Merge ~cjwatson/launchpad:person-id-permissions-again into launchpad:master
| Status: | Merged |
|---|---|
| Approved by: | Colin Watson |
| Approved revision: | 20272627fefca0301d2866d6c7159fe8bebd1b46 |
| Merge reported by: | Otto Co-Pilot |
| Merged at revision: | not available |
| Proposed branch: | ~cjwatson/launchpad:person-id-permissions-again |
| Merge into: | launchpad:master |
| Diff against target: | 166 lines (+59/-39), 4 files modified: lib/lp/registry/browser/tests/test_person_webservice.py (+16/-2); lib/lp/registry/interfaces/person.py (+20/-17); lib/lp/registry/model/person.py (+22/-1); lib/lp/registry/security.py (+1/-19) |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Guruprasad | Approve | | |

Review via email: mp+452312@code.launchpad.net
Commit message
Allow reading Person.id using read-only API tokens
Description of the change
See https:/
This partially reverts commit 0dd8a14be7715da
Quoting my most recent comment from the ticket:
```
I see the problem: this is due to using credentials that are set to only
allow reading private data, not changing private data. To be clear,
this is completely reasonable - by principles of least privilege, we
don't want the bot to have edit access to anything. However, I'd put
the exported "id" attribute under the launchpad.Moderate permission on
Person, and that doesn't work because launchpad.Moderate is defined like
this:
<permission
id=
The access_
write permission can do anything with attributes that require that
permission, so that won't work.
```
LGTM 👍