Merge lp:~rockstar/launchpad/fix-cancel-rescore-permissions into lp:launchpad/db-devel

Proposed by Paul Hummer
Status: Merged
Approved by: Aaron Bentley
Approved revision: no longer in the source branch.
Merged at revision: 9642
Proposed branch: lp:~rockstar/launchpad/fix-cancel-rescore-permissions
Merge into: lp:launchpad/db-devel
Diff against target: 119 lines (+35/-6)
4 files modified
lib/canonical/launchpad/security.py (+6/-3)
lib/lp/code/browser/configure.zcml (+3/-3)
lib/lp/code/browser/tests/test_sourcepackagerecipe.py (+17/-0)
lib/lp/code/browser/tests/test_sourcepackagerecipebuild.py (+9/-0)
To merge this branch: bzr merge lp:~rockstar/launchpad/fix-cancel-rescore-permissions
Reviewer Review Type Date Requested Status
Julian Edwards (community) rc Approve
Aaron Bentley (community) Approve
Review via email: mp+32126@code.launchpad.net

Description of the change

This branch fixes bug #615144. It changes the access permissions on some views so that they can only be accessed by people who could see the links to those pages in the first place. It also adds tests to make sure the views behave as described. I'm not sure we really have much (but some) precedent for testing that you DON'T have access, but the tests are there now anyway. I also swapped permissions from requiring admin or bazaar experts to cancel the build to buildd-admin and bazaar experts to cancel the build, per bigjools' comment #6 in the bug.

Aaron Bentley (abentley) wrote :

We should change the name of the launchpad.Edit permission on SourcePackageRecipeBuild to launchpad.Admin in the future.

review: Approve
Julian Edwards (julian-edwards) :
review: Approve (rc)
Julian Edwards (julian-edwards) wrote :

This should have been a private MP!

Preview Diff

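--- a/lib/canonical/launchpad/security.py
+++ b/lib/canonical/launchpad/security.py
@@ -1171,14 +1171,17 @@
 usedfor = ICodeImportMachine
 
 
-class DeleteSourcePackageRecipeBuilds(OnlyBazaarExpertsAndAdmins):
- """Control who can delete SourcePackageRecipeBuilds.
+class EditSourcePackageRecipeBuilds(AuthorizationBase):
+ """Control who can edit SourcePackageRecipeBuilds.
 
- Access is restricted to members of ~bazaar-experts and Launchpad admins.
+ Access is restricted to members of ~bazaar-experts and Buildd Admins.
 """
 permission = 'launchpad.Edit'
 usedfor = ISourcePackageRecipeBuild
 
+ def checkAuthenticated(self, user):
+ return user.in_bazaar_experts or user.in_buildd_admin
+
 
 class AdminDistributionTranslations(AuthorizationBase):
 """Class for deciding who can administer distribution translations.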
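Review bot: `checkAuthenticated` in `EditSourcePackageRecipeBuilds` has no docstring or comment recording that Launchpad admins, who were allowed under the old `OnlyBazaarExpertsAndAdmins` base, are now excluded on purpose. This adapter decides `launchpad.Edit` wherever that permission is used on `ISourcePackageRecipeBuild`, so a later reader could take the missing admin check for an oversight and re-add it. I would add a method docstring such as `"""Allow only ~bazaar-experts and buildd admins; Launchpad admins are deliberately not included (bug 615144)."""`. Unauthenticated users are presumably denied by the `AuthorizationBase` default, which is not visible in this hunk.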
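--- a/lib/lp/code/browser/configure.zcml
+++ b/lib/lp/code/browser/configure.zcml
@@ -1129,13 +1129,13 @@
 class="lp.code.browser.sourcepackagerecipebuild.SourcePackageRecipeBuildCancelView"
 name="+cancel"
 template="../../app/templates/generic-edit.pt"
- permission="launchpad.View"/>
+ permission="launchpad.Edit"/>
 <browser:page
 for="lp.code.interfaces.sourcepackagerecipebuild.ISourcePackageRecipeBuild"
 class="lp.code.browser.sourcepackagerecipebuild.SourcePackageRecipeBuildRescoreView"
 name="+rescore"
 template="../../app/templates/generic-edit.pt"
- permission="launchpad.View"/>
+ permission="launchpad.Edit"/>
 <browser:menus
 classes="
 SourcePackageRecipeNavigationMenu
@@ -1159,7 +1159,7 @@
 <browser:page
 for="lp.code.interfaces.sourcepackagerecipe.ISourcePackageRecipe"
 class="lp.code.browser.sourcepackagerecipe.SourcePackageRecipeDeleteView"
- permission="zope.Public"
+ permission="launchpad.Edit"
 facet="branches"
 name="+delete"
 template="../../app/templates/generic-edit.pt"/>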
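Review bot: Raising the `permission` on the `+cancel`, `+rescore` and `+delete` page registrations closes the browser path only; nothing in these hunks shows whether the model methods those views call are themselves declared under `launchpad.Edit` in the interfaces' security declarations. If they remain reachable under `launchpad.View` or `zope.Public`, any other caller (another view, the web service) would bypass the check added here, so that is worth confirming alongside this change. For `+delete` the effective rule is whatever adapter handles `launchpad.Edit` on `ISourcePackageRecipe`, which is outside this diff. A short ZCML comment above each page, e.g. `<!-- launchpad.Edit: must match the condition under which the menu link is shown -->`, would help keep link visibility and view permission from drifting apart again.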
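--- a/lib/lp/code/browser/tests/test_sourcepackagerecipe.py
+++ b/lib/lp/code/browser/tests/test_sourcepackagerecipe.py
@@ -13,6 +13,7 @@
 from textwrap import dedent
 
 import transaction
+from mechanize import LinkNotFoundError
 from pytz import utc
 from zope.security.interfaces import Unauthorized
 from zope.security.proxy import removeSecurityProxy
@@ -922,3 +923,19 @@
 self.assertEqual(
 'http://code.launchpad.dev/~chef',
 browser.url)
+
+ def test_delete_recipe_no_permissions(self):
+ recipe = self.factory.makeSourcePackageRecipe(owner=self.chef)
+ nopriv_person = self.factory.makePerson()
+ recipe_url = canonical_url(recipe)
+
+ browser = self.getUserBrowser(
+ recipe_url, user=nopriv_person)
+
+ self.assertRaises(
+ LinkNotFoundError,
+ browser.getLink, 'Delete recipe')
+
+ self.assertRaises(
+ Unauthorized,
+ self.getUserBrowser, recipe_url + '/+delete', user=nopriv_person)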
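Review bot: `test_delete_recipe_no_permissions` has no docstring and covers only a logged-in user with no privileges; the anonymous case, which the old `zope.Public` registration also admitted, is not exercised. I would add `"""A user who cannot edit the recipe sees no delete link and gets Unauthorized for +delete."""` and, if the test base class offers an anonymous browser helper (not visible here), a second assertion for it. Building the URL by concatenation (`recipe_url + '/+delete'`) works, but `canonical_url(recipe, view_name='+delete')` states the intent more directly.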
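--- a/lib/lp/code/browser/tests/test_sourcepackagerecipebuild.py
+++ b/lib/lp/code/browser/tests/test_sourcepackagerecipebuild.py
@@ -9,6 +9,7 @@
 from mechanize import LinkNotFoundError
 import transaction
 from zope.component import getUtility
+from zope.security.interfaces import Unauthorized
 from zope.security.proxy import removeSecurityProxy
 
 from canonical.launchpad.interfaces.launchpad import ILaunchpadCelebrities
@@ -96,6 +97,10 @@
 LinkNotFoundError,
 browser.getLink, 'Cancel build')
 
+ self.assertRaises(
+ Unauthorized,
+ self.getUserBrowser, build_url + '/+cancel', user=self.chef)
+
 def test_cancel_build_wrong_state(self):
 """If the build isn't queued, you can't cancel it."""
 experts = getUtility(ILaunchpadCelebrities).bazaar_experts.teamowner
@@ -176,6 +181,10 @@
 LinkNotFoundError,
 browser.getLink, 'Rescore build')
 
+ self.assertRaises(
+ Unauthorized,
+ self.getUserBrowser, build_url + '/+rescore', user=self.chef)
+
 def test_rescore_build_wrong_state(self):
 """If the build isn't queued, you can't rescore it."""
 experts = getUtility(ILaunchpadCelebrities).bazaar_experts.teamowner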
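Review bot: The assertions added to the cancel and rescore tests only prove that `self.chef` is refused; nothing in these hunks checks the other half of the permission change, namely that a buildd admin is now allowed and a plain Launchpad admin no longer is. The later tests visible as context log in as `bazaar_experts.teamowner`, so the new `in_buildd_admin` branch of the security adapter appears to be untested here. A pair of tests that open `build_url + '/+cancel'` as a buildd admin (expect success) and as a Launchpad admin (expect `Unauthorized`) would pin the intended policy. The enclosing test methods begin outside the hunks, so how `self.chef` is set up cannot be confirmed from this diff.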
