Merge lp:~wallyworld/launchpad/delete-bugtask-ui-878909 into lp:launchpad

Hi Ian.

I have a few concerns about the safety and maintainability of of two changes. I have some suggestions and questions too.

> === modified file 'lib/lp/bugs/browser/bugtask.py'
> --- lib/lp/bugs/browser/bugtask.py 2011-10-19 14:54:07 +0000
> +++ lib/lp/bugs/browser/bugtask.py 2011-10-25 08:17:26 +0000
> @@ -1757,6 +1758,38 @@
> self.updateContextFromData(data)
>
>
> +class BugTaskDeletionView(LaunchpadFormView):
> + """Used to delete a bugtask."""
> +
> + schema = IBugTask
> + field_names = []
> +
> + label = 'Remove bug task'
> + page_title = label
> +
> + @property
> + def confirmation_message(self):
> + return ('<p>You are about to mark bug %s<br>'
> + 'as no longer affecting %s.</p>'
> + '<p>This operation will be permanent and cannot be '
> + 'undone.</p>'
> + % (self.context.bug.title,
> + self.context.target.bugtargetdisplayname))

This is dangerous. Both title and displayname may *always* contain
markup. We use structured() to build safe interpolated messages.

Would direct language be more effective at conveying the consequences of the
action:
    Deletion is permanent, it cannot be undone.

...

> @@ -3552,6 +3585,8 @@
> row_css_class='highlight' if is_primary else None,
> target_link=canonical_url(self.context.target),
> target_link_title=self.target_link_title,
> + user_can_delete=self.user_can_delete_bugtask,
> + delete_link=link + '/+delete',

While I am certain this link will work, but it is a crafted link we need to
maintain with extra testing.
    canonical_url(self.context.target, view_name='+delete')
will raise an exception if the named view is unregistered.

> === modified file 'lib/lp/bugs/browser/tests/test_bugtask.py'
> --- lib/lp/bugs/browser/tests/test_bugtask.py 2011-10-05 18:02:45 +0000
> +++ lib/lp/bugs/browser/tests/test_bugtask.py 2011-10-25 08:17:26 +0000
> @@ -606,6 +614,99 @@
> self.assertIn(series.product.displayname, content)
>
>
> +class TestBugTaskDeleteLinks(TestCaseWithFactory):
> + """ Test that the delete icons/links for each relevant bug task are
> + correctly rendered.
> +
> + Bug task deletion is protected by a feature flag.
> + """

The first line may not wrap according to PEP 256.

+ layer = DatabaseFunctionalLayer
+
+ def test_cannot_delete_only_bugtask(self):
+ # The last bugtask cannot be deleted.
+ bug = self.factory.makeBug()
+ login_person(bug.owner)
+ view = create_initialized_view(
+ bug, name='+bugtasks-and-nominations-table')
+ row_view = view._getTableRowView(bug.default_bugtask, False, False)
+ self.assertFalse(row_view.user_can_delete_bugtask)
+ del get_property_cache(row_view).user_can_delete_bugtask
+ with FeatureFixture(DELETE_BUGTASK_ENABLED):
+ self.assertFalse(row_view.user_can_delete_bugtask)
+
+ def test_can_delete_bugtask_if_authorised(self):
+ # The bugtask can be deleted if the user if authorised.
+ bug = self.factory.makeBug()
+ bugtask = self.fac...

Hi

Thanks for the excellent review.

>
> This is dangerous. Both title and displayname may *always* contain
> markup. We use structured() to build safe interpolated messages.
>

I originally tried using structured() but the legit html in the message
got escaped. I suspect I may have messed up using the api and had meant
to come back to look at it again but forgot. I'll take another look.

> Would direct language be more effective at conveying the consequences of the
> action:
> Deletion is permanent, it cannot be undone.
>

Sure.

>> + user_can_delete=self.user_can_delete_bugtask,
>> + delete_link=link + '/+delete',
>
> While I am certain this link will work, but it is a crafted link we need to
> maintain with extra testing.
> canonical_url(self.context.target, view_name='+delete')
> will raise an exception if the named view is unregistered.
>

Yes, much better, thanks.

>>
>> +class TestBugTaskDeleteLinks(TestCaseWithFactory):
>> + """ Test that the delete icons/links for each relevant bug task are
>> + correctly rendered.
>> +
>> + Bug task deletion is protected by a feature flag.
>> + """
>
> The first line may not wrap according to PEP 256.
>

Yeah, sometimes it is hard to limit the text to only one line and still
have it make sense. I'll truncate.

>
> The TestBrowser is an indirect means to test rendering. The view does that.
> you can render any view (that had the principal argument passed) by calling
> it; view(). Launchpad views add striping rules so __call__ calls render().
> You can render a view's templates using view() or view.render(). It is much
> faster than TestBrowser.
>

I only resorted to using TestBrowser because I could get view.render()
to work for this case. It failed with various errors (eg None broken the
chain etc) depending on what I tried. I see you suggest:

 > view = create_initialized_view(
 > bug, name='+bugtasks-and-nominations-table'
 > principal=bugtask.owner)

I tried things like eg:

  view = create_initialized_view(bugtask, name='+index',
     rootsite='bugs', principal=bugtask.owner)

  view = create_initialized_view(bug, name='+index',
     rootsite='bugs', principal=bugtask.owner)

I'd like to understand why view.render() failed.

>
> And I see you did you view.render() here. I do not care for exact testing
> of user text because it tends to change often and get tested more than once.
> I put ids on the text fragment, id="deletion-waring-message", and just test
> for the presence. This permits non technical users to make trivial changes
> to the text while the code ensures that the intent of the message is still
> in the content.
>

Yes, good idea. I had doubts how far we needed to go here, hence the use
of the regex to test the gist of the message.

>
> This code is repeating the mistakes of Bugs past. The code embeds roles
> and celebrities into model code. This is the primary reason bug permissions
> are fucked up. I believe this logic belongs in lp.bugs.security, where I
> think this came from. userCanDelete() could do this:
> def userCanDelete(self):
> return check_permi...

37 + @property
38 + def confirmation_message(self):
39 + return ('<p>You are about to mark bug %s<br>'
40 + 'as no longer affecting %s.</p>'
41 + '<p>This operation will be permanent and cannot be '
42 + 'undone.</p>'
43 + % (self.context.bug.title,
44 + self.context.target.bugtargetdisplayname))

As Curtis says, this is a security hole. Why is this not done in the template? Also, the operation is not permanent -- it can be undone, by readding the task.

On 26/10/11 08:36, William Grant wrote:
> 37 + @property
> 38 + def confirmation_message(self):
> 39 + return ('<p>You are about to mark bug %s<br>'
> 40 + 'as no longer affecting %s.</p>'
> 41 + '<p>This operation will be permanent and cannot be '
> 42 + 'undone.</p>'
> 43 + % (self.context.bug.title,
> 44 + self.context.target.bugtargetdisplayname))
>
> As Curtis says, this is a security hole. Why is this not done in the template? Also, the operation is not permanent -- it can be undone, by readding the task.

I'm fixing the hole.
The message is worded as per the bug report. I think the indent is that
in general, deletion is a serious decision and the user must be sure.

Hi

I've addressed the issues raised. Reverting the security check code to
how it was makes the diff much shorter.

>> @@ -3552,6 +3585,8 @@
>> row_css_class='highlight' if is_primary else None,
>> target_link=canonical_url(self.context.target),
>> target_link_title=self.target_link_title,
>> + user_can_delete=self.user_can_delete_bugtask,
>> + delete_link=link + '/+delete',
>
> While I am certain this link will work, but it is a crafted link we need to
> maintain with extra testing.
> canonical_url(self.context.target, view_name='+delete')
> will raise an exception if the named view is unregistered.
>

I copied what was done in the test for the +editstatus link. I've fixed
that one too.

>
> The TestBrowser is an indirect means to test rendering. The view does that.
> you can render any view (that had the principal argument passed) by calling
> it; view(). Launchpad views add striping rules so __call__ calls render().
> You can render a view's templates using view() or view.render(). It is much
> faster than TestBrowser.
>
> def test_bugtask_delete_icon(self):
> # The bugtask delete icon is rendered correctly for those tasks the
> # user is allowed to delete.
> bug = self.factory.makeBug()
> bugtask = self.factory.makeBugTask(bug=bug)
> with FeatureFixture(DELETE_BUGTASK_ENABLED):
> login_person(bugtask.owner)
> view = create_initialized_view(
> bug, name='+bugtasks-and-nominations-table'
> principal=bugtask.owner)
> content = view.render()
> # bugtask can be deleted because the user owns it.
> delete_icon = find_tag_by_id(
> content, 'bugtask-delete-task%d' % bugtask.id)
> self.assertEqual(url + '/+delete', delete_icon['href'])
> # default_bugtask cannot be deleted.
> delete_icon = find_tag_by_id(
> content, 'bugtask-delete-task%d' % bug.default_bugtask.id)
> self.assertIsNone(delete_icon)
>

I double checked my original work. I tried again using
 > view = create_initialized_view(
 > bug, name='+bugtasks-and-nominations-table'
 > principal=bugtask.ow

and it wouldn't render. I also tried other variations. So I think
TestBrowser is required for this test sadly.

I figured out how to avoid using TestBrowser. One key step was to shove
the default bugtask into LaunchBag. Then the view for each table row had
to be constructed and rendered separately. Obvious!

>
> The TestBrowser is an indirect means to test rendering. The view does that.
> you can render any view (that had the principal argument passed) by calling
> it; view(). Launchpad views add striping rules so __call__ calls render().
> You can render a view's templates using view() or view.render(). It is much
> faster than TestBrowser.

<new stuff>
             login_person(bugtask.owner)
             getUtility(ILaunchBag).add(bug.default_bugtask)
             view = create_initialized_view(
                 bug, name='+bugtasks-and-nominations-table',
                 principal=bugtask.owner)
             # We render the bug task table rows - there are 2 bug tasks.
             subviews = view.getBugTaskAndNominationViews()
             self.assertEqual(2, len(subviews))
             default_bugtask_contents = subviews[0]()
             bugtask_contents = subviews[1]()
</new stuff>
             # bugtask can be deleted because the user owns it.
             delete_icon = find_tag_by_id(
                 bugtask_contents, 'bugtask-delete-task%d' % bugtask.id)
             delete_url = canonical_url(
                 bugtask, rootsite='bugs', view_name='+delete')
             self.assertEqual(delete_url, delete_icon['href'])
             # default_bugtask cannot be deleted.
             delete_icon = find_tag_by_id(
                 default_bugtask_contents,
                 'bugtask-delete-task%d' % bug.default_bugtask.id)
             self.assertIsNone(delete_icon)

Thank you for fixing this Ian. I wish I remembered to my troubled writing tests for bug nominations where I too discovered the misdirection with the LaunchpadBag. While LaunchpadView, and most proper Zope views requires a context (bugtask) and a request passed on __init__, the very old bug and bugtask views did not use that. We might be able to remove the LaunchpadBag hacks if all the views are LaunchpadViews.

This looks good to land.