launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] lp:~wgrant/launchpad/bug-1083709-again into lp:launchpad

To: William Grant <me@xxxxxxxxxxxxxxxxxx>
From: William Grant <me@xxxxxxxxxxxxxxxxxx>
Date: Sun, 02 Oct 2016 06:47:54 -0000
In-reply-to: <20160920004038.21262.10020.launchpad@ackee.canonical.com>
Reply-to: mp+306167@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx


Diff comments:

> 
> === modified file 'lib/lp/security.py'
> --- lib/lp/security.py	2016-08-23 08:05:44 +0000
> +++ lib/lp/security.py	2016-09-20 00:39:35 +0000
> @@ -1710,9 +1710,8 @@
>      usedfor = IProductRelease
>  
>      def checkAuthenticated(self, user):
> -        if (user.inTeam(self.obj.productseries.owner) or
> -            user.inTeam(self.obj.productseries.product.owner) or
> -            user.inTeam(self.obj.productseries.driver)):
> +        if (user.isOwner(self.obj.productseries.product) or

The omission was deliberate -- the existing code is in fact somewhat of a security vulnerability. ProductSeries.owner seems to be intended more as a registrant, except that it's mutable through the API. It's not displayed or configurable in the UI, and used only by this security adapter and as the uploader for bzr Translations uploads.

DistroSeries.owner is more sensible, directly delegating to Distribution.owner. One day ProductSeries.owner might join it.

> +            user.isDriver(self.obj.productseries)):
>              # The user is an owner or a release manager.
>              return True
>          return EditByOwnersOrAdmins.checkAuthenticated(


-- 
https://code.launchpad.net/~wgrant/launchpad/bug-1083709-again/+merge/306167
Your team Launchpad code reviewers is subscribed to branch lp:launchpad.

References

[Merge] lp:~wgrant/launchpad/bug-1083709-again into lp:launchpad
From: William Grant, 2016-09-20