people with upload privileges are not allowed to use syncSource
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Won't Fix
|
Low
|
Unassigned |
Bug Description
I attempted to walk Brian Thomason (who has upload privileges to the partner archive) through performing a sync from Debian into the partner archive using the Launchpad API. This failed due to permissions:
brian@
>>> from debian_bundle import debian_support
>>> debian = lp.distribution
>>> unstable = debian.
>>> debian_archive = debian.main_archive
>>> pubs = debian_
>>> version = sorted(pubs, key=lambda pub: debian_
>>> partner_archive = [a for a in lp.distribution
>>> lucid = lp.distribution
>>> partner_
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
url, in_representation, http_method, extra_headers=
File "/usr/lib/
raise HTTPError(response, content)
lazr.
Response headers:
---
content-length: 63
content-type: text/plain
date: Wed, 24 Feb 2010 23:12:00 GMT
server: zope.server.http (HTTP)
status: 401
via: 1.1 wildcard.
x-lazr-oopsid: OOPS-1516EA1149
x-powered-by: Zope (www.zope.org), Python (www.python.org)
---
Response body:
---
(<Archive at 0x2aaab875fe10>, 'syncSource', 'launchpad.Append')
---
>>>
Examination of the source code shows that normal upload permission checks are not applied to the syncSource method; instead, it merely looks at the archive owner. The Ubuntu primary and partner archives are both owned by ubuntu-drivers, which is quite a restricted team.
Until we are ready to start using the API across the board for syncs, which is mainly blocked on the resulting *-changes mails being sensible (see https:/
Changed in soyuz: | |
importance: | Undecided → Low |
status: | New → Triaged |
tags: | added: soyuz-upload |
tags: | added: soyuz-core |
This should only be fixed after bug 529936 is fixed.