on bugs page can see a branch merge proposal which cannot be seen directly

Bug #750607 reported by Andrea Corbellini
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: William Grant

Bug Description

Looking at bug #643366 I see a branch attached and its merge proposal. Trying to access the merge proposal, I get a 'Not allowed here (Sorry, you don't have permission to access this page.)' error. But this makes no sense to me because:

* I can see the branch, its revisions and I can download it;
* from the bug report, I can see the merge proposal status and the votes;
* I'm able to download the diff associated with the merge proposal.

So I think the cases are two:

1. either the merge proposal is public (and therefore I should be able to access it);
2. or the merge proposal is private (and I shouldn't be able to know anything about it).

Robert Collins (lifeless) wrote :

It's probably the stacked on branch or the target branch that you can't see (or both).

Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical
tags: added: disclosure regression
summary: - Odd 'Not allowed here' error on bug #643366
+ on bugs page can see a branch merge proposal which cannot be seen
+ directly
William Grant (wgrant) wrote :

In this case the prereq is private. It's not a regression.

tags: removed: regression
Deryck Hodge (deryck) wrote :

Should this be critical still since it's not a regression? I would guess HIGH since it relates to the disclosure story. I'll triage it accordingly, but please re-triage if I'm missing something else.

Changed in launchpad:
importance: Critical → High
Robert Collins (lifeless) wrote :

It's critical because:
 - if it oopses it's critical
 - when users follow links within LP to 404s we generate and report an OOPS
 - we're generating a link to a page they cannot see

tags: added: oops
Changed in launchpad:
importance: High → Critical
Deryck Hodge (deryck) wrote :

Ah, right. I forget that 404 == OOPS.

FWIW, I've always thought that was incredibly weird. I don't think of a page not found error as an exceptional circumstance. :-) Maybe if it were based on the referrer and we knew we had pointed the user at a page they couldn't see.

Robert Collins (lifeless) wrote : Re: [Bug 750607] Re: on bugs page can see a branch merge proposal which cannot be seen directly

On Tue, May 10, 2011 at 8:49 AM, Deryck Hodge
<email address hidden> wrote:
> Ah, right.  I forget that 404 == OOPS.
>
> FWIW, I've always thought that was incredibly weird.  I don't think of a
> page not found error as an exceptional circumstance. :-)  Maybe if it
> were based on the referrer and we knew we had pointed the user at a page
> they couldn't see.

That's exactly what it is - though we do that analysis in oops-tools
rather than at the time it happens (which I'd like to change so we
have less oopses recorded-but-not-rendered).

Deryck Hodge (deryck) wrote :

ah, ok. Excellent then.

William Grant (wgrant)
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad:
milestone: none → 11.06
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
tags: added: security
Curtis Hovey (sinzui)
tags: added: hardening
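
The mismatch discussed in this report (a proposal listed on the bug page while its own page is refused because the prerequisite branch is private) can be modelled as below. This is an added example, not Launchpad's code: the class and function names, the users and the rule that a proposal page requires every involved branch to be visible are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Branch:
    name: str
    private: bool = False
    subscribers: FrozenSet[str] = frozenset()

    def visible_to(self, user: str) -> bool:
        return not self.private or user in self.subscribers

@dataclass(frozen=True)
class MergeProposal:
    source: Branch
    target: Branch
    prerequisite: Optional[Branch] = None

    def visible_to(self, user: str) -> bool:
        # Assumed page rule: every branch the proposal involves must be visible.
        involved = (self.source, self.target, self.prerequisite)
        return all(b.visible_to(user) for b in involved if b is not None)

def links_source_only(proposals, user):
    """Listing that checks only the source branch (the mismatch reported here)."""
    return [mp for mp in proposals if mp.source.visible_to(user)]

def links_consistent(proposals, user):
    """Listing that reuses the predicate guarding the proposal page."""
    return [mp for mp in proposals if mp.visible_to(user)]

def dangling_links(listing, user):
    """Audit check: listed proposals whose own page would be refused."""
    return [mp for mp in listing if not mp.visible_to(user)]

# Constructed sample data: public source and target, private prerequisite.
TRUNK = Branch("trunk")
FEATURE = Branch("feature")
PREREQ = Branch("prereq", private=True, subscribers=frozenset({"alice"}))
PROPOSAL = MergeProposal(FEATURE, TRUNK, PREREQ)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        listed = links_source_only([PROPOSAL], user)
        print(user, "listed:", len(listed),
              "dangling:", len(dangling_links(listed, user)),
              "consistent:", len(links_consistent([PROPOSAL], user)))
```

The `dangling_links` check is the kind of assertion that fits a view test: any listing rendered for a user should contain no object whose own page that user would be denied.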
This report contains Public information  
Everyone can see this information.
