Comment 1 for bug 1785952

Colin Watson (cjwatson) wrote : Re: Mugshots are viewable when member lists are not

This is actually just a bug in the +members page. It isn't a security bug because its overall effect is to forbid access to some information that ought to be permitted, rather than the other way round.

The team is public, so its membership list is meant to be public too; but the +members page shows the list of proposed memberships as well, and in this case that includes a private team on which you don't have the LimitedView permission needed to get the displayname attribute, so it returns an Unauthorized response. There are other cases of this that seem to be legitimate, so we should probably redact such subteams from the members listings rather than trying to render them and hitting Unauthorized. (Note that users who are themselves members of such a superteam get the LimitedView permission on the subteam so that they can at least see that the membership exists, so this redaction wouldn't stop team members from knowing about the membership.)

There's a similar bug in +mugshots, although the details are different: if a team has a subteam as a member on which you don't have the View permission (not LimitedView this time), then +mugshots on the superteam will return an Unauthorized response due to trying to get the mugshotID attribute of the subteam.
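As an added illustration, not Launchpad's own code, of the redaction approach suggested in this comment: a constructed model in which attribute access raises Unauthorized when the viewer lacks the required permission, and the +members and +mugshots listings skip subteams that fail the LimitedView or View check instead of failing the whole page. The Team class, the permission rules and the sample teams are assumptions made for the example.

```python
from dataclasses import dataclass, field

class Unauthorized(Exception):
    """Raised when a viewer lacks the permission an attribute requires."""

@dataclass
class Team:
    name: str
    displayname: str
    private: bool = False
    members: set = field(default_factory=set)  # names of direct members
    mugshot_id: int = 0

def has_limited_view(viewer, team, superteam):
    """Constructed rule (not Launchpad's): public teams are LimitedView for all;
    a private subteam is LimitedView for members of its superteam."""
    return not team.private or viewer in superteam.members

def has_view(viewer, team, superteam):
    """Constructed rule: full View of a private team needs membership in it."""
    return not team.private or viewer in team.members

def guarded(viewer, team, superteam, attr, check):
    """Attribute access that raises Unauthorized, as the pages in the bug do."""
    if not check(viewer, team, superteam):
        raise Unauthorized(f"{attr} on {team.name}")
    return getattr(team, attr)

def members_page(viewer, superteam, proposed, redact):
    """+members: displayname needs LimitedView; redact=False is the buggy path."""
    rows = []
    for t in proposed:
        if redact and not has_limited_view(viewer, t, superteam):
            continue  # hide the subteam instead of trying to render it
        rows.append(guarded(viewer, t, superteam, "displayname", has_limited_view))
    return rows

def mugshots_page(viewer, superteam, members, redact):
    """+mugshots: mugshot_id needs View, not LimitedView."""
    rows = []
    for t in members:
        if redact and not has_view(viewer, t, superteam):
            continue
        rows.append(guarded(viewer, t, superteam, "mugshot_id", has_view))
    return rows

# Constructed sample data: a public superteam with one proposed private subteam.
UBUNTU = Team("ubuntu-dev", "Ubuntu Developers", members={"alice"})
PROPOSED = [Team("bob-team", "Bob's Team", mugshot_id=7),
            Team("secret", "Secret Team", private=True, members={"dave"}, mugshot_id=9)]
```

With redact=True a non-member of the superteam sees only the public subteam, while a superteam member still sees that the private membership exists, as the comment describes.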