Launchpad itself

Merge lp:~stevenk/launchpad/bug-limitedview into lp:launchpad

  1. bug-limitedview
  2. Merge into devel
Proposed by Steve Kowalik
Status: Merged
Approved by: Steve Kowalik
Approved revision: no longer in the source branch.
Merged at revision: 14855
Proposed branch: lp:~stevenk/launchpad/bug-limitedview
Merge into: lp:launchpad
Diff against target: 82 lines (+49/-2)
2 files modified
lib/lp/bugs/security.py (+28/-1)
lib/lp/bugs/tests/test_bug.py (+21/-1)
To merge this branch: bzr merge lp:~stevenk/launchpad/bug-limitedview
Reviewer Review Type Date Requested Status
Ian Booth (community) Approve
Review via email: mp+94088@code.launchpad.net

Commit message

[r=wallyworld][bug=434733][incr] Add a security adapter for launchpad.LimitedView on IBug.

Description of the change

Add a security adapter for launchpad.LimitedView on IBug.

Write tests that check launchpad.View and launchpad.LimitedView on a variety of bugs.

Add a missing copyright header to test_bug.py.

To post a comment you must log in.
Revision history for this message
Ian Booth (wallyworld) wrote :

Look good

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/bugs/security.py'
2--- lib/lp/bugs/security.py 2012-01-01 02:58:52 +0000
3+++ lib/lp/bugs/security.py 2012-02-22 05:57:20 +0000
4@@ -1,4 +1,4 @@
5-# Copyright 2010-2011 Canonical Ltd. This software is licensed under the
6+# Copyright 2010-2012 Canonical Ltd. This software is licensed under the
7 # GNU Affero General Public License version 3 (see the file LICENSE).
8
9 """Security adapters for the bugs module."""
10@@ -256,3 +256,30 @@
11 return (
12 self.obj.structural_subscription is None or
13 user.inTeam(self.obj.structural_subscription.subscriber))
14+
15+
16+class PublicOrPrivateBugExistence(AuthorizationBase):
17+ """Restrict knowing about the existence of bugs.
18+
19+ Knowing the existence of a private bug allow traversing to its URL and
20+ displaying the bug number.
21+ """
22+ permission = 'launchpad.LimitedView'
23+ usedfor = IBug
24+
25+ def checkUnauthenticated(self):
26+ """Unauthenticated users can only view public bugs."""
27+ return not self.obj.private
28+
29+ def checkAuthenticated(self, user):
30+ """By default, we simply perform a View permission check.
31+
32+ We also grant limited viewability to users who are subscribed via
33+ a duplicate bug.
34+ """
35+ if self.forwardCheckAuthenticated(
36+ user, self.obj, 'launchpad.View'):
37+ return True
38+
39+ return not self.obj.private or self.obj.isSubscribedToDupes(
40+ user.person)
41
42=== modified file 'lib/lp/bugs/tests/test_bug.py'
43--- lib/lp/bugs/tests/test_bug.py 2012-02-15 08:13:51 +0000
44+++ lib/lp/bugs/tests/test_bug.py 2012-02-22 05:57:20 +0000
45@@ -1,4 +1,4 @@
46-
47+# Copyright 2009-2012 Canonical Ltd. This software is licensed under the
48 # GNU Affero General Public License version 3 (see the file LICENSE).
49
50 """Tests for lp.bugs.model.Bug."""
51@@ -22,7 +22,9 @@
52 UserCannotEditBugTaskImportance,
53 UserCannotEditBugTaskMilestone,
54 )
55+from lp.services.webapp.authorization import check_permission
56 from lp.testing import (
57+ celebrity_logged_in,
58 person_logged_in,
59 StormStatementRecorder,
60 TestCaseWithFactory,
61@@ -297,3 +299,21 @@
62 params.setBugTarget(product=target)
63 bug = getUtility(IBugSet).createBug(params)
64 self.assertEqual([cve], [cve_link.cve for cve_link in bug.cve_links])
65+
66+
67+class TestLimitedViewBugSecurityAdapter(TestCaseWithFactory):
68+ layer = DatabaseFunctionalLayer
69+
70+ def test_user_private_bug_subscribed_to_public_dup(self):
71+ # A user has limited visibility of a private bug if they are
72+ # subscribed to a duplicate.
73+ bug = self.factory.makeBug(private=True)
74+ person = self.factory.makePerson()
75+ dup = self.factory.makeBug()
76+ with person_logged_in(dup.owner):
77+ dup.subscribe(person, dup.owner)
78+ with celebrity_logged_in('admin'):
79+ dup.markAsDuplicate(bug)
80+ with person_logged_in(person):
81+ self.assertFalse(check_permission('launchpad.View', bug))
82+ self.assertTrue(check_permission('launchpad.LimitedView', bug))