
launchpad-reviewers team mailing list archive

[Merge] lp:~cjwatson/launchpad/queue-api-privacy into lp:launchpad

 

Colin Watson has proposed merging lp:~cjwatson/launchpad/queue-api-privacy into lp:launchpad.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/queue-api-privacy/+merge/113974

== Summary ==

There's no security on public properties of PackageUpload, which is inappropriate for uploads to private archives.

== Proposed fix ==

Delegate authorisation to the Archive.

== Pre-implementation notes ==

Discussion with wgrant.

== LOC Rationale ==

+28.  This is part of removing the queue tool, which will get me ~1000 lines of net credit.

== Tests ==

bin/test -vvct test_packageupload.TestPackageUploadPrivacy
-- 
https://code.launchpad.net/~cjwatson/launchpad/queue-api-privacy/+merge/113974
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/queue-api-privacy into lp:launchpad.
=== modified file 'lib/lp/security.py'
--- lib/lp/security.py	2012-07-04 10:36:37 +0000
+++ lib/lp/security.py	2012-07-09 13:12:25 +0000
@@ -1678,6 +1678,14 @@
         return not permissions.is_empty()
 
 
+class ViewPackageUpload(DelegatedAuthorization):
+    permission = 'launchpad.View'
+    usedfor = IPackageUpload
+
+    def __init__(self, obj):
+        super(ViewPackageUpload, self).__init__(obj, obj.archive)
+
+
 class EditPackageUpload(AdminByAdminsTeam):
     permission = 'launchpad.Edit'
     usedfor = IPackageUpload
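Review bot: ViewPackageUpload has no docstring or comment stating the access rule it enforces, which is what a later reader of a security adapter most needs. A one-line docstring under the class line, such as `"""Anyone who can view the upload's archive can view the upload."""`, would record that launchpad.View is decided entirely by `obj.archive`. The same docstring could note that `__init__` assumes `obj.archive` is always set; the hunk does not show whether an upload can exist without an archive, and in that case the delegation would have nothing to check against. EditPackageUpload's body continues outside the hunk.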

=== modified file 'lib/lp/soyuz/configure.zcml'
--- lib/lp/soyuz/configure.zcml	2012-07-04 13:02:32 +0000
+++ lib/lp/soyuz/configure.zcml	2012-07-09 13:12:25 +0000
@@ -151,7 +151,7 @@
             attributes="
                 status"/>
         <require
-            permission="zope.Public"
+            permission="launchpad.View"
             attributes="
                 id
                 distroseries
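Review bot: The `<require>` that closes just above the changed line still exposes `status`, and its `permission` attribute lies outside the hunk, so it is not visible whether that attribute remains under zope.Public. If it does, the queue status of an upload to a private archive stays readable without launchpad.View on the archive; confirm that block is either covered as well or deliberately left public. The attribute list of the changed `<require>` runs past the end of the hunk, so the full set of newly protected names cannot be checked from here.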

=== modified file 'lib/lp/soyuz/tests/test_packageupload.py'
--- lib/lp/soyuz/tests/test_packageupload.py	2012-07-06 16:17:57 +0000
+++ lib/lp/soyuz/tests/test_packageupload.py	2012-07-09 13:12:25 +0000
@@ -15,6 +15,7 @@
 from testtools.matchers import Equals
 import transaction
 from zope.component import getUtility
+from zope.security.interfaces import Unauthorized as ZopeUnauthorized
 from zope.security.proxy import removeSecurityProxy
 from zope.schema import getFields
 
@@ -395,6 +396,25 @@
         self.assertEqual(spph.packageupload, upload)
 
 
+class TestPackageUploadPrivacy(TestCaseWithFactory):
+    """Test PackageUpload security."""
+
+    layer = LaunchpadFunctionalLayer
+
+    def test_private_archives_have_private_uploads(self):
+        # Only users with access to a private archive can see uploads to it.
+        owner = self.factory.makePerson()
+        archive = self.factory.makeArchive(owner=owner, private=True)
+        upload = self.factory.makePackageUpload(archive=archive)
+        # The private archive owner can see this upload.
+        with person_logged_in(owner):
+            self.assertFalse(upload.contains_source)
+        # But other users cannot.
+        with person_logged_in(self.factory.makePerson()):
+            self.assertRaises(
+                ZopeUnauthorized, getattr, upload, "contains_source")
+
+
 class TestPackageUploadWithPackageCopyJob(TestCaseWithFactory):
 
     layer = LaunchpadZopelessLayer
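Review bot: test_private_archives_have_private_uploads pins the new rule for only one attribute and one kind of outsider, so a regression in the ZCML attribute list or in anonymous handling would pass unnoticed. Since the `<require>` change covers a list that starts with `id` and `distroseries`, a second assertion such as `self.assertRaises(ZopeUnauthorized, getattr, upload, "id")` inside the non-owner block would tie the test to that list rather than to `contains_source` alone. A counterpart case for an upload to a public archive, asserting that an unrelated logged-in user can still read `contains_source`, would guard against the delegation over-restricting public queues. An anonymous-request case is also missing. TestPackageUploadWithPackageCopyJob continues outside the hunk.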

