launchpad-reviewers team mailing list archive
-
launchpad-reviewers team
-
Mailing list archive
-
Message #32213
Re: [Merge] ~ruinedyourlife/launchpad:sourcecraft-private-builds into launchpad:master
Diff comments:
> diff --git a/lib/lp/crafts/model/craftrecipe.py b/lib/lp/crafts/model/craftrecipe.py
> index 9f2071f..3500de0 100644
> --- a/lib/lp/crafts/model/craftrecipe.py
> +++ b/lib/lp/crafts/model/craftrecipe.py
> @@ -1088,10 +1095,32 @@ class CraftRecipeBuildRequest:
>
> def get_craft_recipe_privacy_filter(user):
> """Return a Storm query filter to find craft recipes visible to `user`."""
> + from storm.expr import And, Exists, Or, Select
> +
> public_filter = CraftRecipe.information_type.is_in(
> PUBLIC_INFORMATION_TYPES
> )
>
> - # XXX ruinedyourlife 2024-10-02: Flesh this out once we have more privacy
> - # infrastructure.
> - return [public_filter]
> + if user is None:
> + return [public_filter]
> +
> + # Users can see private recipes they own or are part of the owning team
> + private_filter = And(
I wonder if the permission checks here need to be more nuanced and allow read access to the entities to which the target ref belongs to and edit access to the users returned by the query.
> + CraftRecipe.information_type.is_in(PRIVATE_INFORMATION_TYPES),
> + Or(
> + CraftRecipe.owner == user,
> + CraftRecipe.registrant == user,
> + # If the user is in the owning team
> + Exists(
> + Select(
> + (TeamParticipation.team_id,),
> + And(
> + TeamParticipation.person == user.id,
> + TeamParticipation.team == CraftRecipe.owner_id,
> + ),
> + )
> + ),
> + ),
> + )
> +
> + return [Or(public_filter, private_filter)]
--
https://code.launchpad.net/~ruinedyourlife/launchpad/+git/launchpad/+merge/481029
Your team Launchpad code reviewers is requested to review the proposed merge of ~ruinedyourlife/launchpad:sourcecraft-private-builds into launchpad:master.
References
