Merge lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments into lp:launchpad/db-devel
Proposed by
Abel Deuring
Status: | Merged |
---|---|
Merged at revision: | 9617 |
Proposed branch: | lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments |
Merge into: | lp:launchpad/db-devel |
Diff against target: | 18 lines (+14/-0), 1 file modified: database/schema/patch-2207-79-0.sql (+14/-0) |
To merge this branch: | bzr merge lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Stuart Bishop (community) | db | | Approve |
Robert Collins (community) | | | Needs Fixing |
Review via email: mp+31563@code.launchpad.net |
Description of the change
This branch adds a schema patch to update the "restricted" flag of LibraryFileAlias records belonging to bug attachments of private bugs.
A related branch, lp:~adeuring/launchpad/bug-39674-flip-lfa-restricted-flag , will land soon which will set LFA.restricted when a bug attachment is added to a private bug or when Bug.setPrivate() is called. We should also set LFA.restricted for existing data once this branch is merged.
So, we have a problem here - making user content visible in the launchpad.net domain is a huge security hole - we can't do it at all safely - we need to either:
- set content-disposition: attachment
- serve the content from a different domain (I have a proof of concept branch working on this).
So, while this is slightly the wrong venue, we need to ensure that one of the two above things happens *before* any private bug attachments are served.
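As an added illustration of the first option in the comment above (not code from Launchpad or from this branch): a minimal WSGI handler that serves stored user files with `Content-Disposition: attachment`, so the browser downloads them instead of rendering them in the serving origin. The store, paths and function names are hypothetical; forcing `application/octet-stream` and adding `nosniff` are assumptions that go beyond what the comment states.

```python
import re
from urllib.parse import quote

# Constructed sample store standing in for uploaded bug attachments (hypothetical).
STORE = {"/1/report.html": b"<html>user-supplied markup</html>"}


def attachment_headers(filename):
    """Headers that make a browser download user content instead of rendering it."""
    # Keep the last path component and drop control characters; CR/LF in a
    # user-chosen name would otherwise allow response-header injection.
    name = re.split(r"[\\/]", filename)[-1]
    name = "".join(ch for ch in name if ch.isprintable()).strip(" .") or "attachment"
    # ASCII fallback inside a quoted-string, plus RFC 6266 filename* for the real name.
    fallback = re.sub(r'["\\;]', "_", name.encode("ascii", "replace").decode("ascii"))
    disposition = "attachment; filename=\"%s\"; filename*=UTF-8''%s" % (
        fallback, quote(name, safe=""))
    return [
        ("Content-Type", "application/octet-stream"),  # never the uploader's type
        ("Content-Disposition", disposition),
        ("X-Content-Type-Options", "nosniff"),
    ]


def app(environ, start_response):
    """Serve a stored file as a download; unknown paths get a plain 404."""
    path = environ.get("PATH_INFO", "")
    body = STORE.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    headers = attachment_headers(path) + [("Content-Length", str(len(body)))]
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```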