Forbidden error when trying to mark a bug as private

To reproduce using sample data:
1. Logged in as Sample Person open: http://launchpad.dev/distros/debian/+source/mozilla-firefox/+bug/3/
2. In "Visibility/Security" check the "Keep bug confidential"
3. Forbidden error.

mpt, what about greying out the option, like:

[ ] This bug should be visible only to its subscribers
/!\ You must _subscribe to this bug_ to set this option

?

But I didn't want to subscribe to it.

On 15-Oct-06, at 2:30 AM, Matthew Paul Thomas wrote:

> But I didn't want to subscribe to it.

Should a non-subscriber be able to make a bug visible only to its
subscribers?

It's not making it visible only to subscribers, it's making it visible only to subscribers plus the security contact. I should be able to do that if I am either a subscriber (which I wasn't), or a member of the security contact team (which I was).

On 18-Oct-06, at 3:42 AM, Matthew Paul Thomas wrote:

> It's not making it visible only to subscribers, it's making it visible
> only to subscribers plus the security contact. I should be able to do
> that if I am either a subscriber (which I wasn't), or a member of the
> security contact team (which I was).

Currently it's "visible only to subscribers". And you weren't a
security contact for the example you gave.

But I agree that if privacy does implicitly allow security contacts
to view bugs, and you were a security contact, you should have been
allowed to change it. I still think a greyed out widget would be more
helpful to explain why it's sometimes available and sometimes not.

Sorry, I got the bug number wrong in my description. It was a Launchpad bug, for which I am (a member of the team that is) security contact.

(To do: Check whether the security contact problem still happens, and if so, split it out into a separate bug report.)

If this is still present we will get an OOPS due to the 404-from-lp-action logic, so I've retriaged it appropriately.

I was able to duplicate a related problem, but there was no OOPS, so I'm re-triaging back to Low.

Logged in as Sample User, I went to https://launchpad.dev/debian/+source/mozilla-firefox/+bug/3, and clicked on the edit button by "This report is public". I checked "This bug report should be private" and saved the change. The change went through with no error.

At this point I could no longer see the bug. Reloading the page gave me a fake 404 error. Using the other Ajax forms instead of reloading the page gives an unfriendly error "Object: , name: u'3'" that I happen to know corresponds to a 404 error.

It seems strange that Sample User has permission to make the bug private but not permission to see the bug when it's private. But if this is the correct behavior, it should be handled more gracefully.

leonard - I suspect that your local error dir will be accumulating OOPSes when you're getting those 404s from ajax.

Trivially reproduced on qastaging:
https://bugs.qastaging.launchpad.net/libdbusmenu-qt/+bug/633339/+secrecy, tick 'private' and save.

Fixed in stable r13244 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/13244>.