On Wed, 2010-09-22 at 08:43 +1200, Michael Hudson wrote: > > The TeamParticipation code requires review and probable revision > because > > this mechanism for determining indirect membership is not aware of > privacy. > > I guess the code that flips a team from restricted to open also needs > to > be made aware of this. Two second instinct is that you don't need to > change TeamParticipation itself, but only code that touches it -- but > am > not sure about that.
We tested allow private teams to join public and vice versa and discovered that private teams leak into the results over API and pages. In most cases the pages showed an obfuscated team, but in some cases that view oopsed because it assumed it had permission to access the object. The bugs team recently fixed an issue similar to this last scenario that involved bug subscriptions. TeamParticipation is fast at the cost that is does not know context. -- __Curtis C. Hovey_________ http://launchpad.net/
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
