Forbidden error when trying to mark a bug as private
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Graham Binns |
Bug Description
OOPS-1978QASTAGING34
Using the +secrecy form to make a bug private when one is not subscribed to it causes the page render after the form submission to fail, because the bug is then inaccessible.
Discussion
==========
Setting privacy is currently an unprivileged operation, and this is problematic in a couple of places.
For the unsetting case commercial projects probably don't want can-view-the-bug to equate to can-decide-
For the setting case, taking a bug private partitions it off from its normal community, so again letting anyone decide that it should be hidden is probably too broad.
It's not clear who should be able to decide that a bug should be private.
Solutions
=========
One way of fixing this bug is to just subscribe the person marking it as private.
Another way is to prevent marking existing bugs as private (or security) unless the person doing the marking is affiliated with the project in some sensible fashion.
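
A minimal Python model of the failure and of the two solutions above, added here as an illustration; it is not Launchpad's code. The class and function names, and the rule that only subscribers can view a private bug, are assumptions of the model.

```python
# Minimal model of the bug's access rules; names are hypothetical, not Launchpad's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the 403 raised when a permission check fails."""


@dataclass
class Project:
    affiliated: set = field(default_factory=set)  # assumed: owners, bug supervisors


@dataclass
class Bug:
    project: Project
    private: bool = False
    subscribers: set = field(default_factory=set)

    def can_view(self, user):
        # Model assumption: public bugs are visible to all, private ones to subscribers only.
        return not self.private or user in self.subscribers

    def render(self, user):
        if not self.can_view(user):
            raise Forbidden(user)
        return "private" if self.private else "public"


def set_private_unfixed(bug, user):
    """Reported behaviour: flip the flag, then render the page for the same user."""
    bug.private = True
    return bug.render(user)  # raises Forbidden when user is not subscribed


def set_private_subscribing(bug, user):
    """First solution: subscribe whoever marks the bug private."""
    bug.subscribers.add(user)
    bug.private = True
    return bug.render(user)


def set_private_restricted(bug, user):
    """Second solution: only project-affiliated users may change privacy."""
    if user not in bug.project.affiliated:
        raise Forbidden(user)  # refused before any state changes
    bug.subscribers.add(user)  # model visibility depends only on subscription
    bug.private = True
    return bug.render(user)
```

In the unfixed path the bug stays private after the error, so the person who hid it cannot undo the change; the restricted path rejects the request before the flag is touched.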
Related branches
- Robert Collins (community): Needs Information
- Jeroen T. Vermeulen (community): Approve (code)
- Diff: 0 lines
Changed in launchpad:
status: Confirmed → Triaged
importance: Undecided → Low
tags: added: privacy removed: oops
tags: added: 403
description: updated
Changed in launchpad:
importance: Low → Critical
Changed in launchpad:
assignee: nobody → Graham Binns (gmb)
status: Triaged → In Progress
tags: added: qa-ok removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → Fix Released
To reproduce using sample data:
1. Logged in as Sample Person open: http://launchpad.dev/distros/debian/+source/mozilla-firefox/+bug/3/
2. In "Visibility/Security" check the "Keep bug confidential"
3. Forbidden error.