Launchpad itself

Merge lp:~sinzui/launchpad/merge-db-permissions into lp:launchpad

  1. merge-db-permissions
  2. Merge into devel
Proposed by Curtis Hovey on 2012-11-01
Status: Merged
Approved by: j.c.sackett on 2012-11-01
Approved revision: no longer in the source branch.
Merged at revision: 16231
Proposed branch: lp:~sinzui/launchpad/merge-db-permissions
Merge into: lp:launchpad
Prerequisite: lp:~abentley/launchpad/releasefinder-perms
Diff against target: 139 lines (+27/-22)
2 files modified
database/schema/security.cfg (+5/-21)
lib/lp/registry/tests/test_personset.py (+22/-1)
To merge this branch: bzr merge lp:~sinzui/launchpad/merge-db-permissions
Reviewer Review Type Date Requested Status
j.c.sackett (community) 2012-11-01 Approve on 2012-11-01
Review via email: mp+132615@code.launchpad.net

Commit Message

Give all scripts SELECT on access* tables; person merge triggers can complete.

Description of the Change

Person merge failed because DB triggers require SELECT on accessartifact.

--------------------------------------------------------------------

RULES

    Pre-implementation: Sort of wgrant and flacoste
    * Add SELECT on accessartifact to person-merge-job
    * Oh, I discussed adding safe permissions to groups instead of users
      with William and Francis. Giving SELECT to all the access* tables
      will let every script read the data needed for permission checking
      * give SELECT on the access* tables for the script user.
      * Remove the duplicate grants

    ADDENDUM
    * I see Aaron just added SELECT to an access* table to fix the same
      problem in the PRF. I will merge his branch into mine.

QA

    * Visit https://qastaging.launchpad.net/people/+adminpeoplemerge
      and ~ailo.at into ~zequence
    * https://qastaging.launchpad.net/~ailo.at and wait for 404
    * If the page loads and does not show the merge notice, then
      merge failed.

LINT

  database/schema/security.cfg
  lib/lp/registry/tests/test_personset.py

LoC

    This is a fix for feature work.

TEST

    ./bin/test -vvc -t "(script|sharing|bugnotification|queue|processmail).*(job|script)" lp
    ./bin/test --vvc -t TestPersonSetMerge lp.registry.tests.test_personset

IMPLEMENTATION

I Added a test that reproduces the SQL error. I updated the DB permissions
to allow the test to pass. I removed the duplicate permissions...note that
I also deleted a duplicate declaration for accessartifact for one user.
  database/schema/security.cfg
  lib/lp/registry/tests/test_personset.py

To post a comment you must log in.
j.c.sackett (jcsackett) wrote :

Looks good, thanks.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'database/schema/security.cfg'
2--- database/schema/security.cfg 2012-11-01 20:04:20 +0000
3+++ database/schema/security.cfg 2012-11-01 20:04:20 +0000
4@@ -328,6 +328,11 @@
5 public.sharingjob = SELECT, INSERT, UPDATE, DELETE
6
7 [script]
8+public.accessartifact = SELECT
9+public.accessartifactgrant = SELECT
10+public.accesspolicy = SELECT
11+public.accesspolicygrant = SELECT
12+public.accesspolicygrantflat = SELECT
13 public.scriptactivity = SELECT, INSERT
14 type=group
15
16@@ -440,11 +445,7 @@
17 [productreleasefinder]
18 groups=script
19 public.accessartifact = SELECT, INSERT, DELETE
20-public.accesspolicy = SELECT
21 public.accesspolicyartifact = SELECT, INSERT, DELETE
22-public.accesspolicygrantflat = SELECT
23-public.accessartifactgrant = SELECT
24-public.accesspolicygrant = SELECT
25 public.bug = SELECT
26 public.bugtask = SELECT, UPDATE
27 public.bugtaskflat = SELECT
28@@ -571,10 +572,7 @@
29 groups=script
30 public.account = SELECT, INSERT
31 public.accessartifact = SELECT, INSERT, DELETE
32-public.accesspolicy = SELECT
33 public.accesspolicyartifact = SELECT, INSERT, DELETE
34-public.accessartifactgrant = SELECT
35-public.accesspolicygrant = SELECT
36 public.answercontact = SELECT
37 public.archive = SELECT
38 public.binarypackagebuild = SELECT
39@@ -860,9 +858,7 @@
40 groups=write,script
41 public.accessartifact = SELECT, INSERT, DELETE
42 public.accessartifactgrant = SELECT, INSERT
43-public.accesspolicy = SELECT
44 public.accesspolicyartifact = SELECT, INSERT, DELETE
45-public.accesspolicygrant = SELECT
46 public.answercontact = SELECT
47 public.archive = SELECT, UPDATE
48 public.archivearch = SELECT
49@@ -1409,10 +1405,7 @@
50 [queued]
51 groups=script
52 public.accessartifact = SELECT, INSERT, DELETE
53-public.accesspolicy = SELECT
54 public.accesspolicyartifact = SELECT, INSERT, DELETE
55-public.accessartifactgrant = SELECT
56-public.accesspolicygrant = SELECT
57 public.account = SELECT, INSERT
58 public.answercontact = SELECT
59 public.archive = SELECT, UPDATE
60@@ -1530,10 +1523,7 @@
61 [bugnotification]
62 groups=script
63 public.accessartifact = SELECT, INSERT, DELETE
64-public.accessartifactgrant = SELECT
65-public.accesspolicy = SELECT
66 public.accesspolicyartifact = SELECT, INSERT, DELETE
67-public.accesspolicygrant = SELECT
68 public.account = SELECT
69 public.answercontact = SELECT
70 public.archive = SELECT
71@@ -1707,10 +1697,7 @@
72 groups=script
73 public.accessartifact = SELECT, INSERT, DELETE
74 public.accessartifactgrant = SELECT, INSERT, DELETE
75-public.accesspolicy = SELECT
76 public.accesspolicyartifact = SELECT, INSERT, DELETE
77-public.accesspolicygrant = SELECT
78-public.accessartifact = SELECT, INSERT, DELETE
79 public.account = SELECT, INSERT
80 public.answercontact = SELECT
81 public.archive = SELECT
82@@ -1943,11 +1930,8 @@
83
84 [sharing-jobs]
85 groups=script
86-public.accessartifact = SELECT
87 public.accessartifactgrant = SELECT, UPDATE, DELETE
88-public.accesspolicy = SELECT
89 public.accesspolicygrant = SELECT, UPDATE, DELETE
90-public.accesspolicygrantflat = SELECT
91 public.account = SELECT
92 public.branch = SELECT
93 public.branchsubscription = SELECT, UPDATE, DELETE
94
95=== modified file 'lib/lp/registry/tests/test_personset.py'
96--- lib/lp/registry/tests/test_personset.py 2012-07-30 18:50:41 +0000
97+++ lib/lp/registry/tests/test_personset.py 2012-11-01 20:04:20 +0000
98@@ -16,12 +16,16 @@
99 from zope.component import getUtility
100 from zope.security.proxy import removeSecurityProxy
101
102+from lp.app.enums import InformationType
103 from lp.code.tests.helpers import remove_all_sample_data_branches
104 from lp.registry.errors import (
105 InvalidName,
106 NameAlreadyTaken,
107 )
108-from lp.registry.interfaces.accesspolicy import IAccessPolicyGrantSource
109+from lp.registry.interfaces.accesspolicy import (
110+ IAccessArtifactGrantSource,
111+ IAccessPolicyGrantSource,
112+ )
113 from lp.registry.interfaces.karma import IKarmaCacheManager
114 from lp.registry.interfaces.mailinglist import MailingListStatus
115 from lp.registry.interfaces.mailinglistsubscription import (
116@@ -618,6 +622,23 @@
117 dsp = self.factory.makeDistributionSourcePackage()
118 self.assertConflictingSubscriptionDeletes(dsp)
119
120+ def test_merge_accessartifactgrant(self):
121+ # AccessArtifactGrants are transferred; DB triggers complete.
122+ dupe = self.factory.makePerson()
123+ bug = self.factory.makeBug(
124+ information_type=InformationType.USERDATA)
125+ artifact = self.factory.makeAccessArtifact(concrete=bug)
126+ self.factory.makeAccessArtifactGrant(artifact, dupe)
127+ person = self.factory.makePerson()
128+ self._do_premerge(dupe, person)
129+ with person_logged_in(person):
130+ self._do_merge(dupe, person)
131+ source = getUtility(IAccessArtifactGrantSource)
132+ grantees = [
133+ grant.grantee for grant in source.findByArtifact([artifact])
134+ if grant.grantee == person]
135+ self.assertContentEqual([person], grantees)
136+
137 def test_merge_accesspolicygrants(self):
138 # AccessPolicyGrants are transferred from the duplicate.
139 person = self.factory.makePerson()