
launchpad-reviewers team mailing list archive

Re: [Merge] ~lgp171188/launchpad:enforce-stricter-permission-check-when-a-bug-is-locked-down into launchpad:master

 


Diff comments:

> diff --git a/lib/lp/bugs/security.py b/lib/lp/bugs/security.py
> index b60b426..bdef636 100644
> --- a/lib/lp/bugs/security.py
> +++ b/lib/lp/bugs/security.py
> @@ -166,6 +167,21 @@ class EditBug(AuthorizationBase):
>                  user, permission='launchpad.Append'):
>              # The user cannot even see the bug.
>              return False
> +
> +        def in_allowed_roles():
> +            return (
> +                # The bug reporter can always edit their own bug.
> +                user.inTeam(self.obj.owner) or

I have updated this in the latest revision to prevent the bug reporter from editing a locked bug.

> +                # Users with relevant roles can edit the bug.
> +                user.in_admin or
> +                user.in_commercial_admin or
> +                user.in_registry_experts or
> +                _has_any_bug_role(user, self.obj.bugtasks)
> +            )
> +
> +        if self.obj.lock_status == BugLockStatus.COMMENT_ONLY:
> +            return in_allowed_roles()
> +
>          return (
>              # If the bug is private, then we don't need more elaborate
>              # checks as they must have been explicitly subscribed.
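
Review bot: In in_allowed_roles(), the first clause `user.inTeam(self.obj.owner)` lets the bug reporter keep edit access while lock_status is BugLockStatus.COMMENT_ONLY, so the lock does not apply to the person who filed the bug. If the lock is meant to restrict everyone except admins, commercial admins, registry experts and users with a bug role on one of the bugtasks, drop that clause together with its "can always edit their own bug" comment, and add a test asserting that the reporter is denied on a COMMENT_ONLY bug. The helper is also called only once, so it could be inlined into the `if` branch or renamed to say that it applies to locked bugs.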


-- 
https://code.launchpad.net/~lgp171188/launchpad/+git/launchpad/+merge/414097
Your team Launchpad code reviewers is requested to review the proposed merge of ~lgp171188/launchpad:enforce-stricter-permission-check-when-a-bug-is-locked-down into launchpad:master.


