launchpad-reviewers team mailing list archive

[Merge] lp:~wgrant/launchpad/hide-inaccessible-bugs into lp:launchpad

 

William Grant has proposed merging lp:~wgrant/launchpad/hide-inaccessible-bugs into lp:launchpad with lp:~wgrant/launchpad/delete-nullbugtask as a prerequisite.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #735353 in Launchpad itself: "Inaccessible bugs should not be able to be traversed to"
  https://bugs.launchpad.net/launchpad/+bug/735353

For more details, see:
https://code.launchpad.net/~wgrant/launchpad/hide-inaccessible-bugs/+merge/53529

This branch brings private bugs in line with private teams, denying their existence for users who cannot see them. A few tests needed to be updated.

I also dropped xx-cve-link-to-modified-target.txt, as it is rendered obsolete by a prereq -- there is no chance of an OOPS any more, as the form submission redirects to the new location, avoiding a NullBugTask.
-- 
https://code.launchpad.net/~wgrant/launchpad/hide-inaccessible-bugs/+merge/53529
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/hide-inaccessible-bugs into lp:launchpad.
=== modified file 'lib/canonical/launchpad/browser/launchpad.py'
--- lib/canonical/launchpad/browser/launchpad.py	2011-03-08 21:03:55 +0000
+++ lib/canonical/launchpad/browser/launchpad.py	2011-03-15 22:16:37 +0000
@@ -707,7 +707,7 @@
             except NotFoundError:
                 raise NotFound(self.context, bug_number)
             if not check_permission("launchpad.View", bug):
-                raise Unauthorized("Bug %s is private" % bug_number)
+                return None
             # Empty the traversal stack, since we're redirecting.
             self.request.setTraversalStack([])
             # And perform a temporary redirect.
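Review bot: The inaccessible-bug branch now ends in `return None`, while the nonexistent-bug branch just above it raises `NotFound(self.context, bug_number)`. Since the aim is for the two cases to be indistinguishable, consider raising the same `NotFound(self.context, bug_number)` here so both go through one code path and cannot drift apart in status or body. If `return None` stays, add a comment saying that the caller is expected to turn it into a 404.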

=== modified file 'lib/canonical/launchpad/pagetests/basics/notfound-traversals.txt'
--- lib/canonical/launchpad/pagetests/basics/notfound-traversals.txt	2011-01-12 23:07:40 +0000
+++ lib/canonical/launchpad/pagetests/basics/notfound-traversals.txt	2011-03-15 22:16:37 +0000
@@ -288,8 +288,8 @@
 traversed we will get a 404. For paths using the old attachments/<id>
 form, a 404 will be issued immediately; no redirect will be sent.
 
->>> check_not_found("/firefox/+bug/2/attachments/1")
->>> check_not_found("/firefox/+bug/2/+attachment/1")
+>>> check_not_found("/tomcat/+bug/2/attachments/1")
+>>> check_not_found("/tomcat/+bug/2/+attachment/1")
 >>> check_not_found("/bugs/2/attachments/1")
 >>> check_not_found("/bugs/2/+attachment/1")
 

=== modified file 'lib/canonical/launchpad/pagetests/webservice/security.txt'
--- lib/canonical/launchpad/pagetests/webservice/security.txt	2011-02-13 22:10:04 +0000
+++ lib/canonical/launchpad/pagetests/webservice/security.txt	2011-03-15 22:16:37 +0000
@@ -21,9 +21,8 @@
 But the 'no-priv' user can't see bug number 14, which is private.
 
   >>> print user_webservice.get("/bugs/14")
-  HTTP/1.1 401 Unauthorized
+  HTTP/1.1 404 Not Found
   ...
-  Bug 14 is private
 
   >>> nopriv_output = user_webservice.get(
   ...     "/bugs?ws.size=100").jsonBody()
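Review bot: With the `Bug 14 is private` line removed, the expected output for `/bugs/14` is only the status line followed by `...`, which matches any headers and body. To pin down that a private bug looks the same as a missing one, add a request for an ID that does not exist next to this one and check that both give the same 404, or at least assert that the body does not mention the bug being private. The same applies to the `public_webservice` check in the next hunk.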
@@ -37,9 +36,8 @@
 operating on public data.
 
   >>> print public_webservice.get("/bugs/14")
-  HTTP/1.1 401 Unauthorized
+  HTTP/1.1 404 Not Found
   ...
-  Bug 14 is private
 
   >>> public_output = public_webservice.get(
   ...     "/bugs?ws.size=50").jsonBody()

=== modified file 'lib/lp/bugs/browser/bugtask.py'
--- lib/lp/bugs/browser/bugtask.py	2011-03-15 22:16:35 +0000
+++ lib/lp/bugs/browser/bugtask.py	2011-03-15 22:16:37 +0000
@@ -491,17 +491,19 @@
         If the bug has been reported, but not in this specific context, a
         redirect to the default context will be returned.
 
-        Raises NotFoundError if no bug with the given name is found.
-
-        If the context type does provide IProduct, IDistribution,
-        IDistroSeries, ISourcePackage or IDistributionSourcePackage
-        a TypeError is raised.
+        Returns None if no bug with the given name is found, or the
+        bug is not accessible to the current user.
         """
         context = self.context
 
         # Raises NotFoundError if no bug is found
         bug = getUtility(IBugSet).getByNameOrID(name)
 
+        # Get out now if the user cannot view the bug. Continuing may
+        # reveal information about its context
+        if not check_permission('launchpad.View', bug):
+            return None
+
         # Loop through this bug's tasks to try and find the appropriate task
         # for this context. We always want to return a task, whether or not
         # the user has the permission to see it so that, for example, an
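Review bot: The new docstring text says the method returns None when no bug with the given name is found, but the unchanged comment directly below still reads `# Raises NotFoundError if no bug is found` above the `getByNameOrID` call, and nothing in this hunk catches that error; one of the two needs updating. The context comment after the new check ("We always want to return a task, whether or not the user has the permission to see it") also reads oddly now that the method returns early for users without launchpad.View, so please reword it to say it applies only once the bug itself is viewable. The docstring paragraph about TypeError is dropped without explanation; say in the description whether that behaviour is gone.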

=== modified file 'lib/lp/bugs/browser/malone.py'
--- lib/lp/bugs/browser/malone.py	2010-08-20 20:31:18 +0000
+++ lib/lp/bugs/browser/malone.py	2011-03-15 22:16:37 +0000
@@ -67,7 +67,7 @@
         # /malone/$bug.id Just Work
         bug = getUtility(IBugSet).getByNameOrID(name)
         if not check_permission("launchpad.View", bug):
-            raise Unauthorized("Bug %s is private" % name)
+            return None
         return bug
 
 

=== modified file 'lib/lp/bugs/browser/tests/test_bugattachment_file_access.py'
--- lib/lp/bugs/browser/tests/test_bugattachment_file_access.py	2011-01-19 13:28:16 +0000
+++ lib/lp/bugs/browser/tests/test_bugattachment_file_access.py	2011-03-15 22:16:37 +0000
@@ -33,7 +33,7 @@
     AppServerLayer,
     LaunchpadFunctionalLayer,
     )
-from lazr.restfulclient.errors import Unauthorized as RestfulUnauthorized
+from lazr.restfulclient.errors import NotFound as RestfulNotFound
 from lp.bugs.browser.bugattachment import BugAttachmentFileNavigation
 import lp.services.features
 from lp.services.features.flags import NullFeatureController
@@ -226,9 +226,9 @@
         self.assertEqual(['token'], params.keys())
 
         # If a user which cannot access the private bug itself tries to
-        # to access the attachment, an Unauthorized error is raised.
+        # to access the attachment, an NotFound error is raised.
         other_launchpad = launchpadlib_for(
             'test_unauthenticated', other_user, version='devel')
         self.assertRaises(
-            RestfulUnauthorized, other_launchpad._browser.get,
+            RestfulNotFound, other_launchpad._browser.get,
             ws_bugattachment.data._wadl_resource._url)
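Review bot: Comment wording in the updated test: "an NotFound error" should be "a NotFound error", and the sentence still has a doubled "to" across the line break ("tries to" / "to access"), which is worth fixing while the comment is being touched.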

=== modified file 'lib/lp/bugs/stories/bug-privacy/20-private-distro-bug-not-visible-to-anonymous.txt'
--- lib/lp/bugs/stories/bug-privacy/20-private-distro-bug-not-visible-to-anonymous.txt	2009-06-12 16:36:02 +0000
+++ lib/lp/bugs/stories/bug-privacy/20-private-distro-bug-not-visible-to-anonymous.txt	2011-03-15 22:16:37 +0000
@@ -5,7 +5,7 @@
     >>> anon_browser.open("http://launchpad.dev/bugs/14";)
     Traceback (most recent call last):
       ...
-    Unauthorized: ...
+    NotFound: ...
 
 And not in bug listings.
 

=== modified file 'lib/lp/bugs/stories/bug-privacy/30-private-distro-bug-not-visible-to-nonsubscriber-user.txt'
--- lib/lp/bugs/stories/bug-privacy/30-private-distro-bug-not-visible-to-nonsubscriber-user.txt	2009-06-12 16:36:02 +0000
+++ lib/lp/bugs/stories/bug-privacy/30-private-distro-bug-not-visible-to-nonsubscriber-user.txt	2011-03-15 22:16:37 +0000
@@ -6,7 +6,7 @@
     >>> browser.open("http://launchpad.dev/bugs/14";)
     Traceback (most recent call last):
       ...
-    Unauthorized: ...
+    NotFound: ...
 
 Nor in a search listing.
 

=== modified file 'lib/lp/bugs/stories/bug-privacy/xx-presenting-private-bugs.txt'
--- lib/lp/bugs/stories/bug-privacy/xx-presenting-private-bugs.txt	2010-12-18 14:47:17 +0000
+++ lib/lp/bugs/stories/bug-privacy/xx-presenting-private-bugs.txt	2011-03-15 22:16:37 +0000
@@ -65,10 +65,10 @@
     >>> browser.open('http://bugs.launchpad.dev/bugs/4')
     Traceback (most recent call last):
     ...
-    Unauthorized: Bug 4 is private
+    NotFound: ...
 
     >>> anon_browser.open('http://bugs.launchpad.dev/bugs/4')
     Traceback (most recent call last):
     ...
-    Unauthorized: Bug 4 is private
+    NotFound: ...
 

=== modified file 'lib/lp/bugs/stories/bugtracker/xx-bugtracker-remote-bug.txt'
--- lib/lp/bugs/stories/bugtracker/xx-bugtracker-remote-bug.txt	2010-05-19 05:47:50 +0000
+++ lib/lp/bugs/stories/bugtracker/xx-bugtracker-remote-bug.txt	2011-03-15 22:16:37 +0000
@@ -99,7 +99,7 @@
   ...     'http://bugs.launchpad.dev/bugs/bugtrackers/mozilla.org/2000')
   Traceback (most recent call last):
   ...
-  Unauthorized:...
+  NotFound:...
 
 Set the bug back to public:
 

=== removed file 'lib/lp/bugs/stories/cve/xx-cve-link-to-modified-target.txt'
--- lib/lp/bugs/stories/cve/xx-cve-link-to-modified-target.txt	2009-06-12 16:36:02 +0000
+++ lib/lp/bugs/stories/cve/xx-cve-link-to-modified-target.txt	1970-01-01 00:00:00 +0000
@@ -1,39 +0,0 @@
-= Linking a CVE to a Bug With a Modified Target =
-
-We shouldn't get an OOPS when linking a CVE report to a bug that's been
-modified.
-
-    >>> import transaction
-    >>> user_browser.open(
-    ...     'http://bugs.launchpad.dev/firefox/+bug/4/+linkcve')
-    >>> admin_browser.open(
-    ...     'http://bugs.launchpad.dev/firefox/+bug/4/')
-    >>> admin_browser.getControl('Project').value = "jokosher"
-    >>> admin_browser.getControl(name='firefox.actions.save').click()
-
-    >>> user_browser.getControl('CVE Sequence Number').value = '2005-2737'
-    >>> user_browser.getControl('Continue').click()
-
-    >>> for tag in find_tags_by_class(user_browser.contents, 'cve'):
-    ...     print extract_text(tag)
-    2005-2737
-
-Similarly, unlinking the CVE from the bug shouldn't cause an OOPS when
-the bugtask has been retargeted.
-
-    >>> user_browser.getLink('Remove CVE link').click()
-    >>> user_browser.url
-    'http://bugs.launchpad.dev/jokosher/+bug/4/+unlinkcve'
-
-    >>> admin_browser.getControl('Project').value = "firefox"
-    >>> admin_browser.getControl(name='jokosher.actions.save').click()
-
-    >>> user_browser.getControl('CVE Sequence Number').value = '2005-2737'
-    >>> user_browser.getControl('Continue').click()
-
-There should now be no CVE links on the bugtask page:
-
-    >>> len(find_tags_by_class(user_browser.contents, 'cve'))
-    0
-
-    >>> transaction.abort()
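Review bot: This removal takes away the only coverage in this diff of `+linkcve` and `+unlinkcve` on a bugtask that has been retargeted. The description says the form submission now redirects to the new location; please add a test that asserts that redirect, or point to one in the prerequisite branch, rather than only dropping the OOPS check.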

=== modified file 'lib/lp/bugs/stories/upstream-bugprivacy/10-file-private-upstream-bug.txt'
--- lib/lp/bugs/stories/upstream-bugprivacy/10-file-private-upstream-bug.txt	2010-10-09 16:36:22 +0000
+++ lib/lp/bugs/stories/upstream-bugprivacy/10-file-private-upstream-bug.txt	2011-03-15 22:16:37 +0000
@@ -106,14 +106,14 @@
 == Checking basic access to the private bug pages ==
 
 Trying to access the task edit page of a task on a private bug
-redirects the anonymous user to the login page.
+fails, because we pretend that inaccessible private bugs do not exist.
 
     >>> browser = setupBrowser()
     >>> browser.open(
     ...     "http://launchpad.dev/firefox/+bug/%s/+editstatus"; % bug_id)
     Traceback (most recent call last):
     ...
-    Unauthorized:...
+    NotFound:...
 
 The no-privs user cannot access bug #10, because it's filed on a private bug on
 which the no-privs is not an explicit subscriber.
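Review bot: The reworded paragraph drops the login redirect for anonymous users, so someone who is subscribed to the private bug but not logged in now gets NotFound for `+editstatus` with no prompt to log in. The merge description only mentions "users who cannot see them"; if losing the login path for logged-out subscribers is an intended trade-off, please state that in the description and in this story text.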
@@ -123,7 +123,7 @@
     ...     "http://launchpad.dev/firefox/+bug/%s/+editstatus"; % bug_id)
     Traceback (most recent call last):
     ...
-    Unauthorized:...
+    NotFound:...
 
 Sample Person accesses the bug page of a private bug. He is allowed to
 view the page because he is an explicit subscriber on the bug.

=== modified file 'lib/lp/bugs/stories/upstream-bugprivacy/30-private-upstream-bug-not-accessible-to-anonymous.txt'
--- lib/lp/bugs/stories/upstream-bugprivacy/30-private-upstream-bug-not-accessible-to-anonymous.txt	2009-06-12 16:36:02 +0000
+++ lib/lp/bugs/stories/upstream-bugprivacy/30-private-upstream-bug-not-accessible-to-anonymous.txt	2011-03-15 22:16:37 +0000
@@ -1,5 +1,5 @@
 Trying to access a private upstream bug as an anonymous user results
-in being redirecting to the login page.
+in a page not found error.
 
   >>> print http(r"""
   ... GET /firefox/+bug/6 HTTP/1.1
@@ -7,15 +7,8 @@
   HTTP/1.1 200 Ok
   ...
 
-
-XXX: Brad Bollenbach, 2005-09-30: The redirect URL below is unexpected. See
-https://launchpad.net/launchpad/+bug/2730
-
   >>> print http(r"""
   ... GET /firefox/+bug/14 HTTP/1.1
   ... """)
-  HTTP/1.1 303 See Other
-  ...
-  Location: http://localhost/firefox/+bug/14/+index/+login
-  ...
-  <BLANKLINE>
+  HTTP/1.1 404 Not Found
+  ...

=== modified file 'lib/lp/bugs/stories/upstream-bugprivacy/50-private-upstream-bug-not-accessible-to-nonsubscriber-user.txt'
--- lib/lp/bugs/stories/upstream-bugprivacy/50-private-upstream-bug-not-accessible-to-nonsubscriber-user.txt	2009-09-09 23:16:08 +0000
+++ lib/lp/bugs/stories/upstream-bugprivacy/50-private-upstream-bug-not-accessible-to-nonsubscriber-user.txt	2011-03-15 22:16:37 +0000
@@ -15,9 +15,7 @@
   ... GET /firefox/+bug/14 HTTP/1.1
   ... Authorization: Basic bm8tcHJpdkBjYW5vbmljYWwuY29tOnRlc3Q=
   ... """)
-  HTTP/1.1 403 Forbidden
-  ...
-      <title>Error: Launchpad system error</title>
+  HTTP/1.1 404 Not Found
   ...
 
 This is also true if no-privs tries to access the bug from another
@@ -27,7 +25,5 @@
   ... GET /tomcat/+bug/14 HTTP/1.1
   ... Authorization: Basic bm8tcHJpdkBjYW5vbmljYWwuY29tOnRlc3Q=
   ... """)
-  HTTP/1.1 403 Forbidden
-  ...
-      <title>Error: Launchpad system error</title>
+  HTTP/1.1 404 Not Found
   ...