Code review comment for lp:~edwin-grubbs/launchpad/bug-297833-invite-private-team

Curtis Hovey (sinzui) wrote :

Hi Edwin.

Thanks for providing a fix for this situation. Brad and I discussed the issue of allowing true private teams to be members today. It is still a security nightmare. There is no easy fix, and the Launchpad team is not investing in fixing this in the next 6 months. I think your approach is correct, but I have a concern about the test on line 37: if I am not a member of the private team, I am not allowed to know it exists. This helpful warning will allow me to guess the existence of team names by trying to make them members.

Launchpad shows a 404 for teams that you cannot know. In this situation, the correct error is to say the team/person does not exist. If I am a member of the private team, then I may know that the relationship is forbidden.

review: Needs Information (code)
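The existence oracle the reviewer describes, as an added Python example that is not Launchpad code and not part of this merge proposal. The team registry, the team names (`public-devs`, `secret-ops`), the viewers (`alice`, `mallory`) and the status constants are all constructed for the example. `validate_member_leaky` answers "private, forbidden" to anyone, so a non-member can tell a real private team from a name that does not exist; `validate_member_fixed` applies the rule behind Launchpad's 404 for hidden teams, reporting a team the viewer may not know about exactly as a nonexistent one, so only members learn that the relationship is forbidden.

```python
from dataclasses import dataclass, field

# Status codes a membership check can return; the caller renders a message
# from these rather than from anything that would leak the team's state.
NOT_FOUND = "no such person or team"
PRIVATE_FORBIDDEN = "private team cannot be a member"
OK = "ok"


@dataclass
class Team:
    name: str
    private: bool = False
    members: set = field(default_factory=set)


# Constructed sample registry (hypothetical names, not real Launchpad teams).
REGISTRY = {
    "public-devs": Team("public-devs"),
    "secret-ops": Team("secret-ops", private=True, members={"alice"}),
}


def can_see(viewer: str, team: Team) -> bool:
    """A private team is visible only to its own members."""
    return not team.private or viewer in team.members


def validate_member_leaky(viewer: str, candidate: str) -> str:
    """'Before' behaviour: the answer distinguishes an existing private team
    from a name that does not exist, regardless of who is asking. A
    non-member can therefore enumerate private team names by proposing
    them as members and watching which ones come back 'forbidden'."""
    team = REGISTRY.get(candidate)
    if team is None:
        return NOT_FOUND
    if team.private:
        return PRIVATE_FORBIDDEN
    return OK


def validate_member_fixed(viewer: str, candidate: str) -> str:
    """Hardened: a team the viewer is not allowed to know about is reported
    exactly as a nonexistent one, so the two cases are indistinguishable
    to a non-member. A member of the private team still gets the useful
    'forbidden' answer."""
    team = REGISTRY.get(candidate)
    if team is None or not can_see(viewer, team):
        return NOT_FOUND
    if team.private:
        return PRIVATE_FORBIDDEN
    return OK


def oracle_distinguishes(check, viewer: str, real_private: str, bogus: str) -> bool:
    """True when `check` lets `viewer` tell a real private team apart from a
    name that does not exist at all, i.e. when it is an existence oracle."""
    return check(viewer, real_private) != check(viewer, bogus)


if __name__ == "__main__":
    for check in (validate_member_leaky, validate_member_fixed):
        leaks = oracle_distinguishes(check, "mallory", "secret-ops", "secret-ops-2")
        print(f"{check.__name__}: non-member can enumerate private teams = {leaks}")
```

The status value must not carry the team's state either: echoing the candidate name back is harmless, but any difference in wording, response time or HTTP status between the "hidden" and "nonexistent" branches reopens the oracle, so both branches share one code path here.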
