Off Topic arugument - for Amedee
Colin Watson
cjwatson at ubuntu.com
Mon Nov 21 20:29:10 UTC 2011
On Mon, Nov 21, 2011 at 08:31:11PM +0100, Amedee Van Gasse wrote:
> On 21-11-11 16:51, W. Scott Lockwood III wrote:
> >I find it far more curious that attempting to view your signature results
> >in:
> >Not allowed here
> >Sorry, you don't have permission to access this page.
> >
> >You are logged in as Scott Lockwood.
>
> Perhaps we can only view our own signatures?
>
> 2007-02-18: digitally signed by Amedee Van Gasse (1024D/82BA02FC)
Correct; that page is restricted to the user in question and the
Launchpad administrators. lib/lp/registry/browser/configure.zcml:
<browser:page
name="+codesofconduct"
for="lp.registry.interfaces.person.IPerson"
permission="launchpad.Edit"
class="lp.registry.browser.person.PersonCodeOfConductEditView"
template="../templates/person-codesofconduct.pt"/>
And lib/canonical/launchpad/security.py:
class EditPersonBySelfOrAdmins(AuthorizationBase):
permission = 'launchpad.Edit'
usedfor = IPerson
def checkAuthenticated(self, user):
"""A user can edit the Person who is herself.
The admin team can also edit any Person.
"""
return self.obj.id == user.person.id or user.in_admin
It does seem slightly odd that you can see the fact that somebody else
signed the code of conduct, but not when; it's possible that this is
unintentional, as there's no explicit security model applied to
SignedCodeOfConduct that I can see, but it just so happens that the only
place that's ever rendered is on the +codesofconduct edit page. It
might be worth filing a bug about that if it's something you care about.
--
Colin Watson [cjwatson at ubuntu.com]
More information about the ubuntu-users
mailing list