IBugTask permissions are not in security.py and are obtuse
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Low | Steve Kowalik | 
Bug Description
A bugtask's milestone and importance currently have different permission restrictions in the web UI than other attributes, such as assignee or status.
This is currently an informal hack that puts some security-checking code in the view. But importance can still be changed by anyone in the email interface, and this solution doesn't scale.
Here are some ideas for solving this problem:
* Create a new permission, launchpad.
* Write a checker for launchpad.Driver that does what we want, though the name "Driver" is a bit misleading here, because it's more than just drivers that can modify this attribute.
* Have a security policy that passes the name of the field being modified, so our checking can be more intelligent. This is harder to understand, and makes the checker code less reusable.
The most practical short-term solution, IMHO, is to add another permission.
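As an added illustration of the "add another permission" idea above (constructed example, not Launchpad's own security.py or IBugTask code): a per-field permission map is consulted on the model object itself, so the web UI and the email interface hit the same check. The permission name `launchpad.Driver`, the role names and the `BugTask` class here are assumptions for the example only.

```python
from dataclasses import dataclass

# Constructed model of field-level permission checks placed on the model
# rather than in one view. Names are hypothetical, not Launchpad's.

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

# Which permission each attribute requires (hypothetical names).
FIELD_PERMISSIONS = {
    "status": "launchpad.Edit",
    "assignee": "launchpad.Edit",
    "milestone": "launchpad.Driver",    # stricter than the rest
    "importance": "launchpad.Driver",
}

class Unauthorized(Exception):
    pass

def check_permission(permission, user):
    """Checker: Edit for any logged-in user; Driver for owners and drivers
    (more than just drivers, as the bug description notes)."""
    if user is None:
        return False
    if permission == "launchpad.Edit":
        return True
    if permission == "launchpad.Driver":
        return bool(user.roles & {"owner", "driver"})
    return False

def can_change(name, user):
    return check_permission(FIELD_PERMISSIONS[name], user)

class BugTask:
    def __init__(self):
        self._fields = {"status": "New", "assignee": None,
                        "milestone": None, "importance": "Undecided"}

    def get(self, name):
        return self._fields[name]

    def set(self, name, value, user):
        # Every front end (web, email, API) funnels through here, so the
        # restriction cannot be bypassed by choosing another interface.
        if not can_change(name, user):
            raise Unauthorized(f"{name} needs {FIELD_PERMISSIONS[name]}")
        self._fields[name] = value

def email_set_importance(task, user, value):
    """Simulated email-command path; it reuses the same model check."""
    task.set("importance", value, user)
```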
Changed in malone:
status: Unconfirmed → Confirmed
description: updated
tags: added: tech-debt

Changed in malone:
status: Confirmed → Triaged
importance: Undecided → Low
summary:
- Need a way to protect milestone and importance differently from the rest of IBugTask
+ IBugTask permissions are not in security.py and are obtuse
tags: added: disclosure hardening
The permissions were moved into the model to accommodate API needs, but the permissions are independent of security.py and somewhat obtuse.