launchpad-reviewers team mailing list archive

[Colin Watson <cjwatson@xxxxxxxxxxxxx>]

Colin Watson has proposed merging lp:~cjwatson/launchpad/search-private into lp:launchpad.

Commit message:
Make /+search check visibility of pillars.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1411647 in Launchpad itself: "Search page sometimes returns "information on this page is private""
  https://bugs.launchpad.net/launchpad/+bug/1411647

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/search-private/+merge/246704

Make /+search check visibility of pillars.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/search-private into lp:launchpad.

=== modified file 'lib/lp/app/browser/root.py'
--- lib/lp/app/browser/root.py	2013-05-23 04:24:45 +0000
+++ lib/lp/app/browser/root.py	2015-01-16 13:05:41 +0000
@@ -494,9 +494,12 @@
         vocab = vocabulary_registry.get(
             None, 'DistributionOrProductOrProjectGroup')
         try:
-            return vocab.getTermByToken(name).value
+            pillar = vocab.getTermByToken(name).value
+            if check_permission("launchpad.View", pillar):
+                return pillar
         except LookupError:
-            return None
+            pass
+        return None
 
     def searchPages(self, query_terms, start=0):
         """Return the up to 20 pages that match the query_terms, or None.

=== modified file 'lib/lp/app/browser/tests/launchpad-search-pages.txt'
--- lib/lp/app/browser/tests/launchpad-search-pages.txt	2012-09-17 15:19:10 +0000
+++ lib/lp/app/browser/tests/launchpad-search-pages.txt	2015-01-16 13:05:41 +0000
@@ -319,6 +319,29 @@
     >>> print search_view.person_or_team
     None
 
+Private pillars are not matched if the user does not have permission to see
+them. For example, Sample Person can see a private project that they created
+because they are the owner.
+
+    >>> from lp.registry.interfaces.product import License
+
+    >>> login('test@xxxxxxxxxxxxx')
+    >>> private_product = factory.makeProduct(
+    ...     owner=sample_person, information_type=InformationType.PROPRIETARY,
+    ...     licenses=[License.OTHER_PROPRIETARY])
+    >>> private_product_name = private_product.name
+
+    >>> search_view = getSearchView(form={'field.text': private_product_name})
+    >>> search_view.pillar.private
+    True
+
+But anonymous and unprivileged users cannot see the private project.
+
+    >>> login(ANONYMOUS)
+    >>> search_view = getSearchView(form={'field.text': private_product_name})
+    >>> print search_view.pillar
+    None
+
 
 Shipit CD searches
 ------------------