Merge lp:~wallyworld/launchpad/no-private-bug-rss into lp:launchpad
Status: | Merged | ||||
---|---|---|---|---|---|
Approved by: | Ian Booth | ||||
Approved revision: | no longer in the source branch. | ||||
Merged at revision: | 13110 | ||||
Proposed branch: | lp:~wallyworld/launchpad/no-private-bug-rss | ||||
Merge into: | lp:launchpad | ||||
Diff against target: |
306 lines (+119/-45) 6 files modified
lib/canonical/launchpad/browser/feeds.py (+29/-2) lib/canonical/launchpad/pagetests/feeds/xx-authentication.txt (+0/-26) lib/canonical/launchpad/pagetests/feeds/xx-links.txt (+49/-0) lib/canonical/launchpad/pagetests/feeds/xx-security.txt (+3/-10) lib/lp/bugs/feed/bug.py (+16/-4) lib/lp/code/feed/branch.py (+22/-3) |
||||
To merge this branch: | bzr merge lp:~wallyworld/launchpad/no-private-bug-rss | ||||
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Jeroen T. Vermeulen (community) | code | Approve | |
Review via email: mp+61718@code.launchpad.net |
This proposal supersedes a proposal from 2011-05-19.
Commit message
[r=jtv][bug=302097] Do not allow private rss feeds and provide a better error message
Description of the change
I was going to land this branch in two parts -
1. prevent the rss feed from being enabled when a private bug/branch pages is loaded
2. handle the case where inline ajax editing is used to change the bug/branch status
Part one was already put up as a mp and approved.
However, turns out you can't disable the rss icon dynamically so I've updated the original branch with some code to better handle the case where a user url hacks or attempts to get to the feed page for a private bug/branch.
== Implementation ==
There was already code in BugFeed and BranchFeed to raise an Unauthorised exception if an attempt was made to get to the feed page for a private bug/branch. This lead the user to a login page and it all went south from there as described in the bug report.
The new implementation doesn't raise an exception - it simply adds an error notification to the request response and redirects back to the page for the bug/branch. In the case of branches, the user may not have permission to see the branch so the lp code index page is used instead. For bugs, users who cannot see the bug are directed to the lp bugs index page with the error notification. So they are taken somewhere sensible and given an error message. This last bit is more of an edge case.
== Demo ==
Try and enter an rss feed url directly for a private bug or branch eg
http://
or
Log in as a user (eg daf) and navigate to bug 14. The rss feed icon in the browser should be disabled.
== Tests ==
I added extra lines to the existing xx-links.txt doc test to check the two items listed at the beginning of this mp.
== Lint ==
Checking for conflicts and issues in changed files.
Linting changed files:
lib/canonical
lib/canonical
lib/lp/
lib/lp/
./lib/canonical
1: narrative uses a moin header.
9: narrative uses a moin header.
33: narrative uses a moin header.
77: narrative uses a moin header.
107: narrative uses a moin header.
141: narrative uses a moin header.
168: want exceeds 78 characters.
171: want exceeds 78 characters.
174: want exceeds 78 characters.
177: want exceeds 78 characters.
179: narrative uses a moin header.
227: narrative uses a moin header.
254: narrative uses a moin header.
267: narrative uses a moin header.
280: narrative uses a moin header.
289: want exceeds 78 characters.
293: narrative uses a moin header.
309: narrative uses a moin header.
325: narrative uses a moin header.
341: narrative uses a moin header.
351: want exceeds 78 characters.
352: want exceeds 78 characters.
369: source exceeds 78 characters.
./lib/lp/
80: E251 no spaces around keyword / parameter equals
Hi Ian,
It generally looks good but as always I have some notes. And while I'm here, thanks for the little drive-by cleanups!
=== modified file 'lib/canonical/ launchpad/ browser/ feeds.py' launchpad/ browser/ feeds.py 2010-11-08 12:52:43 +0000 launchpad/ browser/ feeds.py 2011-05-20 09:01:26 +0000
" Context %r does not provide interface %r"
--- lib/canonical/
+++ lib/canonical/
@@ -177,6 +177,14 @@
% (context, self.usedfor))
+ @classmethod
+ def feed_allowed(cls, context):
+ """Return True if a feed is allowed for the given context.
We normally use dromedaryCase for methods, where the first word is expected to be a verb. Skimming over this change at first I thought it was a property!
The "verb" part has a corollary: "feed allowed" can be misread as "feed those that are allowed." It's not hard to figure out that that's not what you mean, but it's a small distraction that can help slow down and confuse the reader.
@@ -346,4 +368,5 @@ self.context)
for feed_type in self.feed_types usedfor. providedBy( self.context) ] usedfor. providedBy( self.context) and feed_allowed( self.context) ]
def feed_links(self):
return [feed_type(
- if feed_type.
+ if feed_type.
+ feed_type.
The indentation of that last clause threw me off a bit. Is there some more legible way to write this?
=== modified file 'lib/canonical/ launchpad/ pagetests/ feeds/xx- links.txt' launchpad/ pagetests/ feeds/xx- links.txt 2011-05-05 05:46:41 +0000 launchpad/ pagetests/ feeds/xx- links.txt 2011-05-20 09:01:26 +0000 feeds.launchpad .dev/bugs/ 1/bug.atom"
--- lib/canonical/
+++ lib/canonical/
@@ -42,6 +42,37 @@
href="http://
title="Bug 1 Feed" />]
+But if the bug is private, there should be no link. launchpad. testing. pages import setupBrowserForUser interfaces. person import IPersonSet IPersonSet) .getByEmail( '<email address hidden>') User(user, 'daf') bugs.launchpad. dev/jokosher/ +bug/14') auth_browser. contents) findAll( 'link', type='applicati on/atom+ xml')
+
+ >>> from canonical.
+ >>> from zope.component import getUtility
+ >>> from lp.registry.
+ >>> login(ANONYMOUS)
+ >>> user = getUtility(
+ >>> logout()
+ >>> auth_browser = setupBrowserFor
+ >>> auth_browser.open('http://
+ >>> soup = BeautifulSoup(
+ >>> soup.head.
+ []
What exactly is auth_browser for? If you merely need a brower for a logged-in user, there's no need to construct one; use user_browser which is set up implicitly for this usage.
+But if they somehow manage to hack the url or use inline ajax editing of the
+bug status and attempt to subscribe, they are redirected to the bug page:
You're "But"-ing your own "But"!
+ >>> def print_notificat ions(browser) :
+ ... tags = find_tags_by_class(
+ ... browser.contents, 'error message')
+ ... if len(tags) == 0:
+ ... print 'No messages.'
+ ... else:
+ ... for tag in tags:
+ ... print extract_text(tag)
We have a helper for this: get_feedback_ messages.
@@ -319,3 +350,24 @@ on/atom+ xml" feeds.launch...
[<link rel="alternate" type="applicati
href="http://