launchpad-dev team mailing list archive

[Curtis Hovey <curtis.hovey@xxxxxxxxxxxxx>]

Hi rocket scientists.
Hi former members of the bug team.

I am working on
<https://bugs.launchpad.net/launchpad/+bug/157606>
[IntegrityError with unknown milestone when changing bug's project]

non-privileged users can retartget a bug to a different project, but
they do not have permission to change the milestone or importance. The
view/model does not do this for the user, so we see an Integrity error.
This could be an very simple fix to close an oops but...

I am aware of 
<https://bugs.launchpad.net/launchpad/+bug/196331>
[Possible to subvert Importance permissions using retargeting]
Where a non-privileged user can retarget a bugtask to set the
importance. I see from the oopses that most, bug tasks were not
retargeted. This integrity error is acting as a guard that might be
better expressed as policy:
      * Do not allow non-privileged users to retarget a bug if
              * The milestone is set
              * The importance is set to HMLW
              * The status is Triaged or higher

However, this and many retargeting issues could be solved by
<https://bugs.launchpad.net/launchpad/+bug/1342>
[Can't delete spurious "Affects" lines (bugtasks) from bug reports]
Remove retargeting, instead create the correct bugtask and delete the
spurious one. bug supervisors, owner, drivers, could delete bug tasks.
They will not retarget bug tasks that carry information that they are
not privileged to set in the affected project.

I favour addressing the second issue to solve the oops reported by the
first issue. I think deleting bugtasks would be great, but it is hard to
justify with 250+ critical bugs. I believe the rules are more complex
than I stated.

What do you think?

-- 
__Curtis C. Hovey_________
http://launchpad.net/

Attachment: signature.asc
Description: This is a digitally signed message part