On Fri, Jul 30, 2010 at 5:35 PM, Julian Edwards <[email protected]> wrote: > On Thursday 29 July 2010 17:50:35 Abel Deuring wrote: >> On 29.07.2010 15:25, Aaron Bentley wrote: >> > On 07/29/2010 07:52 AM, Abel Deuring wrote: >> >> Hi Stuart, >> >> >> >> I am currently working on >> >> https://bugs.edge.launchpad.net/malone/+bug/39674 (Attachments of >> >> private bugreports are public). This involves of course to set the >> >> attribute LFA.restricted to True for private bugs. >> >> >> >> My first idea was to simply set the restricted flag of all LFAs of >> >> BugAttachments of a bug in the method Bug.setPrivate(). >> >> >> >> But a comment from Robert in >> >> https://code.edge.launchpad.net/~adeuring/launchpad/bug-39674-lfa-editab >> >> le/+merge/29314 let me think again if we should enforce the consistency >> >> of >> >> LFA.restricted and Bug.private on the database level. >> > >> > Another option is to just make all bug attachments restricted, and let >> > the bug provide access to the attachments as appropriate. This is the >> > approach we used with merge proposal diffs. >> >> Right. But I am not sure if we really want to serve files with a size >> of, let's say, 5MB via StreamOrRedirectLibraryFileAliasView.__call__() >> if the content is public. > > Didn't Rob just fix that problem? He said he'd done a patch that involves > token passing instead of redirecting the whole file via a webapp.
Robert is still working on it. Assuming no major hiccups, Launchpad will no longer need to proxy restricted files. Instead, they can be accessed as https://launchpadlibrarian.net/123/456/file.txt?token=abc123. The token will expire after a time, at which point the librarian will redirect requests back to the appserver for a new token. So restricted files will be publicly accessible if the URL + token is leaked, but only for a limited time. -- Stuart Bishop <[email protected]> http://www.stuartbishop.net/ _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
