Launchpad itself

lib/lp/registry/browser/pillar.py (+1/-1)
lib/lp/registry/interfaces/accesspolicy.py (+1/-0)
lib/lp/registry/interfaces/sharingservice.py (+19/-6)
lib/lp/registry/model/accesspolicy.py (+16/-8)
lib/lp/registry/services/sharingservice.py (+42/-13)
lib/lp/registry/services/tests/test_sharingservice.py (+1/-1)
lib/lp/snappy/interfaces/snap.py (+9/-0)
lib/lp/snappy/model/snap.py (+82/-27)
lib/lp/snappy/tests/test_snap.py (+34/-0)

High

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Colin Watson (community)		2021-02-08	Approve on 2021-03-02
Review via email: mp+397692@code.launchpad.net

Commit message

Adding Snap as an artifact for sharing services

Description of the change

Depends on https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/397459

Revision history for this message

Colin Watson (cjwatson) on 2021-02-19:

review: Approve

Revision history for this message

Thiago F. Pappacena (pappacena) wrote on 2021-02-22:

Pushed the requested changes.

Revision history for this message

Colin Watson (cjwatson) on 2021-03-02:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Christina A Reitbauer

Cristian Gonzalez

Edson_g2020_ubuntuone Gomes

Jordan

Kevin bush

Launchpad code reviewers

Maximiliano Bertacchini

Thiago F. Pappacena

noômen

to status/vote changes:

asimbol83

 diff --git a/lib/lp/registry/browser/pillar.py b/lib/lp/registry/browser/pillar.py
 index dd83648..52b1554 100644
 --- a/lib/lp/registry/browser/pillar.py
 +++ b/lib/lp/registry/browser/pillar.py
@@ -439,7 +439,7 @@ class PillarPersonSharingView(LaunchpadView):
      def _loadSharedArtifacts(self):
          # As a concrete can by linked via more than one policy, we use sets to
          # filter out dupes.
--        (self.bugtasks, self.branches, self.gitrepositories,
++        (self.bugtasks, self.branches, self.gitrepositories, self.snaps,
           self.specifications) = (
              self.sharing_service.getSharedArtifacts(
                  self.pillar, self.person, self.user))
 diff --git a/lib/lp/registry/interfaces/accesspolicy.py b/lib/lp/registry/interfaces/accesspolicy.py
 index 2c454a7..0e2c8c8 100644
 --- a/lib/lp/registry/interfaces/accesspolicy.py
 +++ b/lib/lp/registry/interfaces/accesspolicy.py
@@ -36,6 +36,7 @@ class IAccessArtifact(Interface):
      bug_id = Attribute("bug_id")
      branch_id = Attribute("branch_id")
      gitrepository_id = Attribute("gitrepository_id")
++    snap_id = Attribute("snap_id")
      specification_id = Attribute("specification_id")
 diff --git a/lib/lp/registry/interfaces/sharingservice.py b/lib/lp/registry/interfaces/sharingservice.py
 index 386fef4..f6c39fb 100644
 --- a/lib/lp/registry/interfaces/sharingservice.py
 +++ b/lib/lp/registry/interfaces/sharingservice.py
@@ -1,4 +1,4 @@
--# Copyright 2012-2015 Canonical Ltd.  This software is licensed under the
++# Copyright 2012-2021 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Interfaces for sharing service."""
@@ -45,7 +45,7 @@ from lp.registry.interfaces.distribution import IDistribution
  from lp.registry.interfaces.person import IPerson
  from lp.registry.interfaces.pillar import IPillar
  from lp.registry.interfaces.product import IProduct
--
++from lp.snappy.interfaces.snap import ISnap
  # XXX 2012-02-24 wallyworld bug 939910
  # Need to export for version 'beta' even though we only want to use it in
@@ -177,7 +177,8 @@ class ISharingService(IService):
          """
      def getVisibleArtifacts(person, bugs=None, branches=None,
--                            gitrepositories=None, specifications=None):
++                            gitrepositories=None, snaps=None,
++                            specifications=None):
          """Return the artifacts shared with person.
          Given lists of artifacts, return those a person has access to either
@@ -188,6 +189,7 @@ class ISharingService(IService):
          :param branches: the branches to check for which a person has access.
          :param gitrepositories: the Git repositories to check for which a
              person has access.
++        :param snaps: the snap recipes to check for which a person has access.
          :param specifications: the specifications to check for which a
              person has access.
          :return: a collection of artifacts the person can see.
@@ -328,12 +330,16 @@ class ISharingService(IService):
          gitrepositories=List(
              Reference(schema=IGitRepository),
              title=_('Git repositories'), required=False),
++        snaps=List(
++            Reference(schema=ISnap),
++            title=_('Snap recipes'), required=False),
          specifications=List(
              Reference(schema=ISpecification), title=_('Specifications'),
              required=False))
      @operation_for_version('devel')
      def revokeAccessGrants(pillar, grantee, user, bugs=None, branches=None,
--                           gitrepositories=None, specifications=None):
++                           gitrepositories=None, snaps=None,
++                           specifications=None):
          """Remove a grantee's access to the specified artifacts.
          :param pillar: the pillar from which to remove access
@@ -342,6 +348,7 @@ class ISharingService(IService):
          :param bugs: the bugs for which to revoke access
          :param branches: the branches for which to revoke access
          :param gitrepositories: the Git repositories for which to revoke access
++        :param snaps: The snap recipes for which to revoke access
          :param specifications: the specifications for which to revoke access
          """
@@ -357,10 +364,15 @@ class ISharingService(IService):
              Reference(schema=IBranch), title=_('Branches'), required=False),
          gitrepositories=List(
              Reference(schema=IGitRepository),
--            title=_('Git repositories'), required=False))
++            title=_('Git repositories'), required=False),
++        snaps=List(
++            Reference(schema=ISnap),
++            title=_('Snap recipes'), required=False)
++    )
      @operation_for_version('devel')
      def ensureAccessGrants(grantees, user, bugs=None, branches=None,
--                           gitrepositories=None, specifications=None):
++                           gitrepositories=None, snaps=None,
++                           specifications=None):
          """Ensure a grantee has an access grant to the specified artifacts.
          :param grantees: the people or teams for whom to grant access
@@ -368,6 +380,7 @@ class ISharingService(IService):
          :param bugs: the bugs for which to grant access
          :param branches: the branches for which to grant access
          :param gitrepositories: the Git repositories for which to grant access
++        :param snaps: the snap recipes for which to grant access
          :param specifications: the specifications for which to grant access
          """
 diff --git a/lib/lp/registry/model/accesspolicy.py b/lib/lp/registry/model/accesspolicy.py
 index 2e8fddf..7bb5e9f 100644
 --- a/lib/lp/registry/model/accesspolicy.py
 +++ b/lib/lp/registry/model/accesspolicy.py
@@ -1,4 +1,4 @@
--# Copyright 2011-2015 Canonical Ltd.  This software is licensed under the
++# Copyright 2011-2021 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Model classes for pillar and artifact access policies."""
@@ -98,6 +98,8 @@ class AccessArtifact(StormBase):
      branch = Reference(branch_id, 'Branch.id')
      gitrepository_id = Int(name='gitrepository')
      gitrepository = Reference(gitrepository_id, 'GitRepository.id')
++    snap_id = Int(name="snap")
++    snap = Reference(snap_id, 'Snap.id')
      specification_id = Int(name='specification')
      specification = Reference(specification_id, 'Specification.id')
@@ -114,12 +116,15 @@ class AccessArtifact(StormBase):
          from lp.bugs.interfaces.bug import IBug
          from lp.code.interfaces.branch import IBranch
          from lp.code.interfaces.gitrepository import IGitRepository
++        from lp.snappy.interfaces.snap import ISnap
          if IBug.providedBy(concrete_artifact):
              col = cls.bug
          elif IBranch.providedBy(concrete_artifact):
              col = cls.branch
          elif IGitRepository.providedBy(concrete_artifact):
              col = cls.gitrepository
++        elif ISnap.providedBy(concrete_artifact):
++            col = cls.snap
          elif ISpecification.providedBy(concrete_artifact):
              col = cls.specification
          else:
@@ -143,6 +148,7 @@ class AccessArtifact(StormBase):
          from lp.bugs.interfaces.bug import IBug
          from lp.code.interfaces.branch import IBranch
          from lp.code.interfaces.gitrepository import IGitRepository
++        from lp.snappy.interfaces.snap import ISnap
          existing = list(cls.find(concrete_artifacts))
          if len(existing) == len(concrete_artifacts):
@@ -156,18 +162,20 @@ class AccessArtifact(StormBase):
          insert_values = []
          for concrete in needed:
              if IBug.providedBy(concrete):
--                insert_values.append((concrete, None, None, None))
++                insert_values.append((concrete, None, None, None, None))
              elif IBranch.providedBy(concrete):
--                insert_values.append((None, concrete, None, None))
++                insert_values.append((None, concrete, None, None, None))
              elif IGitRepository.providedBy(concrete):
--                insert_values.append((None, None, concrete, None))
++                insert_values.append((None, None, concrete, None, None))
++            elif ISnap.providedBy(concrete):
++                insert_values.append((None, None, None, concrete, None))
              elif ISpecification.providedBy(concrete):
--                insert_values.append((None, None, None, concrete))
++                insert_values.append((None, None, None, None, concrete))
              else:
                  raise ValueError("%r is not a supported artifact" % concrete)
--        new = create(
--            (cls.bug, cls.branch, cls.gitrepository, cls.specification),
--            insert_values, get_objects=True)
++        columns = (cls.bug, cls.branch, cls.gitrepository, cls.snap,
++                   cls.specification)
++        new = create(columns, insert_values, get_objects=True)
          return list(existing) + new
      @classmethod
 diff --git a/lib/lp/registry/services/sharingservice.py b/lib/lp/registry/services/sharingservice.py
 index 09744ee..01e90da 100644
 --- a/lib/lp/registry/services/sharingservice.py
 +++ b/lib/lp/registry/services/sharingservice.py
@@ -1,4 +1,4 @@
--# Copyright 2012-2015 Canonical Ltd.  This software is licensed under the
++# Copyright 2012-2021 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
  """Classes for pillar and artifact sharing service."""
@@ -81,6 +81,10 @@ from lp.services.webapp.authorization import (
      available_with_permission,
      check_permission,
+     )
++from lp.snappy.interfaces.snap import (
++    ISnap,
++    ISnapSet,
++    )
  @implementer(ISharingService)
@@ -197,11 +201,12 @@ class SharingService:
      @available_with_permission('launchpad.Driver', 'pillar')
      def getSharedArtifacts(self, pillar, person, user, include_bugs=True,
                             include_branches=True, include_gitrepositories=True,
--                           include_specifications=True):
++                           include_snaps=True, include_specifications=True):
          """See `ISharingService`."""
          bug_ids = set()
          branch_ids = set()
          gitrepository_ids = set()
++        snap_ids = set()
          specification_ids = set()
          for artifact in self.getArtifactGrantsForPersonOnPillar(
              pillar, person):
@@ -211,6 +216,8 @@ class SharingService:
                  branch_ids.add(artifact.branch_id)
              elif artifact.gitrepository_id and include_gitrepositories:
                  gitrepository_ids.add(artifact.gitrepository_id)
++            elif artifact.snap_id and include_snaps:
++                snap_ids.add(artifact.snap_id)
              elif artifact.specification_id and include_specifications:
                  specification_ids.add(artifact.specification_id)
@@ -234,16 +241,20 @@ class SharingService:
              wanted_gitrepositories = all_gitrepositories.visibleByUser(
                  user).withIds(*gitrepository_ids)
              gitrepositories = list(wanted_gitrepositories.getRepositories())
++        snaps = []
++        if snap_ids:
++            all_snaps = getUtility(ISnapSet)
++            snaps = all_snaps.findByIds(snap_ids)
          specifications = []
          if specification_ids:
              specifications = load(Specification, specification_ids)
--        return bugtasks, branches, gitrepositories, specifications
++        return bugtasks, branches, gitrepositories, snaps, specifications
      @available_with_permission('launchpad.Driver', 'pillar')
      def getSharedBugs(self, pillar, person, user):
          """See `ISharingService`."""
--        bugtasks, _, _, _ = self.getSharedArtifacts(
++        bugtasks, _, _, _, _ = self.getSharedArtifacts(
              pillar, person, user, include_branches=False,
              include_gitrepositories=False, include_specifications=False)
          return bugtasks
@@ -251,7 +262,7 @@ class SharingService:
      @available_with_permission('launchpad.Driver', 'pillar')
      def getSharedBranches(self, pillar, person, user):
          """See `ISharingService`."""
--        _, branches, _, _ = self.getSharedArtifacts(
++        _, branches, _, _, _ = self.getSharedArtifacts(
              pillar, person, user, include_bugs=False,
              include_gitrepositories=False, include_specifications=False)
          return branches
@@ -259,15 +270,23 @@ class SharingService:
      @available_with_permission('launchpad.Driver', 'pillar')
      def getSharedGitRepositories(self, pillar, person, user):
          """See `ISharingService`."""
--        _, _, gitrepositories, _ = self.getSharedArtifacts(
++        _, _, gitrepositories, _, _ = self.getSharedArtifacts(
              pillar, person, user, include_bugs=False, include_branches=False,
              include_specifications=False)
          return gitrepositories
      @available_with_permission('launchpad.Driver', 'pillar')
++    def getSharedSnaps(self, pillar, person, user):
++        """See `ISharingService`."""
++        _, _, _, snaps, _ = self.getSharedArtifacts(
++            pillar, person, user, include_bugs=False, include_branches=False,
++            include_gitrepositories=False)
++        return snaps
++
++    @available_with_permission('launchpad.Driver', 'pillar')
      def getSharedSpecifications(self, pillar, person, user):
          """See `ISharingService`."""
--        _, _, _, specifications = self.getSharedArtifacts(
++        _, _, _, _, specifications = self.getSharedArtifacts(
              pillar, person, user, include_bugs=False, include_branches=False,
              include_gitrepositories=False)
          return specifications
@@ -307,8 +326,8 @@ class SharingService:
              In(Specification.id, spec_ids)))
      def getVisibleArtifacts(self, person, bugs=None, branches=None,
--                            gitrepositories=None, specifications=None,
--                            ignore_permissions=False):
++                            gitrepositories=None, snaps=None,
++                            specifications=None, ignore_permissions=False):
          """See `ISharingService`."""
          bug_ids = []
          branch_ids = []
@@ -752,11 +771,11 @@ class SharingService:
      @available_with_permission('launchpad.Edit', 'pillar')
      def revokeAccessGrants(self, pillar, grantee, user, bugs=None,
--                           branches=None, gitrepositories=None,
++                           branches=None, gitrepositories=None, snaps=None,
                             specifications=None):
          """See `ISharingService`."""
--        if (not bugs and not branches and not gitrepositories and
++        if (not bugs and not branches and not gitrepositories and not snaps and
              not specifications):
              raise ValueError(
                  "Either bugs, branches, gitrepositories, or specifications "
@@ -769,6 +788,8 @@ class SharingService:
              artifacts.extend(branches)
          if gitrepositories:
              artifacts.extend(gitrepositories)
++        if snaps:
++            artifacts.extend(snaps)
          if specifications:
              artifacts.extend(specifications)
          # Find the access artifacts associated with the bugs, branches, Git
@@ -779,14 +800,20 @@ class SharingService:
          getUtility(IAccessArtifactGrantSource).revokeByArtifact(
              artifacts_to_delete, [grantee])
++        # XXX: Pappacena 2021-02-05: snaps should not trigger this job,
++        # since we do not have a "SnapSubscription" yet.
++        artifacts = [i for i in artifacts if not ISnap.providedBy(i)]
++        if not artifacts:
++            return
++
          # Create a job to remove subscriptions for artifacts the grantee can no
          # longer see.
          return getUtility(IRemoveArtifactSubscriptionsJobSource).create(
              user, artifacts, grantee=grantee, pillar=pillar)
      def ensureAccessGrants(self, grantees, user, bugs=None, branches=None,
--                           gitrepositories=None, specifications=None,
--                           ignore_permissions=False):
++                           gitrepositories=None, snaps=None,
++                           specifications=None, ignore_permissions=False):
          """See `ISharingService`."""
          artifacts = []
@@ -796,6 +823,8 @@ class SharingService:
              artifacts.extend(branches)
          if gitrepositories:
              artifacts.extend(gitrepositories)
++        if snaps:
++            artifacts.extend(snaps)
          if specifications:
              artifacts.extend(specifications)
          if not ignore_permissions:
 diff --git a/lib/lp/registry/services/tests/test_sharingservice.py b/lib/lp/registry/services/tests/test_sharingservice.py
 index 50ce8c6..9d0e07c 100644
 --- a/lib/lp/registry/services/tests/test_sharingservice.py
 +++ b/lib/lp/registry/services/tests/test_sharingservice.py
@@ -1459,7 +1459,7 @@ class TestSharingService(TestCaseWithFactory):
          # Check the results.
          (shared_bugtasks, shared_branches, shared_gitrepositories,
--         shared_specs) = (
++         shared_snaps, shared_specs) = (
              self.service.getSharedArtifacts(product, grantee, user))
          self.assertContentEqual(bug_tasks[:9], shared_bugtasks)
          self.assertContentEqual(branches[:9], shared_branches)
 diff --git a/lib/lp/snappy/interfaces/snap.py b/lib/lp/snappy/interfaces/snap.py
 index 8ac5838..df95533 100644
 --- a/lib/lp/snappy/interfaces/snap.py
 +++ b/lib/lp/snappy/interfaces/snap.py
@@ -874,6 +874,12 @@ class ISnapAdminAttributes(Interface):
              "Allow access to external network resources via a proxy.  "
              "Resources hosted on Launchpad itself are always allowed.")))
++    def subscribe(person, subscribed_by):
++        """Subscribe a person to this snap recipe."""
++
++    def unsubscribe(person, unsubscribed_by):
++        """Unsubscribe a person to this snap recipe."""
++
  # XXX cjwatson 2015-07-17 bug=760849: "beta" is a lie to get WADL
  # generation working.  Individual attributes must set their version to
@@ -919,6 +925,9 @@ class ISnapSet(Interface):
      def getSnapSuggestedPrivacy(owner, branch=None, git_ref=None):
          """Which privacy a Snap should have based on its creation params."""
++    def findByIds(snap_ids):
++        """Return all snap packages with the given ids."""
++
      def isValidInformationType(
              information_type, owner, branch=None, git_ref=None):
          """Whether or not the information type context is valid."""
 diff --git a/lib/lp/snappy/model/snap.py b/lib/lp/snappy/model/snap.py
 index b66bb75..2d06276 100644
 --- a/lib/lp/snappy/model/snap.py
 +++ b/lib/lp/snappy/model/snap.py
@@ -24,7 +24,9 @@ import six
  from six.moves.urllib.parse import urlsplit
  from storm.expr import (
      And,
++    Coalesce,
      Desc,
++    Join,
      LeftJoin,
      Not,
      Or,
@@ -67,6 +69,7 @@ from lp.app.enums import (
+     )
  from lp.app.errors import IncompatibleArguments
  from lp.app.interfaces.security import IAuthorization
++from lp.app.interfaces.services import IService
  from lp.buildmaster.enums import BuildStatus
  from lp.buildmaster.interfaces.buildqueue import IBuildQueueSet
  from lp.buildmaster.model.builder import Builder
@@ -106,6 +109,7 @@ from lp.code.model.branchnamespace import (
  from lp.code.model.gitcollection import GenericGitCollection
  from lp.code.model.gitrepository import GitRepository
  from lp.registry.errors import PrivatePersonLinkageError
++from lp.registry.interfaces.accesspolicy import IAccessArtifactSource
  from lp.registry.interfaces.person import (
      IPerson,
      IPersonSet,
@@ -117,6 +121,7 @@ from lp.registry.interfaces.role import (
      IHasOwner,
      IPersonRoles,
+     )
++from lp.registry.model.accesspolicy import AccessPolicyGrant
  from lp.registry.model.distroseries import DistroSeries
  from lp.registry.model.series import ACTIVE_STATUSES
  from lp.registry.model.teammembership import TeamParticipation
@@ -135,6 +140,9 @@ from lp.services.database.interfaces import (
      IStore,
+     )
  from lp.services.database.stormexpr import (
++    Array,
++    ArrayAgg,
++    ArrayIntersects,
      Greatest,
      IsDistinctFrom,
      NullsLast,
@@ -1113,6 +1121,25 @@ class Snap(Storm, WebhookTargetMixin):
          order_by = Desc(SnapBuild.id)
          return self._getBuilds(filter_term, order_by)
++    def subscribe(self, person, subscribed_by, ignore_permissions=False):
++        """See `ISnap`."""
++        # XXX pappacena 2021-02-05: We may need a "SnapSubscription" here.
++        service = getUtility(IService, "sharing")
++        service.ensureAccessGrants(
++            [person], subscribed_by, snaps=[self],
++            ignore_permissions=ignore_permissions)
++
++    def unsubscribe(self, person, unsubscribed_by):
++        """See `ISnap`."""
++        service = getUtility(IService, "sharing")
++        service.revokeAccessGrants(
++            self.pillar, person, unsubscribed_by, snaps=[self])
++        IStore(self).flush()
++
++    def _deleteAccessGrants(self):
++        """Delete access grants for this snap recipe prior to deleting it."""
++        getUtility(IAccessArtifactSource).delete([self])
++
      def destroySelf(self):
          """See `ISnap`."""
          store = IStore(Snap)
@@ -1149,6 +1176,7 @@ class Snap(Storm, WebhookTargetMixin):
              [SnapJob.job_id], And(SnapJob.job == Job.id, SnapJob.snap == self))
          store.find(Job, Job.id.is_in(affected_jobs)).remove()
          getUtility(IWebhookSet).delete(self.webhooks)
++        self._deleteAccessGrants()
          store.remove(self)
          store.find(
              BuildFarmJob, BuildFarmJob.id.is_in(build_farm_job_ids)).remove()
@@ -1236,6 +1264,9 @@ class SnapSet:
              store_channels=store_channels, project=project)
          store.add(snap)
++        # Automatically subscribe the owner to the Snap.
++        snap.subscribe(snap.owner, registrant, ignore_permissions=True)
++
          if processors is None:
              processors = [
                  p for p in snap.available_processors if p.build_by_default]
@@ -1303,6 +1334,10 @@ class SnapSet:
              expressions.append(Snap.owner == owner)
          return IStore(Snap).find(Snap, *expressions)
++    def findByIds(self, snap_ids):
++        """See `ISnapSet`."""
++        return IStore(ISnap).find(Snap, Snap.id.is_in(snap_ids))
++
      def findByOwner(self, owner):
          """See `ISnapSet`."""
          return IStore(Snap).find(Snap, Snap.owner == owner)
@@ -1372,36 +1407,12 @@ class SnapSet:
              snaps.order_by(Desc(Snap.date_last_modified))
          return snaps
--    def _findSnapVisibilityClause(self, visible_by_user):
--        # XXX cjwatson 2016-11-25: This is in principle a poor query, but we
--        # don't yet have the access grant infrastructure to do better, and
--        # in any case the numbers involved should be very small.
--        # XXX pappacena 2021-02-12: Once we do the migration to back fill
--        # information_type, we should be able to change this.
--        private_snap = SQL(
--            "CASE information_type"
--            "    WHEN NULL THEN private"
--            "    ELSE information_type NOT IN ?"
--            "END", params=[tuple(i.value for i in PUBLIC_INFORMATION_TYPES)])
--        if visible_by_user is None:
--            return private_snap == False
--        else:
--            roles = IPersonRoles(visible_by_user)
--            if roles.in_admin or roles.in_commercial_admin:
--                return True
--            else:
--                return Or(
--                    private_snap == False,
--                    Snap.owner_id.is_in(Select(
--                        TeamParticipation.teamID,
--                        TeamParticipation.person == visible_by_user)))
--
      def findByURL(self, url, owner=None, visible_by_user=None):
          """See `ISnapSet`."""
          clauses = [Snap.git_repository_url == url]
          if owner is not None:
              clauses.append(Snap.owner == owner)
--        clauses.append(self._findSnapVisibilityClause(visible_by_user))
++        clauses.append(get_snap_privacy_filter(visible_by_user))
          return IStore(Snap).find(Snap, *clauses)
      def findByURLPrefix(self, url_prefix, owner=None, visible_by_user=None):
@@ -1418,7 +1429,7 @@ class SnapSet:
          clauses = [Or(*prefix_clauses)]
          if owner is not None:
              clauses.append(Snap.owner == owner)
--        clauses.append(self._findSnapVisibilityClause(visible_by_user))
++        clauses.append(get_snap_privacy_filter(visible_by_user))
          return IStore(Snap).find(Snap, *clauses)
      def findByStoreName(self, store_name, owner=None, visible_by_user=None):
@@ -1426,7 +1437,7 @@ class SnapSet:
          clauses = [Snap.store_name == store_name]
          if owner is not None:
              clauses.append(Snap.owner == owner)
--        clauses.append(self._findSnapVisibilityClause(visible_by_user))
++        clauses.append(get_snap_privacy_filter(visible_by_user))
          return IStore(Snap).find(Snap, *clauses)
      def preloadDataForSnaps(self, snaps, user=None):
@@ -1591,3 +1602,47 @@ class SnapStoreSecretsEncryptedContainer(NaClEncryptedContainerBase):
                  config.snappy.store_secrets_private_key.encode("UTF-8"))
          else:
              return None
++
++
++def get_snap_privacy_filter(user):
++    """Returns the filter for all private Snaps that the given user is
++    subscribed to (that is, has access without being directly an owner).
++
++    :return: A storm condition.
++    """
++    # XXX pappacena 2021-02-12: Once we do the migration to back fill
++    # information_type, we should be able to change this.
++    private_snap = SQL(
++        "CASE information_type"
++        "    WHEN NULL THEN private"
++        "    ELSE information_type NOT IN ?"
++        "END", params=[tuple(i.value for i in PUBLIC_INFORMATION_TYPES)])
++    if user is None:
++        return private_snap == False
++
++    roles = IPersonRoles(user)
++    if roles.in_admin or roles.in_commercial_admin:
++        return True
++
++    artifact_grant_query = Coalesce(
++        ArrayIntersects(
++            SQL("%s.access_grants" % Snap.__storm_table__),
++            Select(
++                ArrayAgg(TeamParticipation.teamID),
++                tables=TeamParticipation,
++                where=(TeamParticipation.person == user)
++            )), False)
++
++    policy_grant_query = Coalesce(
++        ArrayIntersects(
++            Array(SQL("%s.access_policy" % Snap.__storm_table__)),
++            Select(
++                ArrayAgg(AccessPolicyGrant.policy_id),
++                tables=(AccessPolicyGrant,
++                        Join(TeamParticipation,
++                             TeamParticipation.teamID ==
++                             AccessPolicyGrant.grantee_id)),
++                where=(TeamParticipation.person == user)
++            )), False)
++
++    return Or(private_snap == False, artifact_grant_query, policy_grant_query)
 diff --git a/lib/lp/snappy/tests/test_snap.py b/lib/lp/snappy/tests/test_snap.py
 index 58a2a95..d8956db 100644
 --- a/lib/lp/snappy/tests/test_snap.py
 +++ b/lib/lp/snappy/tests/test_snap.py
@@ -120,6 +120,7 @@ from lp.snappy.interfaces.snapbuildjob import ISnapStoreUploadJobSource
  from lp.snappy.interfaces.snapjob import ISnapRequestBuildsJobSource
  from lp.snappy.interfaces.snapstoreclient import ISnapStoreClient
  from lp.snappy.model.snap import (
++    get_snap_privacy_filter,
      Snap,
      SnapSet,
+     )
@@ -1535,6 +1536,39 @@ class TestSnapSet(TestCaseWithFactory):
          self.assertContentEqual(snaps[:3], snap_set.findByPerson(owners[0]))
          self.assertContentEqual(snaps[3:], snap_set.findByPerson(owners[1]))
++    def test_get_snap_privacy_filter_includes_grants(self):
++        grantee, creator = [self.factory.makePerson() for i in range(2)]
++        # All snaps are owned by "creator", and "grantee" will later have
++        # access granted using sharing service.
++        snap_data = dict(registrant=creator, owner=creator, private=True)
++        private_snaps = [self.factory.makeSnap(**snap_data) for _ in range(2)]
++        shared_snaps = [self.factory.makeSnap(**snap_data) for _ in range(2)]
++        snap_data["private"] = False
++        public_snaps = [self.factory.makeSnap(**snap_data) for _ in range(3)]
++
++        with admin_logged_in():
++            for snap in shared_snaps:
++                snap.subscribe(grantee, creator)
++
++        def all_snaps_visible_by(person):
++            return IStore(Snap).find(
++                Snap, get_snap_privacy_filter(person))
++
++        # Creator should get all snaps.
++        self.assertContentEqual(
++            public_snaps + private_snaps + shared_snaps,
++            all_snaps_visible_by(creator))
++
++        # Grantee should get public and shared snaps.
++        self.assertContentEqual(
++            public_snaps + shared_snaps, all_snaps_visible_by(grantee))
++
++        with admin_logged_in():
++            # After revoking, Grantee should have no access to the shared ones.
++            for snap in shared_snaps:
++                snap.unsubscribe(grantee, creator)
++        self.assertContentEqual(public_snaps, all_snaps_visible_by(grantee))
++
      def test_findByProject(self):
          # ISnapSet.findByProject returns all Snaps based on branches or
          # repositories for the given project.