
launchpad-reviewers team mailing list archive

[Merge] lp:~wgrant/launchpad/bug-1508277 into lp:launchpad


William Grant has proposed merging lp:~wgrant/launchpad/bug-1508277 into lp:launchpad.

Commit message:
Bypass normal bug linking permission checks when linking CVES from comments.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1508277 in Launchpad itself: "Soyuz bug closures can fail in findCvesInText if changelog references a CVE and a private bug"
  https://bugs.launchpad.net/launchpad/+bug/1508277

For more details, see:
https://code.launchpad.net/~wgrant/launchpad/bug-1508277/+merge/275124

Bypass normal bug linking permission checks when linking CVES from comments.

Soyuz bug closures can fail in findCvesInText if the package changelog references a CVE and a private bug, as the comment is made by ~janitor but ~janitor can't see the bug.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/bug-1508277 into lp:launchpad.
=== modified file 'lib/lp/bugs/doc/cve.txt'
--- lib/lp/bugs/doc/cve.txt	2015-09-28 11:13:42 +0000
+++ lib/lp/bugs/doc/cve.txt	2015-10-21 04:01:33 +0000
@@ -97,6 +97,26 @@
     True
     >>> b.unlinkCVE(cve, user=no_priv)
 
+Since users can comment on bugs that they can't see (eg. when Soyuz uses
+~janitor to close bugs from changelogs), the normal privilege checks on
+linkCVE are bypassed.
+
+    >>> login('admin@xxxxxxxxxxxxx')
+    >>> from lp.app.enums import InformationType
+    >>> private_bug = factory.makeBug(
+    ...     information_type=InformationType.USERDATA)
+    >>> private_bug.linkCVE(cve, user=no_priv)
+    Traceback (most recent call last):
+    ...
+    Unauthorized: ...
+    >>> private_bug.findCvesInText('''
+    ...     This bug is related to CVE-2004-0276
+    ... ''', user=no_priv)
+    >>> cve in private_bug.cves
+    True
+    >>> private_bug.unlinkCVE(cve, user=private_bug.owner)
+    >>> login("test@xxxxxxxxxxxxx")
+
 == 2014 CVE identification format changes =  
 
 Since 2014, CVEs can have an identifier (sequence) longer than 4-digits.
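Review bot: the new paragraph explains that the privilege checks on linkCVE are bypassed, but not why that is safe; since findCvesInText only links CVEs that appear in a comment the same user was already allowed to post on the bug, say so explicitly, otherwise the sentence reads as a general relaxation of linkCVE's checks. Also "eg." should be "e.g.", and the doctest creates the private bug while logged in as admin and then exercises `user=no_priv`, so a reader needs the paragraph to make the ~janitor connection, which the example itself does not show.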

=== modified file 'lib/lp/bugs/model/bug.py'
--- lib/lp/bugs/model/bug.py	2015-10-09 15:49:14 +0000
+++ lib/lp/bugs/model/bug.py	2015-10-21 04:01:33 +0000
@@ -1407,7 +1407,7 @@
         """See `IBug`."""
         cves = getUtility(ICveSet).inText(text)
         for cve in cves:
-            self.linkCVE(cve, user)
+            self.linkCVE(cve, user, check_permissions=False)
 
     # Several other classes need to generate lists of bugs, and
     # one thing they often have to filter for is completeness. We maintain
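Review bot: the only change is adding `check_permissions=False` at the call site in findCvesInText, and the linkCVE signature is not touched in this diff, so confirm that linkCVE already accepts a keyword argument with exactly that name and that `False` disables only the per-user check the doctest shows raising Unauthorized. The call site also carries no comment on why permission checks are skipped here; a one-line comment noting the Soyuz/~janitor case (users can comment on bugs they cannot see) would keep the bypass from being "cleaned up" later by someone who never reads cve.txt.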

