Message #18969
[Merge] lp:~wgrant/launchpad/bzr-translatePath-private-alias into lp:launchpad
William Grant has proposed merging lp:~wgrant/launchpad/bzr-translatePath-private-alias into lp:launchpad.
Commit message:
Don't leak an Unauthorized out of CodehostingAPI.translatePath when traversing an alias that references an inaccessible private project.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
For more details, see:
https://code.launchpad.net/~wgrant/launchpad/bzr-translatePath-private-alias/+merge/264376
Don't leak an Unauthorized out of CodehostingAPI.translatePath when traversing an alias that references an inaccessible private project.
--
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/bzr-translatePath-private-alias into lp:launchpad.
=== modified file 'lib/lp/code/model/branchlookup.py'
--- lib/lp/code/model/branchlookup.py 2015-07-09 12:18:51 +0000
+++ lib/lp/code/model/branchlookup.py 2015-07-10 06:00:29 +0000
@@ -100,7 +100,8 @@
if not valid_name(name):
raise InvalidProductName(name)
pillar = getUtility(IPillarNameSet).getByName(name)
- if pillar is None:
+ if (pillar is None
+ or not check_permission('launchpad.LimitedView', pillar)):
# Actually, the pillar is no such *anything*. The user might be
# trying to refer to a project group, a distribution or a
# project. We raise a NoSuchProduct error since that's what we
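Review bot: The comment under the widened condition still describes only the missing-pillar case, so nothing records that an inaccessible private pillar is deliberately reported as NoSuchProduct too. Returning the same error for both cases is what stops the lookup from confirming that a private project name exists, and a maintainer who does not know that could later split the branches and reintroduce the leak. I would add a line such as `# A pillar the requester cannot see is treated exactly like a missing one, so the error never reveals that a private project exists.` above the existing comment. The enclosing function starts and ends outside this hunk, and the import of `check_permission` is not visible in the diff, so presumably the module already has it.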
=== modified file 'lib/lp/code/xmlrpc/tests/test_codehosting.py'
--- lib/lp/code/xmlrpc/tests/test_codehosting.py 2015-07-06 14:19:42 +0000
+++ lib/lp/code/xmlrpc/tests/test_codehosting.py 2015-07-10 06:00:29 +0000
@@ -830,6 +830,19 @@
requester.name, removeSecurityProxy(product).name)
self.assertNotFound(requester, path)
+ def test_translatePath_private_project(self):
+ requester = self.factory.makePerson()
+ product = self.factory.makeProduct(
+ information_type=InformationType.PROPRIETARY)
+ login(ANONYMOUS)
+ path = '/+branch/%s' % removeSecurityProxy(product).name
+ self.assertNotFound(requester, path)
+ login(ANONYMOUS)
+ path = '/+branch/%s/%s' % (
+ removeSecurityProxy(product).name,
+ removeSecurityProxy(product).development_focus.name)
+ self.assertNotFound(requester, path)
+
def test_translatePath_no_such_branch(self):
requester = self.factory.makePerson()
product = self.factory.makeProduct()
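Review bot: test_translatePath_private_project has no docstring or comment stating the property it pins, and the second `login(ANONYMOUS)` before the development-focus path is unexplained. A docstring such as `"""An inaccessible private project is reported as not found, both by name and via its development focus."""` would make the intent clear. If the repeated login is needed because assertNotFound ends the interaction, a short comment saying so would help. The test exercises only a requester without access. Whether a requester who does hold access is covered elsewhere in the file cannot be seen from this hunk, and that case would guard against the new permission check hiding projects from people entitled to see them.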