launchpad-reviewers team mailing list archive

[Colin Watson <cjwatson@xxxxxxxxxxxxx>]

Colin Watson has proposed merging lp:~cjwatson/launchpad/crvr-anonymous into lp:launchpad.

Commit message:
Allow anonymous launchpad.View on ICodeReviewVoteReference for public merge proposals.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #1786474 in Launchpad itself: "Cannot view code_review_vote_reference collection contents when logged in anonymously"
  https://bugs.launchpad.net/launchpad/+bug/1786474

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/crvr-anonymous/+merge/354991
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/crvr-anonymous into lp:launchpad.

=== modified file 'lib/lp/code/model/tests/test_codereviewvote.py'
--- lib/lp/code/model/tests/test_codereviewvote.py	2017-10-04 01:53:48 +0000
+++ lib/lp/code/model/tests/test_codereviewvote.py	2018-09-15 19:23:00 +0000
@@ -1,10 +1,11 @@
-# Copyright 2009-2017 Canonical Ltd.  This software is licensed under the
+# Copyright 2009-2018 Canonical Ltd.  This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 from __future__ import absolute_import, print_function, unicode_literals
 
 from zope.security.interfaces import Unauthorized
 
+from lp.app.enums import InformationType
 from lp.code.enums import CodeReviewVote
 from lp.code.errors import (
     ClaimReviewFailed,
@@ -14,7 +15,10 @@
 from lp.code.interfaces.codereviewvote import ICodeReviewVoteReference
 from lp.code.tests.helpers import make_merge_proposal_without_reviewers
 from lp.services.database.constants import UTC_NOW
+from lp.services.webapp.authorization import check_permission
 from lp.testing import (
+    ANONYMOUS,
+    login,
     login_person,
     TestCaseWithFactory,
     )
@@ -40,6 +44,29 @@
             vote, 'date_created', UTC_NOW)
         self.assertProvides(vote, ICodeReviewVoteReference)
 
+    def test_anonymous_public(self):
+        """Anonymous users can see votes on public merge proposals."""
+        merge_proposal = make_merge_proposal_without_reviewers(self.factory)
+        reviewer = self.factory.makePerson()
+        login_person(merge_proposal.registrant)
+        vote = merge_proposal.nominateReviewer(
+            reviewer, merge_proposal.registrant)
+        login(ANONYMOUS)
+        self.assertTrue(check_permission('launchpad.View', vote))
+
+    def test_anonymous_private(self):
+        """Anonymous users cannot see votes on private merge proposals."""
+        owner = self.factory.makePerson()
+        login_person(owner)
+        target_branch = self.factory.makeBranch(
+            owner=owner, information_type=InformationType.USERDATA)
+        merge_proposal = make_merge_proposal_without_reviewers(
+            self.factory, target_branch=target_branch, registrant=owner)
+        reviewer = self.factory.makePerson()
+        vote = merge_proposal.nominateReviewer(reviewer, owner)
+        login(ANONYMOUS)
+        self.assertFalse(check_permission('launchpad.View', vote))
+
 
 class TestCodeReviewVoteReferenceClaimReview(TestCaseWithFactory):
     """Tests for CodeReviewVoteReference.claimReview."""

=== modified file 'lib/lp/security.py'
--- lib/lp/security.py	2018-06-15 13:21:14 +0000
+++ lib/lp/security.py	2018-09-15 19:23:00 +0000
@@ -2436,6 +2436,15 @@
         super(PreviewDiffView, self).__init__(obj, obj.branch_merge_proposal)
 
 
+class CodeReviewVoteReferenceView(DelegatedAuthorization):
+    permission = 'launchpad.View'
+    usedfor = ICodeReviewVoteReference
+
+    def __init__(self, obj):
+        super(CodeReviewVoteReferenceView, self).__init__(
+            obj, obj.branch_merge_proposal)
+
+
 class CodeReviewVoteReferenceEdit(DelegatedAuthorization):
     permission = 'launchpad.Edit'
     usedfor = ICodeReviewVoteReference