launchpad-reviewers team mailing list archive
Message #29582
[Merge] ~cjwatson/launchpad:branch-subscription-security into launchpad:master
Colin Watson has proposed merging ~cjwatson/launchpad:branch-subscription-security into launchpad:master.
Commit message:
Fix security declarations for I{Branch,Git}Subscription
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
Related bugs:
Bug #1445028 in Launchpad itself: "Branch subscription security declaration is nonsense"
https://bugs.launchpad.net/launchpad/+bug/1445028
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/436198
I'm not sure whether these were actually a problem in practice since the corresponding UI views had appropriate permissions, but defence in depth is normally a good idea.
--
Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:branch-subscription-security into launchpad:master.
diff --git a/lib/lp/code/configure.zcml b/lib/lp/code/configure.zcml
index 035facb..b962de7 100644
--- a/lib/lp/code/configure.zcml
+++ b/lib/lp/code/configure.zcml
@@ -351,7 +351,7 @@
<allow interface="lp.code.interfaces.branchsubscription.IBranchSubscription"/>
<allow interface="lp.code.interfaces.branchtarget.IHasBranchTarget"/>
<require
- permission="zope.Public"
+ permission="launchpad.Edit"
set_schema="lp.code.interfaces.branchsubscription.IBranchSubscription"/>
</class>
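Review bot: The new permission="launchpad.Edit" on the set_schema require for IBranchSubscription depends on an authorization adapter for launchpad.Edit on that interface, and this diff touches only configure.zcml. Please confirm that such an adapter is already registered and that it grants edit to the people who are expected to manage a subscription through the existing views. If it is missing or too narrow, attribute writes that worked under zope.Public could start being refused.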
@@ -893,7 +893,7 @@
<class class="lp.code.model.gitsubscription.GitSubscription">
<allow interface="lp.code.interfaces.gitsubscription.IGitSubscription"/>
<require
- permission="zope.Public"
+ permission="launchpad.Edit"
set_schema="lp.code.interfaces.gitsubscription.IGitSubscription"/>
</class>
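Review bot: Nothing in the patch exercises the changed require on the set_schema for IGitSubscription (or the matching one for IBranchSubscription), so a later edit could put zope.Public back unnoticed. Suggest a regression test for each class that setting a schema attribute as an unrelated logged-in user raises Unauthorized, and that a user holding launchpad.Edit can still set it. It would also help to say in the commit message whether the unchanged allow interface="lp.code.interfaces.gitsubscription.IGitSubscription" line, which leaves the interface's attributes readable without a permission check, is intentional.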