Merge lp:~jml/launchpad/validate-ppa-owner into lp:launchpad
Status: | Merged
---|---
Approved by: | Curtis Hovey
Approved revision: | no longer in the source branch.
Merged at revision: | 15390
Proposed branch: | lp:~jml/launchpad/validate-ppa-owner
Merge into: | lp:launchpad
Prerequisite: | lp:~jml/launchpad/validate-ppa-function
Diff against target: | 345 lines (+84/-56), 10 files modified
To merge this branch: | bzr merge lp:~jml/launchpad/validate-ppa-owner

Files modified:
- lib/lp/_schema_circular_imports.py (+2/-1)
- lib/lp/code/browser/tests/test_sourcepackagerecipe.py (+6/-1)
- lib/lp/registry/browser/tests/test_team.py (+2/-1)
- lib/lp/registry/interfaces/person.py (+28/-27)
- lib/lp/registry/model/person.py (+0/-5)
- lib/lp/registry/tests/test_team.py (+2/-1)
- lib/lp/soyuz/browser/archive.py (+1/-0)
- lib/lp/soyuz/model/archive.py (+16/-8)
- lib/lp/soyuz/tests/test_archive.py (+14/-9)
- lib/lp/soyuz/tests/test_person_createppa.py (+13/-3)

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Curtis Hovey (community) | code | | Approve
Launchpad code reviewers | | | Pending

Review via email: mp+109529@code.launchpad.net
Commit message
Restrict IPerson.createPPA to those with launchpad.Edit permissions.
Description of the change
I noticed that createPPA can be called by anyone on anyone, since it's only got ViewRestricted permissions. I don't think this is a major vulnerability, since it doesn't grant upload permissions to that created PPA. Thus, I'm submitting this in the clear. I hope that's OK.
This branch changes createPPA to be on IPersonEditRest
Curtis was concerned that this might break behaviour for key users: CA, OEM, OpenStack. He suggested that we do an audit first. However, this was when we believed that only team members could create PPAs via API, rather than the more restrictive web UI, which only allows team admins. Now that our understanding has changed, I think this patch should be landed now.
It also changes the web UI code to also use createPPA. This leaves Launchpad with one consistent way to create PPAs, which certainly makes it easier for *me* to understand.
This adds 24 lines to the code base, including the one added by the dependent branch. I'm fairly sure that the CA PPA arc is in credit. Will get exact numbers soon.
Thanks, jml. You discovered and fixed a disclosure feature mistake (and we might think of the LOC point to also be in the disclosure domain). This is good to land.
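
The permission change discussed in this proposal, modelled as an added example that is not Launchpad code and not part of the original thread: a proxy enforces the permission declared for each method, and moving `createPPA` from a view-level declaration to `launchpad.Edit` is what stops arbitrary callers. The `Person`, `SecuredPerson`, `holds` and `can_create_ppa` names, the `VIEW_LEVEL` label and the rule for who holds `launchpad.Edit` (the person themself or a team admin) are assumptions made for the illustration.

```python
# Added illustration, not Launchpad code. Only createPPA and launchpad.Edit
# come from the merge proposal; every other name here is hypothetical.

class Unauthorized(Exception):
    pass

class Person:
    def __init__(self, name, admins=()):
        self.name = name
        self.admins = set(admins)  # for a team: names of its admins
        self.ppas = []

    def createPPA(self, ppa_name):
        self.ppas.append(ppa_name)
        return f"ppa:{self.name}/{ppa_name}"

def holds(permission, user, target):
    # Assumed policy: any logged-in user passes the view-level check;
    # launchpad.Edit is held only by the person themself or a team admin.
    if user is None:
        return False
    if permission == "VIEW_LEVEL":  # placeholder label, not a real permission name
        return True
    if permission == "launchpad.Edit":
        return user.name == target.name or user.name in target.admins
    return False

class SecuredPerson:
    """Proxy that enforces the permission declared for each attribute."""
    def __init__(self, target, user, declarations):
        self._target, self._user, self._decl = target, user, declarations

    def __getattr__(self, attr):
        required = self._decl.get(attr)
        # Undeclared attributes are denied by default.
        if required is None or not holds(required, self._user, self._target):
            raise Unauthorized(f"{attr} requires {required}")
        return getattr(self._target, attr)

BEFORE = {"createPPA": "VIEW_LEVEL"}     # declaration as described before the change
AFTER = {"createPPA": "launchpad.Edit"}  # declaration after the change

def can_create_ppa(declarations, caller, owner):
    try:
        SecuredPerson(owner, caller, declarations).createPPA("test")
        return True
    except Unauthorized:
        return False
```

A regression test for this kind of fix should cover the negative cases (unrelated user, anonymous caller) as well as the owner and team-admin paths that must keep working.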