Activity log for bug #1033523

| Date | Who | What changed | Old value | New value | Message |
| --- | --- | --- | --- | --- | --- |
| 2012-08-06 14:03:41 | Curtis Hovey | bug | | | added bug |
| 2012-08-06 14:40:39 | Curtis Hovey | summary | Users get 503 because Lp has contradictory rules to unlink packages | Users get 403 because Lp has contradictory rules to unlink packages | |
| 2012-08-06 14:42:43 | Curtis Hovey | description | Launchpad's zcml states that anyone can unlink a package from a series. The rule is used on the distribution and source package pages, and on the project's package pages. When translation message sharing was added, a condition was added to the code that will raise a forbidden error if the user attempts to unlink a package from a series that is sharing translations. A. When the rule was added, all places that show the remove packaging links should have been updated to use the code rules, so that Lp does not lie to users. I see a nominal attempt to guard the links on the source package's menu, which is seen less often than the DSP's page. B. I think the code rule is wrong. Packaging.userCanDelete() assumes that unlinking the package will also remove the shared messages accidentally. A common reason a series is unlinked is because a series was linked to several packages, which is wrong. Ubuntu does not lose data in this case. Secondly, the permission check assumes that Packaging.owner entitles a group to control the package. This is not so. Packaging.owner is the registrant. This check entitles sinzui and jelmer to change packaging because they registered 50% of all packaging links. If the link is wrong, anyone should be permitted to remove it. I think the restriction exists to prevent accidental loss of translations, and that could be solved by asking the user to confirm the series with translations must be removed. The confirmation is not needed if the series is linked to several packages. | Launchpad's zcml states that anyone can unlink a package from a series. The rule is used on the distribution and source package pages, and on the project's package pages. When translation message sharing was added, a condition was added to the code that will raise a forbidden error if the user attempts to unlink a package from a series that is sharing translations. A. When the rule was added, all places that show the remove packaging links should have been updated to use the code rules, so that Lp does not lie to users. I see a nominal attempt to guard the links on the source package's menu, which is seen less often than the DSP's page. B. I think the code rule is wrong. Packaging.userCanDelete() assumes that unlinking the package will also remove the shared messages accidentally. A common reason a series is unlinked is because a series was linked to several packages, which is wrong. Ubuntu does not lose data in this case. Secondly, the permission check assumes that Packaging.owner entitles a group to control the package. This is not so. Packaging.owner is the registrant. This check entitles sinzui and jelmer to change packaging because they registered 50% of all packaging links. If the link is wrong, anyone should be permitted to remove it. I think the restriction exists to prevent accidental loss of translations, and that could be solved by asking the user to confirm the series with translations must be removed. The confirmation is not needed if the series is linked to several packages. There already is a confirmation page, all that is needed is an explanation that translations are shared, do you still want to remove the packaging link? | |
| 2012-09-17 16:49:05 | Curtis Hovey | tags | 403 message-sharing package-link | 403 message-sharing package-link regression | |
| 2012-09-17 17:33:25 | Curtis Hovey | launchpad: assignee | | Curtis Hovey (sinzui) | |
| 2012-09-17 17:33:28 | Curtis Hovey | launchpad: status | Triaged | In Progress | |
| 2012-09-17 21:42:58 | Curtis Hovey | branch linked | | lp:~sinzui/launchpad/delete-packaging-link | |
| 2012-09-20 10:00:33 | Launchpad QA Bot | tags | 403 message-sharing package-link regression | 403 message-sharing package-link qa-needstesting regression | |
| 2012-09-20 10:00:35 | Launchpad QA Bot | launchpad: status | In Progress | Fix Committed | |
| 2012-09-20 12:46:27 | Curtis Hovey | tags | 403 message-sharing package-link qa-needstesting regression | 403 message-sharing package-link qa-ok regression | |
| 2012-09-24 12:15:50 | William Grant | launchpad: status | Fix Committed | Fix Released | |