_branch.py	2009-10-20 07:39:30 +0000
@@ -17,6 +17,8 @@
      BranchSubscriptionDiffSize, BranchSubscriptionNotificationLevel,
      CodeReviewNotificationLevel)
  from lp.code.interfaces.linkedbranch import ICanHasLinkedBranch
++from lp.registry.interfaces.distroseries import DistroSeriesStatus
++from lp.registry.interfaces.pocket import PackagePublishingPocket
  from lp.soyuz.interfaces.archivepermission import IArchivePermissionSet
  from lp.testing import run_with_login, TestCaseWithFactory
@@ -232,7 +234,14 @@
      def makeOfficialPackageBranch(self):
          """Make a branch linked to the pocket of a source package."""
          branch = self.factory.makePackageBranch()
--        pocket = self.factory.getAnyPocket()
++        # Make sure the (distroseries, pocket) combination used allows us to
++        # upload to it.
++        stable_states = (
++            DistroSeriesStatus.SUPPORTED, DistroSeriesStatus.CURRENT)
++        if branch.distroseries.status in stable_states:
++            pocket = PackagePublishingPocket.BACKPORTS
++        else:
++            pocket = PackagePublishingPocket.RELEASE
          sourcepackage = branch.sourcepackage
          suite_sourcepackage = sourcepackage.getSuiteSourcePackage(pocket)
          registrant = self.factory.makePerson()