Merge lp:~jcsackett/launchpad/404-not-403-for-private-blueprints into lp:launchpad
Status: | Merged |
---|---|
Approved by: | Francesco Banconi |
Approved revision: | no longer in the source branch. |
Merged at revision: | 16318 |
Proposed branch: | lp:~jcsackett/launchpad/404-not-403-for-private-blueprints |
Merge into: | lp:launchpad |
Diff against target: | 40 lines (+18/-1), 2 files modified: lib/lp/blueprints/browser/tests/test_specification.py (+14/-0), lib/lp/registry/browser/product.py (+4/-1) |
To merge this branch: | bzr merge lp:~jcsackett/launchpad/404-not-403-for-private-blueprints |
Related bugs: | |
Related blueprints: | |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Francesco Banconi (community) | Approve | ||
Review via email: mp+136442@code.launchpad.net |
Commit message
Checks permissions on specs before returning them in traversal so private specs can 404 instead of 403.
Description of the change
Summary
=======
Private specifications right now return 403 when someone without permissions
tries to access them. Per our usual rules, they should 404 to not leak the
fact of their existence.
Bugs, branches, and other private artifacts cause a 404 by checking for
permissions on the view context before returning it and returning None to
traversal if the user doesn't have the required permissions. Specs should use
the same mechanism.
Preimp
======
Spoke with Rick Harding about earlier decisions around necessary permissions
on blueprints.
Implementation
==============
In the stepthrough traversal for +spec on products, check for LimitedView on
the spec. If the permission is not available, return None.
Tests
=====
bin/test -vvct test_private_
QA
==
Attempt, without the permissions to do so, to view a proprietary blueprint on
a public product that allows proprietary blueprints. It should 404.
LoC
===
Part of private projects.
Lint
====
Checking for conflicts and issues in changed files.
Linting changed files:
lib/lp/
lib/lp/
This branch looks good and the tests pass, thank you.
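The traversal check described under "Implementation", as an added Python sketch that is not Launchpad's code or part of this merge proposal. `Spec`, `has_limited_view`, `traverse_before`, `traverse_after`, `publish`, `leaks_existence` and the sample data are hypothetical stand-ins; `publish` models a publisher that turns a `None` traversal result into 404 and a denied context into 403.

```python
from dataclasses import dataclass, field

@dataclass
class Spec:
    name: str
    private: bool = False
    viewers: set = field(default_factory=set)  # users holding LimitedView

# Constructed sample data: one public and one proprietary blueprint.
SPECS = {
    "public-plan": Spec("public-plan"),
    "secret-plan": Spec("secret-plan", private=True, viewers={"alice"}),
}

def has_limited_view(user, spec):
    """Hypothetical stand-in for the LimitedView permission check."""
    return not spec.private or user in spec.viewers

def traverse_before(user, name):
    """Pre-fix behaviour: return whatever exists, check permission later."""
    return SPECS.get(name)

def traverse_after(user, name):
    """Behaviour the description asks for: no LimitedView means None."""
    spec = SPECS.get(name)
    if spec is None or not has_limited_view(user, spec):
        return None
    return spec

def publish(traverse, user, name):
    """Toy publisher: None from traversal is 404, denied context is 403."""
    context = traverse(user, name)
    if context is None:
        return 404
    if not has_limited_view(user, context):
        return 403
    return 200

def leaks_existence(traverse, user, private_name, missing_name):
    """True when a private spec and a missing one get different statuses."""
    return publish(traverse, user, private_name) != publish(traverse, user, missing_name)

if __name__ == "__main__":
    for traverse in (traverse_before, traverse_after):
        print(traverse.__name__,
              publish(traverse, "mallory", "secret-plan"),
              publish(traverse, "mallory", "no-such-plan"),
              leaks_existence(traverse, "mallory", "secret-plan", "no-such-plan"))
```

The `leaks_existence` comparison is the property worth keeping as a regression test: for a user without access, a private blueprint and a nonexistent one must produce the same status.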