Launchpad itself

Can request a review from someone who can't see the merge proposal

Bug #330290 reported by Martin Albisetti on 2009-02-16

This bug affects 7 people

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	Low	Ian Booth

Bug Description

It turns out that you can request a review from a person who doesn't have permissions to view the (private) branch, so we end up in a situation where I need to review something I can't see :)
In my case, see: https://code.edge.launchpad.net/~barry/launchpad/affiliations-db/+merge/3526

Tags:

Related branches

lp:~wallyworld/launchpad/confirm-reviewer-subscription-330290

Merged into lp:launchpad at revision 14744

j.c.sackett (community): Approve on 2012-02-02

Richard Harding (community): Approve (code*) on 2012-02-02

Revision history for this message

Jonathan Lange (jml) wrote on 2009-02-22:

Related to bug 319405. We might want to do it in conjunction with other privacy work for 2.2.3.

Changed in launchpad-bazaar:
importance:	Undecided → Low
status:	New → Triaged

Revision history for this message

Barry Warsaw (barry) wrote on 2009-02-23:

I understand that it's possible to make a mistake when selecting a reviewer, and thus accidentally giving someone permission to see a private branch. Perhaps we can do things to help avoid that, such as looking to see if the requested reviewer is in the default review team. Alternatively, let's provide a u/i after the reviewer has been requested to 1) indicate in big red blinking letters if the reviewer does not have permission to see the branch; 2) let me click to give them permission.

Tim Penhey (thumper) on 2010-03-12

summary:

- Can request a review from someone without permission
+ Can request a review from someone who can't see the merge proposal

Revision history for this message

Michael Hudson-Doyle (mwhudson) wrote on 2010-10-17:

I think what barry suggests makes a great deal of sense. Dunno how hard it is to implement though -- how is the wizard support in lazr-js coming along?

Curtis Hovey (sinzui) on 2012-01-14

tags:

added: disclosure

Revision history for this message

Curtis Hovey (sinzui) wrote on 2012-01-17:

We have added rules to the person picker that ask you to confirm the action because there is a concern. The call back to the confirmation should subscribe the user to the private branch. This issue might need nothing more than a message and a js call back that subscribes the user/team.

Revision history for this message

Robert Collins (lifeless) wrote on 2012-01-17: Re: [Bug 330290] Re: Can request a review from someone who can't see the merge proposal

So, the necessary rules are:
If and only if the user cannot see the branch under review then
subscribe to it, to its stacked-on branch, and its stacked on branch
recursively, with 'no mail' and 'no code review' as the subscription
settings.
Ditto for the branch landing target.

I think this is complex enough to be best done as a new API - probably
on the MP itself. Or perhaps part of the api for adding a reviewer.

-Rob

Ian Booth (wallyworld) on 2012-01-17

Changed in launchpad:
status:	Triaged → In Progress
assignee:	nobody → Ian Booth (wallyworld)

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2012-02-03:

Fixed in stable r14744 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/14744>.

tags:	added: qa-needstesting
Changed in launchpad:
status:	In Progress → Fix Committed

Ian Booth (wallyworld) on 2012-02-06

tags:

added: qa-ok
removed: qa-needstesting

William Grant (wgrant) on 2012-02-06

Changed in launchpad:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.