Launchpad itself

Deactivating a product doesn't hide its productseries' bugs

Bug #1321055 reported by Scott Ritchie on 2014-05-20

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Triaged	High	Unassigned

Bug Description

I used to work for iSwifter, and while I was there we created a private Launchpad project to host some private PPAs for us. At the time we were also considering moving away from Jira, so I filed https://bugs.launchpad.net/iswifter/iswifter-server/+bug/1025939 as a sort of placeholder bug to see if we might use Launchpad for bugs.

I no longer work there, and am no longer a member of the private team, however when I do a search of my own reported bugs I can see the above bug in the result list, including its current status and heat level. This is an information leak of some kind, as I might be able to infer things from it (in this case it's rather innocuous, but I could in principle track where and what bugs I filed people were now working on / discussing).

Tags:

Related branches

~ines-almeida/launchpad:prevent-bug-reporter-from-accessing-bug-in-disabled-product

Merged into launchpad:master

Colin Watson (community): Approve on 2023-04-19

Revision history for this message

William Grant (wgrant) wrote on 2014-05-20:

You still have permission to see that bug, but you can't navigate to it because it's on a deactivated project. We normally exclude bugs on inactive projects from searches, but apparently we don't also apply that same check to bugs on series on inactive projects.

information type:

Private Security → Public

Revision history for this message

William Grant (wgrant) wrote on 2014-05-20:

BugTaskFlat.active exists, and it's set by bugtask_flatten, but it doesn't currently follow Product.active changes so we don't yet use it in bugtasksearch:

        extra_clauses.append(
            Or(BugTaskFlat.product == None, Product.active == True))
        join_tables.append(
            (Product, LeftJoin(Product, And(
                            BugTaskFlat.product_id == Product.id,
                            Product.active))))

We should make setting Product.active trigger an update on all affected BugTaskFlat rows, or we should just fix the bugtasksearch check to consider ProductSeries too.

summary:

- Search results show bugs I reported but should no longer be able to see
- due to leaving private team
+ Deactivating a product doesn't hide its productseries' bugs

William Grant (wgrant) on 2014-05-22

Changed in launchpad:
importance:	Undecided → High
status:	New → Triaged
tags:	added: bugs search series trivial

Ines Almeida (ines-almeida) on 2023-03-31

Changed in launchpad:
assignee:	nobody → Ines Almeida (ines-almeida)

Ines Almeida (ines-almeida) on 2023-04-05

Changed in launchpad:
status:	Triaged → In Progress

Ines Almeida (ines-almeida) on 2023-04-19

Changed in launchpad:
status:	In Progress → Fix Committed

Ines Almeida (ines-almeida) on 2023-05-09

Changed in launchpad:
status:	Fix Committed → Triaged
status:	Triaged → In Progress

Revision history for this message

Ines Almeida (ines-almeida) wrote on 2023-05-09:

Previous fix was reverted due to a found issue.

Ines Almeida (ines-almeida) on 2023-09-06

Changed in launchpad:
status:	In Progress → Triaged
assignee:	Ines Almeida (ines-almeida) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.