
launchpad-reviewers team mailing list archive

Re: lp:~adeuring/launchpad/authentication-for-private-products into lp:launchpad

 

Review: Needs Fixing code

The comment format is
XXX: Abel Deuring 2012-10-10 bug=1065162

There is still something wrong and we think we are missing tests. Non-registry users and anonymous users get 403 on pages that are working with deactivated projects.
1. Start an Lp instance
2. As admin, https://bugs.launchpad.dev/redfish/+bug/15
   and verify redfish and thunderbird are in the affected table.
3. Visit https://launchpad.dev/ and verify that thunderbird is listed
4. Visit https://launchpad.dev/thunderbird/+admin
   and deactivate thunderbird
5. Visit https://launchpad.dev/
   and verify thunderbird is listed.
6. Follow the link to https://launchpad.dev/thunderbird
   and verify it says it is deactivated
7. Visit https://bugs.launchpad.dev/redfish/+bug/15
   and verify that only redfish is shown in the tasks table.

8. As no-priv, visit https://launchpad.dev/thunderbird
   and verify the page is a 404.
9. Visit https://bugs.launchpad.dev/redfish/+bug/15
   and verify that only redfish is shown in the tasks table.
   BAD: the user gets a 403!
   OH, this loads after a while...we have an async issue?

Module lp.bugs.model.structuralsubscription, line 275, in __init__
self.target_parent = target.project
Unauthorized: (<Product at 0x2b15b8d98410>, 'project', 'launchpad.View'

10. Visit https://launchpad.dev/
    and verify thunderbird is listed.
    BAD: the user gets a 403!

if IHasIcon.providedBy(context) and context.icon is not None:
Unauthorized: (<Product at 0x2b15bca1fd10>, 'icon', 'launchpad.View')

11. As anonymous, visit https://launchpad.dev/thunderbird
    and verify the page is a 404.
12. Visit https://bugs.launchpad.dev/redfish/+bug/15
    and verify that only redfish is shown in the tasks table.
    BAD: the user gets a 403!
    OH, this loads after a while...we have an async issue?

Module lp.bugs.model.structuralsubscription, line 275, in __init__
self.target_parent = target.project
Unauthorized: (<Product at 0x2b15b8d98410>, 'project', 'launchpad.View'

13. Visit https://launchpad.dev/
    ...I cannot. Lp requires me to log in to see a page intended for bots and anonymous users.

This kind of error can be seen elsewhere where deactivated projects can appear in Lp. In qastaging, for example, we can deactivate a project listed on Lp's front page and the page still displays for anonymous and non-registry users, but devel breaks with your branch.

I think we want to make the security checker smarter so we can land this branch to maintain the current behaviour. We can revise the checker and the interfaces in future branches. Maybe both checkAuthenticated() and checkUnauthenticated() can return true if the project is active and public. They can return true if the project is inactive and public and the user is in A, CA, R; otherwise, if the project is private and the user is in A, CA, return true.
-- 
https://code.launchpad.net/~adeuring/launchpad/authentication-for-private-products/+merge/129014
Your team Launchpad code reviewers is subscribed to branch lp:launchpad.
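
The visibility rule proposed in the last paragraph of the review, as an added standalone sketch (not part of the original message and not Launchpad code). Product, may_view() and visible_names() are hypothetical names; the role labels A, CA and R are kept as abbreviated in the message, and the private case is assumed not to depend on whether the project is active.

```python
# Added sketch, not Launchpad code: Product, may_view() and visible_names()
# are hypothetical names modelling the rule proposed in the review.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Role labels exactly as abbreviated in the review message.
INACTIVE_PUBLIC_ROLES = frozenset({"A", "CA", "R"})
PRIVATE_ROLES = frozenset({"A", "CA"})


@dataclass(frozen=True)
class Product:
    name: str
    active: bool = True
    public: bool = True


def may_view(product: Product, roles: Optional[FrozenSet[str]]) -> bool:
    """roles is None for an anonymous request, a (possibly empty) set otherwise."""
    held = roles or frozenset()
    if product.public:
        if product.active:
            return True  # active and public: everyone, logged in or not
        return bool(held & INACTIVE_PUBLIC_ROLES)
    # Private: assumed to depend only on A/CA, whether active or not.
    return bool(held & PRIVATE_ROLES)


def visible_names(products: Iterable[Product],
                  roles: Optional[FrozenSet[str]]) -> List[str]:
    """Filter a listing so hidden products are skipped instead of raising."""
    return [p.name for p in products if may_view(p, roles)]


# Constructed sample mirroring the bug task table in the walkthrough:
# redfish is active, thunderbird has been deactivated.
SAMPLE = [Product("redfish"), Product("thunderbird", active=False)]

if __name__ == "__main__":
    viewers = {"anonymous": None, "no-priv": frozenset(),
               "R": frozenset({"R"}), "A": frozenset({"A"})}
    for label, roles in viewers.items():
        print(f"{label:9} sees {visible_names(SAMPLE, roles)}")
```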

