Launchpad itself

Trying to access rss feeds of a private bug OOPSes

Bug #302097 reported by Ursula Junque
4
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Critical
Ian Booth

Bug Description

As seen on OOPS-1060EB129, trying to access the rss feeds of a private bug - that you have access - gives you a Forbidden error, and says you're not logged in. When trying to login, it gives a Page not found error, and OOPSes:

 NotFound: Object: <canonical.launchpad.webapp.servers.FeedsPublication object at 0x953c290>, name: ''

Steps to reproduce:
1) Go to a private bug, for instance https://bugs.edge.launchpad.net/bugs/292398
2) Click on the rss feed icon (on firefox), on the address bar, to subscribe to changes on the bug. You'll get a Not allowed here error, and lp will tell you're not logged in.
3) Click on the "Log in/Register" link in the error page. You get a "Lost something?" page warning about the generated OOPS, and you can't see the traceback.

See original description

Related branches

lp:~wallyworld/launchpad/no-private-bug-rss
Jeroen T. Vermeulen (community): Approve (code)
Diff: 306 lines (+119/-45)
6 files modified
lib/canonical/launchpad/browser/feeds.py (+29/-2)
lib/canonical/launchpad/pagetests/feeds/xx-authentication.txt (+0/-26)
lib/canonical/launchpad/pagetests/feeds/xx-links.txt (+49/-0)
lib/canonical/launchpad/pagetests/feeds/xx-security.txt (+3/-10)
lib/lp/bugs/feed/bug.py (+16/-4)
lib/lp/code/feed/branch.py (+22/-3)
Ursula Junque (ursinha)
description: updated
Diogo Matsubara (matsubara)
Changed in launchpad-registry:
status: New → Triaged
Revision history for this message
Curtis Hovey (sinzui) wrote :

RSS feeds are not secure, and they are cached for everyone. These rules conflict with the intent of privacy. I do not see a simple fix for this.

Changed in launchpad-registry:
importance: Undecided → Low
Curtis Hovey (sinzui)
affects: launchpad-registry → malone
Robert Collins (lifeless)
Changed in launchpad:
importance: Low → Critical
Revision history for this message
Tim Penhey (thumper) wrote :

The general approach is not to private an RSS feed for anything private

Curtis Hovey (sinzui)
tags: added: easy
Ian Booth (wallyworld)
Changed in launchpad:
assignee: nobody → Ian Booth (wallyworld)
Ian Booth (wallyworld)
Changed in launchpad:
status: Triaged → In Progress
status: In Progress → Triaged
Ian Booth (wallyworld)
Changed in launchpad:
status: Triaged → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r13110 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/13110>.

tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Revision history for this message
Curtis Hovey (sinzui) wrote :

This may not really be ready to QA. qastaging does not support feeds. Visiting http://feeds.staging.launchpad.net/bugs/292398/bug.atom still shows me a link to login, and following the link does product an OOPs.

Revision history for this message
Ian Booth (wallyworld) wrote : Re: [Bug 302097] Re: Trying to access rss feeds of a private bug OOPSes

We need rev 10593 to be deployed to staging in order to qa. Staging is
currently only running 10574

On 25/05/11 07:29, Curtis Hovey wrote:
> This may not really be ready to QA. qastaging does not support feeds.
> Visiting http://feeds.staging.launchpad.net/bugs/292398/bug.atom still
> shows me a link to login, and following the link does product an OOPs.
>

Revision history for this message
William Grant (wgrant) wrote :

QAed fine on qastaging, with feeds.qa[...] in /etc/hosts, and using HTTPS instead of HTTP.

tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.