launchpad-reviewers team mailing list archive

Re: [Merge] lp:~wgrant/launchpad/bug-1083709-again into lp:launchpad

 


Diff comments:

> 
> === modified file 'lib/lp/security.py'
> --- lib/lp/security.py	2016-08-23 08:05:44 +0000
> +++ lib/lp/security.py	2016-09-20 00:39:35 +0000
> @@ -1710,9 +1710,8 @@
>      usedfor = IProductRelease
>  
>      def checkAuthenticated(self, user):
> -        if (user.inTeam(self.obj.productseries.owner) or
> -            user.inTeam(self.obj.productseries.product.owner) or
> -            user.inTeam(self.obj.productseries.driver)):
> +        if (user.isOwner(self.obj.productseries.product) or

The omission was deliberate -- the existing code is in fact somewhat of a security vulnerability. ProductSeries.owner seems to be intended more as a registrant, except that it's mutable through the API. It's not displayed or configurable in the UI, and used only by this security adapter and as the uploader for bzr Translations uploads.

DistroSeries.owner is more sensible, directly delegating to Distribution.owner. One day ProductSeries.owner might join it.

> +            user.isDriver(self.obj.productseries)):
>              # The user is an owner or a release manager.
>              return True
>          return EditByOwnersOrAdmins.checkAuthenticated(
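
Review bot: The retained comment "# The user is an owner or a release manager." in checkAuthenticated no longer says which owner counts, and nothing in the code records that the `user.inTeam(self.obj.productseries.owner)` check was dropped on purpose. Suggest rewording the comment to say that only the product owner and the series driver qualify here and that ProductSeries.owner is intentionally not consulted, so the check is not restored later by mistake. A test covering a user who is only in the ProductSeries.owner team would pin that down. It is also worth confirming that `user.isDriver(self.obj.productseries)` grants access to the same set of people as the old `user.inTeam(self.obj.productseries.driver)`, since the hunk does not show whether the helper considers any other drivers.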


-- 
https://code.launchpad.net/~wgrant/launchpad/bug-1083709-again/+merge/306167
Your team Launchpad code reviewers is subscribed to branch lp:launchpad.
