launchpad-reviewers team mailing list archive

[Richard Harding <rick.harding@xxxxxxxxxxxxx>]

Richard Harding has proposed merging lp:~rharding/launchpad/translatables into lp:launchpad.

Commit message:
Update projectgroup.translatables to take information type into account to prevent access.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~rharding/launchpad/translatables/+merge/135492

= Summary =

The .translations property and then getTranslatable methods it calls do not
take the privacy filter into account when querying.


== Pre Implementation ==

Talked with Deryck. getTranslatable is a method on both product and
projectgroup. In order to keep the api consistant we use the launchbag here as
was done in the product version of the method.


== Implementation Notes ==

Simple case of get the user and add the privacy filter to the query.


== Tests ==

lib/lp/registry/model/projectgroup.py

-- 
https://code.launchpad.net/~rharding/launchpad/translatables/+merge/135492
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~rharding/launchpad/translatables into lp:launchpad.

=== modified file 'lib/lp/registry/model/projectgroup.py'
--- lib/lp/registry/model/projectgroup.py	2012-11-20 20:52:40 +0000
+++ lib/lp/registry/model/projectgroup.py	2012-11-21 18:16:21 +0000
@@ -204,6 +204,7 @@
         Only products with IProduct.translations_usage set to
         ServiceUsage.LAUNCHPAD are considered translatable.
         """
+        user = getUtility(ILaunchBag).user
         store = Store.of(self)
         origin = [
             Product,
@@ -214,6 +215,7 @@
             Product,
             Product.project == self.id,
             Product.translations_usage == ServiceUsage.LAUNCHPAD,
+            ProductSet.getProductPrivacyFilter(user),
             ).config(distinct=True)
 
     @cachedproperty

=== modified file 'lib/lp/registry/tests/test_projectgroup.py'
--- lib/lp/registry/tests/test_projectgroup.py	2012-10-19 14:22:36 +0000
+++ lib/lp/registry/tests/test_projectgroup.py	2012-11-21 18:16:21 +0000
@@ -8,7 +8,10 @@
 from zope.security.interfaces import Unauthorized
 from zope.security.proxy import removeSecurityProxy
 
-from lp.app.enums import InformationType
+from lp.app.enums import (
+    InformationType,
+    ServiceUsage,
+    )
 from lp.registry.enums import (
     EXCLUSIVE_TEAM_POLICY,
     INCLUSIVE_TEAM_POLICY,
@@ -33,6 +36,27 @@
 
     layer = DatabaseFunctionalLayer
 
+    def _create_translatable_products(self):
+        """Generate a public and private product for translatables testing."""
+        owner = self.factory.makePerson()
+        project_group = self.factory.makeProject()
+
+        private_product = removeSecurityProxy(self.factory.makeProduct(
+            project=project_group, owner=owner,
+            information_type=InformationType.PROPRIETARY))
+        private_product.translations_usage = ServiceUsage.LAUNCHPAD
+        private_series = removeSecurityProxy(self.factory.makeProductSeries(
+            product=private_product))
+        self.factory.makePOTemplate(productseries=private_series)
+
+        public_product = removeSecurityProxy(self.factory.makeProduct(
+            project=project_group, information_type=InformationType.PUBLIC))
+        public_product.translations_usage = ServiceUsage.LAUNCHPAD
+        public_series = self.factory.makeProductSeries(product=public_product)
+        self.factory.makePOTemplate(productseries=public_series)
+
+        return private_product, public_product, project_group
+
     def test_pillar_category(self):
         # The pillar category is correct.
         pg = self.factory.makeProject()
@@ -65,6 +89,23 @@
         self.assertNotIn(product, project_group.getProducts(outsider))
         self.assertIn(product, project_group.getProducts(owner))
 
+    def test_translatables(self):
+        """Verify that the translatables for public case is correct."""
+        private, public, group = self._create_translatable_products()
+
+        public_user = self.factory.makePerson()
+        with person_logged_in(public_user):
+            self.assertIn(public, group.translatables)
+            self.assertNotIn(private, group.translatables)
+
+    def test_translatables_with_proprietary(self):
+        """Block users from seeing products they can't access."""
+        private, public, group = self._create_translatable_products()
+
+        with person_logged_in(private.owner):
+            self.assertIn(public, group.translatables)
+            self.assertIn(private, group.translatables)
+
 
 class ProjectGroupSearchTestCase(TestCaseWithFactory):