code.launchpad.net returns a forbidden error

Bug #342467 reported by Marc Tardif
This bug affects 2 people
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Tim Penhey
Milestone:

Bug Description

Clicking on the Code tab in any of the core Launchpad projects, such as from http://bugs.launchpad.net/, returns a Forbidden error message. To reproduce this problem, simply point your browser to http://code.launchpad.net.

Perhaps it is by design that the root of the Code tab should not display anything and only paths under the root are relevant. However, if this were the case, there should be no links pointing to the root of the Code tab, which results in an unfortunate user experience.

Tags: lp-code
Diogo Matsubara (matsubara) wrote :

Can you still reproduce this one? I thought this could be caused by a private branch being displayed in that page, resulting in the Forbidden error for you, but I couldn't reproduce.

affects: launchpad → launchpad-code
Changed in launchpad-code:
status: New → Incomplete
Diogo Matsubara (matsubara) wrote :

Christopher Armstrong just experienced this bug. Here is the OOPS-1227EA183 and apparently the code front page had a private branch and for that reason returned a forbidden error to Christopher.

Changed in launchpad-code:
importance: Undecided → High
status: Incomplete → Triaged
Tim Penhey (thumper)
Changed in launchpad-code:
milestone: none → 2.2.5
Jonathan Lange (jml) wrote :

Tim, it's probably a little ambitious to assign this to the current milestone without assigning it to someone.

I've taken a look at the OOPS. The lists of branches displayed on the front page are already filtered for user visibility, but...

... you'll love this...

lp:~allenap/launchpad/api-create-bug-mail-bug-373174 is stacked on lp:~launchpad-pqm/launchpad/db-devel

Nominally, radix has permission to view the former branch, because he's a member of Launchpad Hackers via Landscape (those playing at home might want to look at query 33 in the SQL Statement Log). But radix does *not* have permission to view the latter branch -- the stacked-on branch -- for reasons that elude me. Our security code checks the visibility of the stacked-on branch when checking the visibility of a stacked branch and boom!

The underlying bug is that IBranchCollection.visibleByUser is returning false positives, branches that the user cannot see. Possible fixes include:
  - changing visibleByUser to filter out branches with invisible stacked-on branches
  - changing our security policy somehow so that stacked-on branch visibility doesn't need to be checked.

The workaround for radix and cr3 is probably just to subscribe them to the lp:~launchpad-pqm/launchpad/db-devel branch.
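
A simplified model of the mismatch described in the comment above, added here as an illustration and not Launchpad's own code: a list filter that ignores stacking disagrees with a per-branch check that follows it, so one listed branch turns the whole page into a 403. The class, function names and sample branches are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Branch:
    name: str
    private: bool = False
    subscribers: frozenset = frozenset()
    stacked_on: Optional["Branch"] = None


def directly_visible(branch, user):
    # Visibility of this branch alone, ignoring what it is stacked on.
    return not branch.private or user in branch.subscribers


def can_view(branch, user):
    # Per-object policy: every branch in the stacked-on chain must be visible.
    while branch is not None:
        if not directly_visible(branch, user):
            return False
        branch = branch.stacked_on
    return True


def visible_by_user_buggy(branches, user):
    # List filter that disagrees with can_view(): it ignores stacking.
    return [b for b in branches if directly_visible(b, user)]


def visible_by_user_fixed(branches, user):
    # First option in the comment: drop branches with an invisible stacked-on branch.
    return [b for b in branches if can_view(b, user)]


def render_listing(branches, user, list_filter):
    # The page re-checks each listed branch; one denial fails the whole page.
    listed = list_filter(branches, user)
    if not all(can_view(b, user) for b in listed):
        return 403, []
    return 200, [b.name for b in listed]


def sample_branches():
    # Constructed data: "viewer" may see "feature" but not the base it is stacked on.
    base = Branch("base", private=True, subscribers=frozenset({"owner"}))
    feature = Branch("feature", True, frozenset({"owner", "viewer"}), base)
    return [Branch("trunk"), base, feature]
```

Keeping the list filter and the per-object check on the same predicate is what prevents the false positives; a regression test can assert that every item the filter returns also passes the per-object check.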

Jonathan Lange (jml) wrote :

My vote is for *not* fixing this bug in the 2.2.5 cycle, fwiw.

Michael Hudson-Doyle (mwhudson) wrote :

Bumping to 2.2.6.

Changed in launchpad-code:
milestone: 2.2.5 → 2.2.6
Tim Penhey (thumper)
Changed in launchpad-code:
assignee: nobody → Tim Penhey (thumper)
Tim Penhey (thumper)
Changed in launchpad-code:
status: Triaged → In Progress
Tim Penhey (thumper) wrote :

Fixed in RF 8556.

Changed in launchpad-code:
status: In Progress → Fix Committed
Tim Penhey (thumper)
Changed in launchpad-code:
status: Fix Committed → Fix Released
This report contains Public information  
Everyone can see this information.
