The proposal to merge lp:~adeuring/launchpad/productseries-sec-adapter into lp:launchpad has been updated.
Description changed to:

This branch adds a "sharing aware" security adapter for IProductSeries. Serieses of private products are now only shown to persons with policy grants for the product; the only exceptions are some attributes that do not leak any "real" information: the database ID, and the method userCanView().

Details of the change:

lp/registry/configure.zcml:

Access to most attributes and to "partial" interfaces that were public now requires the permission launchpad.View; the permission launchpad.AnyPerson is replaced with launchpad.AnyAllowedPerson. (lp.services.webapp.authorization.LaunchpadSecurityPolicy.checkPermission() has a "shortcut" for the permission launchpad.AnyPerson: no dedicated security adapters are looked up for this permission, so the new rule "data for serieses of private products should only be visible for persons having a policy grant" cannot be implemented with this permission.)

lp/security.py:

The existing class ViewProductSeries derived from AnonymousAuthorization. This does not make sense anymore; instead the class now derives from AuthorizationBase and calls the new method ProductSeries.userCanView() for the real authorization check.

The new class ChangeProductSeries does the authorization check for the permission launchpad.AnyAllowedPerson.

lp/registry/interfaces/productseries.py:

The existing interface IProductSeriesPublic now defines only the DB ID and the method userCanView(); all other attributes are defined in the new class IProductSeriesView.

lp/registry/model/productseries.py:

The new method userCanView(). The actual permission check is done by IProduct.userCanView().

lp/registry/tests/test_productseries.py:

Tests for the permissions. The test class properties expected_get_permissions and expected_set_permissions are also intended to document which permissions are actually used for IProductSeries.
test:

./bin/test registry -vvt lp.registry.tests.test_productseries.ProductSeriesSecurityAdaperTestCase

no lint

Update: I'm running an EC2 test for this branch; several failures are fixed in r 10250.

The tests lp.registry.tests.test_packaging.TestCreatePackaging.test_createPackaging_refuses_EMBARGOED and lp.registry.tests.test_packaging.TestCreatePackaging.test_createPackaging_refuses_PROPRIETARY failed in lp.registry.packaging.PackagingUtil.createPackaging() because productseries.product is no longer available. To fix these tests, I added the interface IInformationType to IProduct.

The other failures were either Unauthorized exceptions, or, in browser tests, "AttributeError: 'thread._local' object has no attribute 'interaction'". When a browser instance is created, an existing interaction is terminated, so that thread._local.interaction is no longer available outside a browser call -- but the current user is stored as an attribute of interaction, and the new security tests require a check if this user has access rights. The most easy fix is to access some required attribute the browser object is created.
additional tests:

lp.registry.tests.test_productseries.TestProductSeriesInformationType
lp.code.browser.tests.test_branchlisting.TestProductSeriesTemplate.test_product_series_link
lp.registry.browser.tests.test_sourcepackage_views.TestSourcePackageChangeUpstreamView.test_error_on_proprietary_productseries
lp.registry.tests.test_packaging.TestCreatePackaging.test_createPackaging_refuses_EMBARGOED
lp.registry.tests.test_packaging.TestCreatePackaging.test_createPackaging_refuses_PROPRIETARY
lp.registry.tests.test_sourcepackage.TestSourcePackage.test_refuses_PROPRIETARY

For more details, see:
https://code.launchpad.net/~adeuring/launchpad/productseries-sec-adapter/+merge/130305

Your team Launchpad code reviewers is requested to review the proposed merge of lp:~adeuring/launchpad/productseries-sec-adapter into lp:launchpad.
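
The checkPermission() "shortcut" described in the message above, as an added toy model that is not Launchpad's code and not part of the original message. The permission, class and method names are taken from the description; the Product/ProductSeries stand-ins, the ADAPTERS table, check_permission() and the rule that launchpad.AnyAllowedPerson needs a logged-in user are assumptions made for illustration.

```python
# Toy model only: names mirror the merge proposal text, the logic is assumed.

class Product:
    def __init__(self, private, grantees=()):
        self.private = private
        self.grantees = set(grantees)  # persons holding a policy grant

    def userCanView(self, user):
        return not self.private or user in self.grantees


class ProductSeries:
    def __init__(self, product):
        self.product = product

    def userCanView(self, user):
        # As in the description: the product makes the actual decision.
        return self.product.userCanView(user)


class ViewProductSeries:
    permission = "launchpad.View"

    def check(self, series, user):
        return series.userCanView(user)


class ChangeProductSeries:
    permission = "launchpad.AnyAllowedPerson"

    def check(self, series, user):
        # Assumption: logged in AND allowed to view the series.
        return user is not None and series.userCanView(user)


ADAPTERS = {a.permission: a() for a in (ViewProductSeries, ChangeProductSeries)}


def check_permission(permission, obj, user):
    # The "shortcut": any logged-in user passes and no adapter is looked up,
    # so a per-object rule can never be attached to this permission.
    if permission == "launchpad.AnyPerson":
        return user is not None
    adapter = ADAPTERS.get(permission)
    return adapter is not None and adapter.check(obj, user)
```

With a private product whose only grantee is "alice", the model grants launchpad.AnyPerson to any logged-in user but grants launchpad.AnyAllowedPerson only to "alice", which is why the branch swaps the permission in configure.zcml.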

