launchpad.View is sufficient to remove sources and binaries

Bug #500018 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Jelmer Vernooij

Bug Description

r10038 exposed IPublishing.requestDeletion through the webservice. But that method is accessible with launchpad.View, so I can delete any source (and impersonate anybody) that I can see.

Tags: lp-soyuz
William Grant (wgrant)
summary: - launchpad.View is sufficient to remove sources
+ launchpad.View is sufficient to remove sources and binaries
Jelmer Vernooij (jelmer)
Changed in soyuz:
status: New → Triaged
importance: Undecided → Critical
Muharem Hrnjadovic (al-maisan) wrote :

<wgrant> Are you trying to work out permissions for that bug?
<al-maisan> yes
<al-maisan> I guess we need to split the interface into a ViewOnly/Write part and make sure that only the owner has permission="launchpad.Edit"?
<wgrant> I would just delegate launchpad.Edit to the archive.
<wgrant> Do SPPHs have an owner?
<wgrant> I don't think so.
<al-maisan> i.e. if the user has launchpad.Edit for the archive he/she may request the deletion of a SPPH?
<wgrant> Right. That's the rule used for PPAs at the moment.
<al-maisan> cool
<al-maisan> makes a lot of sense
<al-maisan> Thanks for the advice!
<wgrant> It's too restrictive for the primary archive, but that all needs a rethink anyway.
<al-maisan> yeah .. also, I guess PPAs will be the primary application case
<wgrant> Right.

Diogo Matsubara (matsubara) wrote : Bug fixed by a commit
Changed in soyuz:
status: Triaged → Fix Committed
William Grant (wgrant) wrote :

 review needsfixing

The impersonation bug still exists.

Muharem Hrnjadovic (al-maisan) wrote :

Hello William,

thank you very much for catching this bug and keeping an eye on the changes. Can you please elaborate on the "impersonation bug"? I don't understand what you mean.

William Grant (wgrant) wrote :

IPublishing.requestDeletion still takes a requested_by argument through the API. It should always be set to the user calling the method, probably with something like:

@call_with(requested_by=REQUEST_USER)
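
A toy model of the two problems discussed in this thread (View being enough to delete, and `requested_by` being client-supplied), added here as an illustration. It is not Launchpad or lazr.restful code: `Archive`, `Publication`, `call_vulnerable` and `call_hardened` are hypothetical names, and the permission policy is a simplified assumption.

```python
# Added illustration: a toy model, not Launchpad or lazr.restful code.
from dataclasses import dataclass, field
from typing import Optional


class Unauthorized(Exception):
    pass


@dataclass
class Archive:
    owner: str
    viewers: set = field(default_factory=set)

    def has_permission(self, user: str, permission: str) -> bool:
        # Assumed policy: only the owner holds Edit; owner and viewers hold View.
        if permission == "launchpad.Edit":
            return user == self.owner
        return user == self.owner or user in self.viewers


@dataclass
class Publication:
    archive: Archive
    removed_by: Optional[str] = None  # who the audit trail says asked for deletion

    def request_deletion(self, requested_by: str) -> None:
        self.removed_by = requested_by


def call_vulnerable(pub: Publication, caller: str, params: dict) -> None:
    """Behaviour the report describes: View suffices and requested_by is client input."""
    if not pub.archive.has_permission(caller, "launchpad.View"):
        raise Unauthorized(caller)
    pub.request_deletion(requested_by=params["requested_by"])


def call_hardened(pub: Publication, caller: str, params: dict) -> None:
    """Edit is delegated to the archive; requested_by is bound to the caller."""
    if not pub.archive.has_permission(caller, "launchpad.Edit"):
        raise Unauthorized(caller)
    # Any client-supplied requested_by is ignored (a choice made for this sketch).
    pub.request_deletion(requested_by=caller)
```
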

Changed in soyuz:
milestone: none → 10.01
assignee: nobody → Jelmer Vernooij (jelmer)
Julian Edwards (julian-edwards) wrote :

This didn't work due to a bug in lazr.restful, see bug 513275

Changed in soyuz:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
