Launchpad itself

Merge ~ines-almeida/launchpad:prevent-bug-reporter-from-accessing-bug-in-disabled-product into launchpad:master

  1. Git
  2. lp:~ines-almeida/launchpad
  3. prevent-bug-reporter-from-accessing-bug-in-disabled-product
  4. Merge into master
Proposed by Ines Almeida
Status: Merged
Approved by: Ines Almeida
Approved revision: 6ded68ea2ba83fd80d587dd8a95637efefbcef3d
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: ~ines-almeida/launchpad:prevent-bug-reporter-from-accessing-bug-in-disabled-product
Merge into: launchpad:master
Diff against target: 138 lines (+82/-3)
2 files modified
lib/lp/bugs/model/bugtasksearch.py (+27/-3)
lib/lp/registry/tests/test_private_team_visibility.py (+55/-0)
Reviewer Review Type Date Requested Status
Colin Watson (community) Approve
Review via email: mp+440317@code.launchpad.net

Commit message

Exclude bugs from inactive product series in queries

Update query to exclude BugTasks from inactive product series from a user's reported bugs list

LP: #1321055

Description of the change

Update a query and introduced 2 unit tests that verify the change:
 - one that ensures the user can't see the bug they reported on an inactive product (which passed before and after the change)
 - one that ensures the user can't see the bug they reported on an inactive product *series* (which failed before the change)

To post a comment you must log in.
Revision history for this message
Colin Watson (cjwatson) :
review: Needs Information
~ines-almeida/launchpad:prevent-bug-reporter-from-accessing-bug-in-disabled-product updated
2e0e488... by Ines Almeida

Update bug query constructor to ensure non-product bugs are not excluded

Revision history for this message
Ines Almeida (ines-almeida) wrote :

I believe there aren't any tests that particularly test bug visibility for a private bug that is not part of a product/productseries. I'll have a look at adding something to test that.

Regardless, I updated the query since the change makes sense

~ines-almeida/launchpad:prevent-bug-reporter-from-accessing-bug-in-disabled-product updated
6ded68e... by Ines Almeida

Add unit test to check bug visibility

Check that if a bug has no product or product series, bug will still show up in the queries

Revision history for this message
Ines Almeida (ines-almeida) wrote :

Added a unit test that indeed failed without the change mentioned by @cjwatson, and now passes

Revision history for this message
Colin Watson (cjwatson) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/lib/lp/bugs/model/bugtasksearch.py b/lib/lp/bugs/model/bugtasksearch.py
2index 19598bc..b34f433 100644
3--- a/lib/lp/bugs/model/bugtasksearch.py
4+++ b/lib/lp/bugs/model/bugtasksearch.py
5@@ -72,7 +72,7 @@ from lp.registry.model.distribution import Distribution
6 from lp.registry.model.milestone import Milestone
7 from lp.registry.model.milestonetag import MilestoneTag
8 from lp.registry.model.person import Person
9-from lp.registry.model.product import Product, ProductSet
10+from lp.registry.model.product import Product, ProductSeries, ProductSet
11 from lp.registry.model.teammembership import TeamParticipation
12 from lp.services.database.bulk import load
13 from lp.services.database.decoratedresultset import DecoratedResultSet
14@@ -84,6 +84,7 @@ from lp.services.database.sqlbase import (
15 from lp.services.database.stormexpr import (
16 ArrayAgg,
17 ArrayIntersects,
18+ IsTrue,
19 Unnest,
20 WithMaterialized,
21 fti_search,
22@@ -610,14 +611,37 @@ def _build_query(params):
23 and params.distroseries is None
24 ):
25 extra_clauses.append(
26- Or(BugTaskFlat.product == None, Product.active == True)
27+ Or(
28+ And(
29+ BugTaskFlat.product == None,
30+ BugTaskFlat.productseries == None,
31+ ),
32+ IsTrue(Product.active),
33+ )
34 )
35+
36+ join_tables.append(
37+ (
38+ ProductSeries,
39+ LeftJoin(
40+ ProductSeries,
41+ BugTaskFlat.productseries_id == ProductSeries.id,
42+ ),
43+ )
44+ )
45+
46 join_tables.append(
47 (
48 Product,
49 LeftJoin(
50 Product,
51- And(BugTaskFlat.product_id == Product.id, Product.active),
52+ And(
53+ Or(
54+ BugTaskFlat.product_id == Product.id,
55+ ProductSeries.productID == Product.id,
56+ ),
57+ Product.active,
58+ ),
59 ),
60 )
61 )
62diff --git a/lib/lp/registry/tests/test_private_team_visibility.py b/lib/lp/registry/tests/test_private_team_visibility.py
63index 6f68e2f..8a4102f 100644
64--- a/lib/lp/registry/tests/test_private_team_visibility.py
65+++ b/lib/lp/registry/tests/test_private_team_visibility.py
66@@ -24,6 +24,7 @@ from lp.registry.interfaces.teammembership import (
67 ITeamMembershipSet,
68 TeamMembershipStatus,
69 )
70+from lp.services.propertycache import clear_property_cache
71 from lp.services.webapp.authorization import (
72 check_permission,
73 clear_cache,
74@@ -33,6 +34,7 @@ from lp.services.webapp.interaction import ANONYMOUS
75 from lp.services.webapp.servers import LaunchpadTestRequest
76 from lp.testing import (
77 TestCaseWithFactory,
78+ admin_logged_in,
79 login,
80 login_celebrity,
81 login_person,
82@@ -412,3 +414,56 @@ class TestPrivateTeamVisibility(TestCaseWithFactory):
83
84 def test_team_assigned_to_private_bug(self):
85 self._test_team_assigned_to_bug()
86+
87+ def test_user_cant_see_bug_disabled_product(self, product_series=False):
88+ """A user that reports a bug in a private project, can't see the bug
89+ once the project is deactivated
90+ """
91+ private_product = self.factory.makeProduct(
92+ owner=self.priv_team,
93+ information_type=InformationType.PROPRIETARY,
94+ registrant=self.priv_owner,
95+ )
96+ if product_series:
97+ private_series = self.factory.makeProductSeries(
98+ product=private_product
99+ )
100+ # Report a bug within the private product
101+ login_person(self.priv_member)
102+ bug = self.factory.makeBug(
103+ owner=self.priv_member, target=private_product
104+ )
105+
106+ # Change target to the product series
107+ if product_series:
108+ nomination = bug.addNomination(
109+ target=private_series, owner=self.priv_member
110+ )
111+ nomination.approve(self.priv_owner)
112+
113+ # Bug reporter user should be able to see the bug initially
114+ self.assertTrue(bug.userCanView(self.priv_member))
115+
116+ # Remove bug reporter from the team
117+ with admin_logged_in():
118+ private_product.active = False
119+ clear_property_cache(bug)
120+ # Bug reporter user should no longer have access to the bug
121+ self.assertFalse(bug.userCanView(self.priv_member))
122+
123+ def test_user_cant_see_bug_disabled_product_series(self):
124+ """A user that reports a bug in a private project series, can't see
125+ the bug once the series's project is deactivated
126+ """
127+ self.test_user_cant_see_bug_disabled_product(product_series=True)
128+
129+ def test_user_can_see_bug_without_product(self):
130+ """A user that reports a bug withough targetting a product or
131+ productseries, can see the bug
132+ """
133+ # Report a bug within a distribution and set it to private
134+ distribution = self.factory.makeDistribution()
135+ login_person(self.priv_member)
136+ bug = self.factory.makeBug(owner=self.priv_member, target=distribution)
137+ bug.setPrivate(True, self.priv_member)
138+ self.assertTrue(bug.userCanView(self.priv_member))

Subscribers

People subscribed via source and target branches

to status/vote changes: