launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] lp:~abentley/launchpad/all-url-support into lp:launchpad

To: Aaron Bentley <aaron@xxxxxxxxxxxxx>
From: Aaron Bentley <aaron@xxxxxxxxxxxxx>
Date: Wed, 04 Jul 2012 01:25:25 -0000
In-reply-to: <20120703201719.18378.26730.launchpad@ackee.canonical.com>
Reply-to: mp+113294@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

I wasn't concerned about leaking because the standard Zope security ensures no branches are returned that the principal cannot see.  The sole call-site of BranchLookup.getIdAndTrailingPath was BranchRewriter._getBranchIdAndTrailingPath, so when I removed BranchLookup.getIdAndTrailingPath, I ported its privacy tests (test_branch_id_alias_transitive_private and test_branch_id_alias_transitive_private) to BranchRewriter._getBranchIdAndTrailingPath.  The actual handling of Unauthorized exceptions is at 1134-1137.

I supposed cached data could leak if the cache was accessed using two different principals, but branch-rewrite always uses UnauthenticatedPrincipal AFAICT.
-- 
https://code.launchpad.net/~abentley/launchpad/all-url-support/+merge/113294
Your team Launchpad code reviewers is subscribed to branch lp:launchpad.

References

[Merge] lp:~abentley/launchpad/all-url-support into lp:launchpad
From: Aaron Bentley, 2012-07-03