new location code allows anyone to set anyone else's location
Bug #262193 reported by James Troup
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Unassigned |
Bug Description
According to <https:/
Canada. Unfortunately I didn't set this location, someone else (with
no special LP privileges) did[1]. We can't allow random
people to set personal data for other people! Apart from being
obviously wrong and bad, it has legal implications as well.
[1] Just out of interest, could you even tell me who did, if I didn't
already know?
Related branches
lp://qastaging/~sinzui/launchpad/location-bug-262193
- Eleanor Berger (community): Approve (code)
Diff: 459 lines (+57/-212)
10 files modified
lib/canonical/launchpad/emailtemplates/person-location-modified.txt (+0/-19)
lib/canonical/launchpad/permissions.zcml (+0/-4)
lib/canonical/launchpad/security.py (+0/-32)
lib/lp/registry/browser/configure.zcml (+1/-1)
lib/lp/registry/browser/person.py (+2/-14)
lib/lp/registry/configure.zcml (+1/-1)
lib/lp/registry/doc/personlocation.txt (+15/-53)
lib/lp/registry/model/person.py (+0/-14)
lib/lp/registry/stories/location/personlocation-edit.txt (+27/-59)
lib/lp/registry/stories/location/personlocation.txt (+11/-15)
description: updated
Changed in launchpad:
assignee: nobody → salgado
importance: Undecided → High
status: New → Triaged
Changed in launchpad:
assignee: salgado → nobody
status: Triaged → Incomplete
Changed in launchpad-foundations:
status: Incomplete → New
Changed in launchpad-foundations:
milestone: none → 2.1.10
Changed in launchpad-registry:
milestone: 2.1.10 → none
tags: added: tech-debt; removed: registry
Changed in launchpad-registry:
status: Triaged → In Progress
milestone: none → 3.1.11
Changed in launchpad:
assignee: Curtis Hovey (sinzui) → nobody
I believe this was implemented as designed.
[1] Including keeping a log of who last messed with the record, so we can tell you who changed your location. I don't think it is visible in the UI though.