Merge lp:~sinzui/launchpad/delete-team-4 into lp:launchpad
Status: | Merged |
---|---|
Merged at revision: | 12052 |
Proposed branch: | lp:~sinzui/launchpad/delete-team-4 |
Merge into: | lp:launchpad |
Diff against target: |
103 lines (+26/-9) 2 files modified
lib/lp/registry/browser/peoplemerge.py (+12/-7) lib/lp/registry/browser/tests/test_peoplemerge.py (+14/-2) |
To merge this branch: | bzr merge lp:~sinzui/launchpad/delete-team-4 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Henning Eggers (community) | code | Approve | |
Review via email: mp+43403@code.launchpad.net |
Description of the change
Allow registry admin to delete teams with super teams.
Launchpad bug: https:/
Pre-
Test command: ./bin/test -vv -t TestAdminTeamMe
The recent change to remove super teams before starting a merge breaks team
deletions by the registry admins. The team does not have permission to call
retractTeamMemb
symptom.
The loop is iterating over all teams participated in, not the direct
membership. retractTeamMemb
the user has permission. Even when the user has permission to call the
method on the direct team, there is a failure on the indirect team.
As with view code that prepares an object for deletion or merge, the case
requires super privileges to complete the cleanup. Either Registry admins
should have launchpad.Edit on the team, or gets special privileges on the
method, or the view removed the security proxy to complete the task.
-------
RULES
* Person does not provide a method to get direct super teams, but that
can be derived in an extra db call to get the indirect teams.
* Use removeSecurityP
the implicit tasks implied by the delete action. This is already
done when working with the team email addresses. It can be done
when calling retractTeamMemb
QA
* As a registry admin, delete these teams:
https:/
LINT
lib/
lib/
IMPLEMENTATION
The set solution to get the direct team membership is easy, but I think it
odd that my search of the code did not find other cases where these teams
are needed. I decided not to create a method on IPerson since there would
be only one call site. Added a test that duplicated what I experienced in
production, then shut my eye and imported removeSecurityP
lib/
lib/
I think adding a method would be better for several reasons: ership calls should be in model code anyway.
- it would allow using APIs to manage teams (e.g. for
sysadmins/registry experts)
- the retractTeamMemb