Redact invisible subteams from members and mugshots listings
Bug #1785952 reported by Simon Quigley
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Triaged | High | Unassigned |
Bug Description
I was curious, so I wanted to take a peek at the members of https:/
I don't have access to view members here: https:/
But I can view all of the mugshots, thus getting a complete list (eventually) here: https:/
I applied to be a member of the team but I am not currently one.
This is actually just a bug in the +members page. It isn't a security bug because its overall effect is to forbid access to some information that ought to be permitted, rather than the other way round.
The team is public, so its membership list is meant to be public too; but the +members page shows the list of proposed memberships as well, and in this case that includes a private team on which you don't have the LimitedView permission needed to get the displayname attribute, so it returns an Unauthorized response. There are other cases of this that seem to be legitimate, so we should probably redact such subteams from the members listings rather than trying to render them and hitting Unauthorized. (Note that users who are themselves members of such a superteam get the LimitedView permission on the subteam so that they can at least see that the membership exists, so this redaction wouldn't stop team members from knowing about the membership.)
There's a similar bug in +mugshots, although the details are different: if a team has a subteam as a member on which you don't have the View permission (not LimitedView this time), then +mugshots on the superteam will return an Unauthorized response due to trying to get the mugshotID attribute of the subteam.
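
The following stand-alone model is an added example, not part of the comment above and not Launchpad code. It contrasts a listing that fails entirely with Unauthorized on one unreadable subteam with a listing that redacts that subteam. Every class, function and sample value is hypothetical, and it assumes that holding View also satisfies LimitedView.

```python
# Stand-alone model of the behaviour described above; not Launchpad code.
# Every class, function and sample value here is hypothetical/constructed.
from dataclasses import dataclass

class Unauthorized(Exception):
    """Raised when a guarded attribute is read without the needed permission."""

@dataclass(frozen=True)
class Entity:                      # a person or a (sub)team in a listing
    name: str
    displayname: str
    mugshot_id: int
    private: bool = False

# Permission each guarded attribute needs on a private entity (per the comment).
NEEDED = {"displayname": "LimitedView", "mugshot_id": "View"}

def allowed(viewer, entity, permission, grants):
    if not entity.private:
        return True
    held = grants.get((viewer, entity.name), set())
    # Model assumption: holding View also satisfies LimitedView.
    return permission in held or (permission == "LimitedView" and "View" in held)

def read(viewer, entity, attr, grants):
    if not allowed(viewer, entity, NEEDED[attr], grants):
        raise Unauthorized(f"{attr} of {entity.name}")
    return getattr(entity, attr)

def listing_naive(viewer, entries, attr, grants):
    # Reported behaviour: one unreadable subteam fails the whole page.
    return [read(viewer, e, attr, grants) for e in entries]

def listing_redacted(viewer, entries, attr, grants):
    # Proposed behaviour: check permission first, drop invisible entries.
    return [getattr(e, attr) for e in entries
            if allowed(viewer, e, NEEDED[attr], grants)]

# Constructed sample: a public team's listing containing one private subteam.
ENTRIES = [
    Entity("alice", "Alice", 101),
    Entity("secret-team", "Secret Team", 202, private=True),
    Entity("bob", "Bob", 303),
]
GRANTS = {("member", "secret-team"): {"LimitedView"}}  # a superteam member

def page_status(fn, viewer, attr):
    try:
        return fn(viewer, ENTRIES, attr, GRANTS)
    except Unauthorized:
        return "Unauthorized"
```

The redacted listing filters on the permission check before touching any attribute, so it never reads a guarded value it then has to discard.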