Trying to access rss feeds of a private bug OOPSes
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Ian Booth |
Bug Description
As seen on OOPS-1060EB129, trying to access the RSS feeds of a private bug that you have access to gives you a Forbidden error and says you're not logged in. When trying to log in, it gives a Page not found error, and OOPSes:
NotFound: Object: <canonical.
Steps to reproduce:
1) Go to a private bug, for instance https:/
2) Click on the RSS feed icon (in Firefox) in the address bar to subscribe to changes on the bug. You'll get a Not allowed here error, and LP will tell you you're not logged in.
3) Click on the "Log in/Register" link in the error page. You get a "Lost something?" page warning about the generated OOPS, and you can't see the traceback.
Related branches
- Jeroen T. Vermeulen (community): Approve (code)
- Diff: 306 lines (+119/-45), 6 files modified:
lib/canonical/launchpad/browser/feeds.py (+29/-2)
lib/canonical/launchpad/pagetests/feeds/xx-authentication.txt (+0/-26)
lib/canonical/launchpad/pagetests/feeds/xx-links.txt (+49/-0)
lib/canonical/launchpad/pagetests/feeds/xx-security.txt (+3/-10)
lib/lp/bugs/feed/bug.py (+16/-4)
lib/lp/code/feed/branch.py (+22/-3)
description: updated
Changed in launchpad-registry:
status: New → Triaged
affects: launchpad-registry → malone
Changed in launchpad:
importance: Low → Critical
tags: added: easy
Changed in launchpad:
assignee: nobody → Ian Booth (wallyworld)
Changed in launchpad:
status: Triaged → In Progress
status: In Progress → Triaged
Changed in launchpad:
status: Triaged → In Progress
Changed in launchpad:
status: Fix Committed → Fix Released
RSS feeds are not secure, and they are cached for everyone. These rules conflict with the intent of privacy. I do not see a simple fix for this.