Project can join a project group without group owner's permission

Bug #58297 reported by Matthew Paul Thomas
This bug affects 4 people
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Anyone can register a project in Launchpad, and make it part of someone else's project group without approval from the owner(s) of that group. This can mislead people about the legitimacy of the project.

For example, the "Costato" project was able to join the Launchpad project group without approval from the Launchpad developers.

One way to fix this would be to require the project group owner's permission before adding any project.

This might be made an option for project groups.

description: updated
Changed in launchpad:
importance: Untriaged → Low
status: Unconfirmed → Confirmed
description: updated
Curtis Hovey (sinzui)
Changed in launchpad-registry:
importance: Low → Wishlist
status: Confirmed → Triaged
tags: added: oem-services
Curtis Hovey (sinzui) wrote : Re: Making a project part of a project group should require project group owner's approval

I'm going to investigate the overlap between ownership and member projects to see if it is viable to switch from a text field to a vocabulary to restrict the field to only project-groups that the user is an owner of.

Changed in launchpad-registry:
assignee: nobody → Curtis Hovey (sinzui)
Curtis Hovey (sinzui)
Changed in launchpad-registry:
milestone: none → series-future
assignee: Curtis Hovey (sinzui) → nobody
Curtis Hovey (sinzui)
tags: added: disclosure
removed: registry
Curtis Hovey (sinzui)
tags: added: hardening
Robert Collins (lifeless) wrote :

I think this is not doable as a tweak; there are communities that use and desire the free form collection, there are others that want top-down. We need two different things (or one with knobs); either way we need to design it to ensure we have consistent predictable behaviour, discoverable and understandable behaviour.

This isn't a wontfix per se, but the bug should be recast as a symptom - e.g. that project groups allow all and sundry to join, which some [would be] project group owners are opposed to.

Curtis Hovey (sinzui) wrote :

I am not certain knobs are enough. We could add a bool to toggle between inclusive and exclusive behaviour. The current behaviour is inclusive where the project adds itself to the group. The exclusive behaviour would only permit adding a project to the group from the group's perspective. The exclusive would use a new method on project group and the UI might use a project picker.

I think this is a hack to address the immediate concern of forging a relationship to socially engineer an attack.

Projects do not like the limit of being a member of one project group. A project might want to be a member of python, twisted, and gnome project groups. A project might want to be a member of several of its organisation's exclusive groups, such as a project that is both OEM and PES. Maybe we want to split this bug into several to address the different concerns.
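
Added example, not part of the original thread and not Launchpad's code: a minimal Python model of the inclusive/exclusive toggle discussed in the comment above, together with the restricted vocabulary idea from the earlier comment. The class names, the `exclusive` flag, and every method name are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model; all names and the `exclusive` flag are assumptions.

@dataclass
class ProjectGroup:
    name: str
    owners: set
    exclusive: bool = False  # False = the current inclusive behaviour
    members: set = field(default_factory=set)

    def add_project(self, project, actor):
        """Group-side add: the only path into an exclusive group."""
        if actor not in self.owners:
            raise PermissionError(f"{actor} does not own group {self.name}")
        _attach(project, self)

@dataclass
class Project:
    name: str
    owner: str
    group: Optional[ProjectGroup] = None

    def join_group(self, group, actor):
        """Project-side add: allowed for inclusive groups only."""
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own project {self.name}")
        if group.exclusive and actor not in group.owners:
            raise PermissionError(f"{group.name} requires its owner's approval")
        _attach(self, group)

def _attach(project, group):
    # A project belongs to one group at a time, so leave the old one first.
    if project.group is not None:
        project.group.members.discard(project.name)
    project.group = group
    group.members.add(project.name)

def selectable_groups(groups, user):
    """Vocabulary for a project's group field: hide exclusive groups the user does not own."""
    return [g.name for g in groups if not g.exclusive or user in g.owners]
```

The server-side check in `join_group` is what enforces the policy; the filtered vocabulary only keeps the form from offering groups the request would be refused for.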

Matthew Paul Thomas (mpt) wrote :

Ah, from the days before I realized "should" in bug summaries is a bad idea. :-)

I think allowing a project to be part of multiple groups is a separate problem.

description: updated
summary: - Making a project part of a project group should require project group
- owner's approval
+ Project can join a project group without group owner's permission
Curtis Hovey (sinzui)
tags: added: private-projects
removed: disclosure
Curtis Hovey (sinzui)
tags: added: projectgroups
William Grant (wgrant)
no longer affects: ubuntu
This report contains Public information  
Everyone can see this information.
