branch visibility queries do not consider visibility of stacked on branches
Bug #900431 reported by David Owen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Triaged | High | Unassigned | |
Bug Description
Report
======
I'm an indirect member of canonical-
Analysis
========
A private branch in a merge proposal was stacked on a different private branch which was not visible to ~dsowen. The query that returns merge proposals did not filter that proposal out because the queries don't check the transitive visibility status, only the proximate status.
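The proximate-only check described above, beside a check that walks the whole stacked-on chain, as an added illustration that is not Launchpad's own code. The `Branch` and `MergeProposal` classes, the `visible_to` set (standing in for subscriber and team membership, already expanded) and the sample branches are simplified assumptions; the cycle guard is defensive and not something the report mentions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

@dataclass
class Branch:
    name: str
    private: bool = False
    # Assumption: users who may see this branch, with team membership already expanded.
    visible_to: Set[str] = field(default_factory=set)
    stacked_on: Optional["Branch"] = None

@dataclass
class MergeProposal:
    source: Branch
    target: Branch

def visible_proximate(branch: Branch, user: str) -> bool:
    """The buggy check: looks only at the branch itself, not what it is stacked on."""
    return (not branch.private) or user in branch.visible_to

def visible_transitive(branch: Branch, user: str) -> bool:
    """The corrected check: every branch in the stacked-on chain must be visible."""
    seen: Set[str] = set()
    current: Optional[Branch] = branch
    while current is not None:
        if current.name in seen:
            # Defensive: a malformed stacking cycle must fail loudly, not loop forever.
            raise ValueError(f"stacking cycle at {current.name}")
        seen.add(current.name)
        if not visible_proximate(current, user):
            return False
        current = current.stacked_on
    return True

def visible_proposals(proposals: List[MergeProposal], user: str,
                      check: Callable[[Branch, str], bool]) -> List[MergeProposal]:
    """Filter proposals the way the listing query should: both ends must be visible."""
    return [mp for mp in proposals if check(mp.source, user) and check(mp.target, user)]

# Constructed sample: a private source branch ~dsowen may see, stacked on a
# private branch only its owner may see, proposed for merging into a public trunk.
HIDDEN = Branch("hidden-private", private=True, visible_to={"owner"})
SOURCE = Branch("feature", private=True, visible_to={"owner", "dsowen"}, stacked_on=HIDDEN)
TARGET = Branch("trunk")
MP = MergeProposal(SOURCE, TARGET)

def demo(user: str = "dsowen"):
    """Return (proposals the buggy query shows, proposals the fixed query shows)."""
    buggy = [mp.source.name for mp in visible_proposals([MP], user, visible_proximate)]
    fixed = [mp.source.name for mp in visible_proposals([MP], user, visible_transitive)]
    return buggy, fixed
```

The buggy query lists the proposal for ~dsowen; the transitive check drops it because the stacked-on branch is not visible to him.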
Changed in launchpad:
status: Incomplete → Triaged
importance: Undecided → Critical

Changed in launchpad:
importance: Critical → High
tags: added: sharing
tags: removed: disclosure
This almost certainly means we have a bug where the logged-in query is returning an MP that the security adapters think you can't access. As it's a public team, and our defense-in-depth precautions are working, this doesn't imply a security vulnerability.
Did you get an OOPS id on the page?