~launchpad-pqm/launchpad/devel

Security
========

These tests illustrate how the security model works with the
Launchpad data model objects.


Visibility
----------

A user without permission to see items in a collection will, of
course, not see those items. The 'salgado' user can see all bugs on the
site.

  >>> salgado_output = webservice.get("/bugs?ws.size=50").jsonBody()
  >>> salgado_output['total_size']
  15
  >>> len(salgado_output['entries'])
  15

But the 'no-priv' user can't see bug number 14, which is private.

  >>> print user_webservice.get("/bugs/14")
  HTTP/1.1 404 Not Found
  ...

  >>> nopriv_output = user_webservice.get(
  ...     "/bugs?ws.size=100").jsonBody()
  >>> nopriv_output['total_size']
  14
  >>> len(nopriv_output['entries'])
  14

Things are a little different for a user who has permission to see
private data, but is using an OAuth key that restricts the client to
operating on public data.

  >>> print public_webservice.get("/bugs/14")
  HTTP/1.1 404 Not Found
  ...

  >>> public_output = public_webservice.get(
  ...     "/bugs?ws.size=50").jsonBody()
  >>> public_output['total_size']
  15
  >>> len(public_output['entries'])
  14

Although this behavior is inconsistent, it doesn't leak any private
information, and implementing it consistently would be very difficult,
so it's good enough. What happened here is that the web service
request was made by a user who can see all 15 bugs, but with an OAuth
token that only allows access to public data. The individual bugs are
filtered against the OAuth token at a fairly high level, so private bug
14 is dropped from 'entries'; the 'total_size' count, however, comes
from database-level code that only respects the user who made the
request. The user can see 15 bugs, but their token can only see the 14
public bugs.
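To make the two filtering layers concrete, here is an added Python model of the behaviour described above. It is not Launchpad's own code: the Bug and Principal classes, the helper names and the 15-bug sample (bug 14 private) are constructed for illustration. It reproduces the count/entries mismatch and includes the check a reviewer would want, namely that no entry the token may not see ever reaches the client.

```python
from dataclasses import dataclass

# Constructed sample data mirroring the doctest: 15 bugs, bug 14 private.
# Hypothetical helper names; not Launchpad's own code.
@dataclass(frozen=True)
class Bug:
    id: int
    private: bool = False

@dataclass(frozen=True)
class Principal:
    name: str
    can_see_private: bool   # the user's own permission
    token_scope: str        # "public" or "all": what the OAuth token grants

BUGS = [Bug(i, private=(i == 14)) for i in range(1, 16)]

def db_visible_bugs(user: Principal) -> list:
    """Database-level visibility: respects only the user, not the token."""
    return [b for b in BUGS if not b.private or user.can_see_private]

def token_allows(user: Principal, bug: Bug) -> bool:
    """Higher-level per-entry filter: respects the token scope."""
    return not bug.private or user.token_scope == "all"

def collection(user: Principal) -> dict:
    """Mimic GET /bugs: total_size from the DB layer, entries token-filtered."""
    visible = db_visible_bugs(user)
    entries = [b.id for b in visible if token_allows(user, b)]
    return {"total_size": len(visible), "entries": entries}

def get_bug(user: Principal, bug_id: int) -> int:
    """Mimic GET /bugs/<id>: 404 unless both user and token may see it."""
    bug = next((b for b in BUGS if b.id == bug_id), None)
    if bug is None or bug not in db_visible_bugs(user) or not token_allows(user, bug):
        return 404
    return 200

def leaks_private(user: Principal, result: dict) -> bool:
    """Defender's check: does any returned entry exceed the token's scope?"""
    by_id = {b.id: b for b in BUGS}
    return any(not token_allows(user, by_id[i]) for i in result["entries"])

# The three principals from the doctest above.
salgado = Principal("salgado", can_see_private=True, token_scope="all")
nopriv = Principal("no-priv", can_see_private=False, token_scope="all")
public = Principal("salgado-public-token", can_see_private=True, token_scope="public")
```

Running `collection(public)` yields `total_size` 15 with 14 entries, while `leaks_private(public, ...)` stays False, which is the property that makes the inconsistency tolerable.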