Launchpad itself

Merge lp:~cjwatson/launchpad/git-grant-limitedview into lp:launchpad

git-grant-limitedview
Merge into devel

Proposed by Colin Watson on 2018-09-25

Status:

Merged

Merged at revision:

18797

Proposed branch:

lp:~cjwatson/launchpad/git-grant-limitedview

Merge into:

lp:launchpad

Prerequisite:

lp:~cjwatson/launchpad/git-permissions-notifications

Diff against target:

122 lines (+57/-3)

4 files modified

lib/lp/code/interfaces/gitcollection.py (+7/-1)
lib/lp/code/model/gitcollection.py (+15/-1)
lib/lp/registry/tests/test_private_team_visibility.py (+28/-1)
lib/lp/security.py (+7/-0)

To merge this branch:

bzr merge lp:~cjwatson/launchpad/git-grant-limitedview

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
William Grant	code	2018-09-25	Approve on 2018-10-12
Review via email: mp+355607@code.launchpad.net

Commit message

Grant LimitedView on teams to people who own Git repositories with grants for them.

Description of the change

This means that we don't get stuck in situations where somebody can't modify the grants on a repository they own (e.g. using the proposed first-pass webservice interface where they need to supply a full replacement permission structure); and in general we want people to be able to see who can write to repositories they own, even if it was configured by another member of the owning team.

Revision history for this message

William Grant (wgrant) on 2018-10-12:

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

 === modified file 'lib/lp/code/interfaces/gitcollection.py'
 --- lib/lp/code/interfaces/gitcollection.py	2016-05-05 07:22:32 +0000
 +++ lib/lp/code/interfaces/gitcollection.py	2018-10-16 11:50:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2015-2016 Canonical Ltd.  This software is licensed under the
++# Copyright 2015-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """A collection of Git repositories.
@@ -116,6 +116,12 @@
              states are returned.
          """
++    def getRuleGrantsForGrantee(grantee):
++        """Return a result set of access grants to the given grantee.
++
++        :param grantee: An `IPerson`.
++        """
++
      def getTeamsWithRepositories(person):
          """Return the teams that person is a member of that have
          repositories."""
 === modified file 'lib/lp/code/model/gitcollection.py'
 --- lib/lp/code/model/gitcollection.py	2016-10-12 23:24:24 +0000
 +++ lib/lp/code/model/gitcollection.py	2018-10-16 11:50:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2015-2016 Canonical Ltd.  This software is licensed under the
++# Copyright 2015-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Implementations of `IGitCollection`."""
@@ -49,6 +49,7 @@
      get_git_repository_privacy_filter,
      GitRepository,
+     )
++from lp.code.model.gitrule import GitRuleGrant
  from lp.code.model.gitsubscription import GitSubscription
  from lp.registry.enums import EXCLUSIVE_TEAM_POLICY
  from lp.registry.model.distribution import Distribution
@@ -408,6 +409,19 @@
          proposals.order_by(Desc(CodeReviewComment.vote))
          return proposals
++    def getRuleGrantsForGrantee(self, grantee):
++        """See `IGitCollection`."""
++        expressions = [
++            GitRuleGrant.grantee == grantee,
++            GitRuleGrant.repository_id.is_in(self._getRepositorySelect()),
++            ]
++        visibility = self._getRepositoryVisibilityExpression()
++        if visibility:
++            expressions.append(
++                GitRuleGrant.repository_id.is_in(
++                    Select(GitRepository.id, visibility)))
++        return self.store.find(GitRuleGrant, *expressions)
++
      def getTeamsWithRepositories(self, person):
          """See `IGitCollection`."""
          # This method doesn't entirely fit with the intent of the
 === modified file 'lib/lp/registry/tests/test_private_team_visibility.py'
 --- lib/lp/registry/tests/test_private_team_visibility.py	2016-01-26 15:47:37 +0000
 +++ lib/lp/registry/tests/test_private_team_visibility.py	2018-10-16 11:50:42 +0000
@@ -1,4 +1,4 @@
--# Copyright 2011-2012 Canonical Ltd.  This software is licensed under the
++# Copyright 2011-2018 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Tests for visibility of private teams.
@@ -275,6 +275,33 @@
      def test_teams_with_private_branch_review_requests(self, private=True):
          self._test_teams_with_branch_review_requests()
++    def _test_git_repository_grantee(self, private):
++        # Users who own Git repositories can see private teams that have
++        # been granted some kind of write access to those repositories.
++        some_person = self.factory.makePerson()
++        self._check_permission(some_person, False)
++        login_person(some_person)
++        project = self.factory.makeProduct()
++        if private:
++            information_type = InformationType.USERDATA
++        else:
++            information_type = InformationType.PUBLIC
++        repository = self.factory.makeGitRepository(
++            owner=some_person, target=project,
++            information_type=information_type)
++        self.factory.makeGitRuleGrant(
++            repository=repository, grantee=self.priv_team)
++        # The team is now visible to the repository owner.
++        self._check_permission(some_person, True)
++        # The team is still invisible to other users.
++        self._check_permission(self.factory.makePerson(), False)
++
++    def test_public_git_repository_grantee(self):
++        self._test_git_repository_grantee(private=False)
++
++    def test_private_git_repository_grantee(self):
++        self._test_git_repository_grantee(private=True)
++
      def test_private_ppa_subscriber(self):
          # Subscribers to the team's private PPA have limited view permission.
          login_person(self.priv_owner)
 === modified file 'lib/lp/security.py'
 --- lib/lp/security.py	2018-10-15 14:44:25 +0000
 +++ lib/lp/security.py	2018-10-16 11:50:42 +0000
@@ -1054,6 +1054,13 @@
              if not team_repositories.visibleByUser(user.person).is_empty():
                  return True
++            # Grant visibility to people who own Git repositories that grant
++            # some kind of write access to the private team.
++            owned_repositories = IGitCollection(user.person)
++            grants = owned_repositories.getRuleGrantsForGrantee(self.obj)
++            if not grants.is_empty():
++                return True
++
              # Grant visibility to users in a team that has the private team as
              # a member, so that they can see the team properly in member
              # listings.