Launchpad itself

Merge lp:~jcsackett/launchpad/404-not-403-for-private-blueprints into lp:launchpad

  1. 404-not-403-for-private-blueprints
  2. Merge into devel
Proposed by j.c.sackett
Status: Merged
Approved by: Francesco Banconi
Approved revision: no longer in the source branch.
Merged at revision: 16318
Proposed branch: lp:~jcsackett/launchpad/404-not-403-for-private-blueprints
Merge into: lp:launchpad
Diff against target: 40 lines (+18/-1)
2 files modified
lib/lp/blueprints/browser/tests/test_specification.py (+14/-0)
lib/lp/registry/browser/product.py (+4/-1)
To merge this branch: bzr merge lp:~jcsackett/launchpad/404-not-403-for-private-blueprints
Reviewer Review Type Date Requested Status
Francesco Banconi (community) Approve
Review via email: mp+136442@code.launchpad.net

Commit message

Checks permissions on specs before returning them in traversal so private specs can 404 instead of 403.

Description of the change

Summary
=======
Private specifications right now return 403 when someone without permissions
tries to access them. Per our usual rules, they should 404 to not leak the
fact of their existence.

Bugs, branches, and other private artifacts cause a 404 by checking for
permissions on the view context before returning it and returning None to
traversal if the user doesn't have the required permissions. Specs should use
the same mechanism.

Preimp
======
Spoke with Rick Harding about earlier decisions around necessary permissions
on blueprints.

Implementation
==============
In the stepthrough traversal for +spec on products, check for LimitedView on
the spec. If the permission is not available, return None.

Tests
=====
bin/test -vvct test_private_specification_without_authorization

QA
==
Attempt, without the permissions to do so, to view a proprietary blueprint on
a public product that allows proprietary blueprints. It should 404.

LoC
===
Part of private projects.

Lint
====

Checking for conflicts and issues in changed files.

Linting changed files:
  lib/lp/registry/browser/product.py
  lib/lp/blueprints/browser/tests/test_specification.py

To post a comment you must log in.
Revision history for this message
Francesco Banconi (frankban) wrote :

This branch looks good and the tests pass, thank you.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/blueprints/browser/tests/test_specification.py'
2--- lib/lp/blueprints/browser/tests/test_specification.py 2012-11-26 13:48:45 +0000
3+++ lib/lp/blueprints/browser/tests/test_specification.py 2012-11-27 15:18:25 +0000
4@@ -184,6 +184,20 @@
5 extract_text(html), DocTestMatches(
6 "... Registered by Some Person ... ago ..."))
7
8+ def test_private_specification_without_authorization(self):
9+ # Users without access get a 404 when trying to view private
10+ # specifications.
11+ owner = self.factory.makePerson()
12+ policy = SpecificationSharingPolicy.PROPRIETARY
13+ product = self.factory.makeProduct(owner=owner,
14+ specification_sharing_policy=policy)
15+ with person_logged_in(owner):
16+ spec = self.factory.makeSpecification(
17+ product=product, owner=owner,
18+ information_type=InformationType.PROPRIETARY)
19+ url = canonical_url(spec)
20+ self.assertRaises(NotFound, self.getUserBrowser, url=url, user=None)
21+
22 def test_view_for_subscriber_with_artifact_grant(self):
23 # Users with an artifact grant for a specification related to a
24 # private product can view the specification page.
25
26=== modified file 'lib/lp/registry/browser/product.py'
27--- lib/lp/registry/browser/product.py 2012-11-23 21:06:56 +0000
28+++ lib/lp/registry/browser/product.py 2012-11-27 15:18:25 +0000
29@@ -229,7 +229,10 @@
30
31 @stepthrough('+spec')
32 def traverse_spec(self, name):
33- return self.context.getSpecification(name)
34+ spec = self.context.getSpecification(name)
35+ if not check_permission('launchpad.LimitedView', spec):
36+ return None
37+ return spec
38
39 @stepthrough('+milestone')
40 def traverse_milestone(self, name):