Off Topic argument - for Amedee

Colin Watson cjwatson at ubuntu.com
Mon Nov 21 20:29:10 UTC 2011


On Mon, Nov 21, 2011 at 08:31:11PM +0100, Amedee Van Gasse wrote:
> On 21-11-11 16:51, W. Scott Lockwood III wrote:
> >I find it far more curious that attempting to view your signature results
> >in:
> >Not allowed here
> >Sorry, you don't have permission to access this page.
> >
> >You are logged in as Scott Lockwood.
> 
> Perhaps we can only view our own signatures?
> 
> 2007-02-18: digitally signed by Amedee Van Gasse (1024D/82BA02FC)

Correct; that page is restricted to the user in question and the
Launchpad administrators.  lib/lp/registry/browser/configure.zcml:

          <browser:page
              name="+codesofconduct"
              for="lp.registry.interfaces.person.IPerson"
              permission="launchpad.Edit"
              class="lp.registry.browser.person.PersonCodeOfConductEditView"
              template="../templates/person-codesofconduct.pt"/>

And lib/canonical/launchpad/security.py:

  class EditPersonBySelfOrAdmins(AuthorizationBase):
      permission = 'launchpad.Edit'
      usedfor = IPerson
  
      def checkAuthenticated(self, user):
          """A user can edit the Person who is herself.
  
          The admin team can also edit any Person.
          """
          return self.obj.id == user.person.id or user.in_admin

It does seem slightly odd that you can see the fact that somebody else
signed the code of conduct, but not when; it's possible that this is
unintentional, as there's no explicit security model applied to
SignedCodeOfConduct that I can see, but it just so happens that the only
place that's ever rendered is on the +codesofconduct edit page.  It
might be worth filing a bug about that if it's something you care about.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]
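
Added example (not part of the original message and not Launchpad code): a simplified Python model of the gap described above, where the signature is protected only because the one view that renders it is guarded on the Person. Everything except the quoted `EditPersonBySelfOrAdmins` rule is hypothetical, including the second view and the assumption that an object with no registered policy is rendered without a check.

```python
from dataclasses import dataclass

@dataclass
class Person:
    id: int
    in_admin: bool = False

@dataclass
class SignedCodeOfConduct:
    owner: Person
    datecreated: str

class EditPersonBySelfOrAdmins:
    """Same rule as the quoted adapter: the person themselves, or an admin."""
    def __init__(self, obj):
        self.obj = obj
    def check_authenticated(self, user):
        return self.obj.id == user.id or user.in_admin

class ViewSignatureByOwnerOrAdmins:
    """Hypothetical object-level policy: delegate to the owner's Person rule."""
    def __init__(self, obj):
        self.obj = obj
    def check_authenticated(self, user):
        return EditPersonBySelfOrAdmins(self.obj.owner).check_authenticated(user)

# Policy registry keyed by object type. SignedCodeOfConduct starts with no
# entry, modelling "no explicit security model" (assumption of this sketch).
POLICIES = {Person: EditPersonBySelfOrAdmins}

def check(obj, user):
    policy = POLICIES.get(type(obj))
    # Assumption: an object without a registered policy is not checked at all.
    return True if policy is None else policy(obj).check_authenticated(user)

def codesofconduct_page(person, sig, user):
    """Guarded on the Person, like the +codesofconduct page."""
    if not check(person, user):
        return "Not allowed here"
    return f"signed {sig.datecreated}"

def hypothetical_second_page(sig, user):
    """A later view that renders the signature and checks only the signature."""
    if not check(sig, user):
        return "Not allowed here"
    return f"signed {sig.datecreated}"
```

Registering `ViewSignatureByOwnerOrAdmins` for `SignedCodeOfConduct` in `POLICIES` makes the second page refuse other users as well, so the protection no longer depends on which view happens to render the object.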




More information about the ubuntu-users mailing list