ISpecification.all_specifications returns an empty list for anonymous users of the API
Bug #683106 reported by Guilherme Salgado
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Guilherme Salgado |
Bug Description
Apps accessing the API anonymously will always get an empty list from .all_specifications and .valid_
The same happens on ISpecification.
Related branches
lp://qastaging/~salgado/launchpad/bug-683106
- Jelmer Vernooij (community): Approve
Diff: 141 lines (+50/-1)
5 files modified
lib/canonical/launchpad/security.py (+15/-1)
lib/lp/blueprints/interfaces/specification.py (+1/-0)
lib/lp/blueprints/tests/test_webservice.py (+16/-0)
lib/lp/testing/__init__.py (+1/-0)
lib/lp/testing/_webservice.py (+17/-0)
description: updated
Changed in blueprint:
assignee: nobody → Guilherme Salgado (salgado)
status: In Progress → Fix Committed
tags: added: qa-ok, removed: qa-needstesting
Changed in blueprint:
status: Fix Committed → Fix Released
Leonard believes this is a permission issue:
<leonardr> salgado: lazr.restful does an explicit permission check to filter items from a collection. it does not do an explicit check on the return value of a named operation--it relies on zope throwing an exception
<leonardr> we might have a situation where an explicit permission check fails but the permission is never enforced?
(that would explain why we can get specs anonymously via getSpecification() but not via all_specifications)
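
The mismatch Leonard describes can be reproduced in a small model. This is an added example, not code from Launchpad, lazr.restful or Zope. All class, function and attribute names in it are hypothetical, and it assumes a policy in which the anonymous principal has no "View" grant while the attribute being read is not declared as protected.

```python
# Simplified model of the two enforcement paths; every name here is
# hypothetical and none of this is lazr.restful or Zope code.

class Unauthorized(Exception):
    """Raised by the proxy when a protected attribute is read without permission."""


class Spec:
    def __init__(self, name):
        self.name = name


class Policy:
    """Toy policy: the set of (principal, permission) pairs that are granted."""

    def __init__(self, grants=()):
        self.grants = set(grants)

    def check(self, principal, permission):
        return (principal, permission) in self.grants


class Proxy:
    """Raise-on-access enforcement: only attributes listed in `protected`
    need a permission; anything else is readable by any principal."""

    def __init__(self, obj, principal, policy, protected):
        self._ctx = (obj, principal, policy, protected)

    def __getattr__(self, attr):
        obj, principal, policy, protected = self._ctx
        needed = protected.get(attr)
        if needed is not None and not policy.check(principal, needed):
            raise Unauthorized(attr)
        return getattr(obj, attr)


def collection_items(specs, principal, policy):
    """Collection path: explicit check per item, failures are dropped silently."""
    return [s.name for s in specs if policy.check(principal, "View")]


def named_operation(spec, principal, policy, protected):
    """Named-operation path: no explicit check, relies on the proxy raising."""
    return Proxy(spec, principal, policy, protected).name


SPECS = [Spec("spec-a"), Spec("spec-b")]   # constructed sample data
POLICY = Policy()                           # nothing is granted to "anonymous"
PROTECTED = {"internal_notes": "View"}      # "name" is not declared as protected
```

With these inputs the collection path returns an empty list instead of an error, while the named-operation path hands back the same object's data, which is the symptom pair reported in this bug.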