/srv/irclogs.ubuntu.com/2013/02/18/#launchpad-dev.txt

StevenKwgrant: Unauthorized: (<zope.browserpage.metaconfigure.SimpleViewClass from /home/steven/launchpad/lp-branches/archive-limitedview/lib/lp/soyuz/browser/../templates/archive-packages.pt object at 0x2b1e9815e290>, 'browserDefault', 'launchpad.View')<br /> I guess from traversal, which create_initialized_view doesn't call into?01:27
RoelVHi all01:43
RoelVbzr: ERROR: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed01:43
RoelVhow do I fix this?01:43
wgrantStevenK: That usually just means you don't hold launchpad.View on the object, and the view requires launchpad.View02:28
StevenKwgrant: Right. Which is expected. But the test uses create_initialized_view, which shows me the page content02:32
wgrantRight, that might skip it. Normally the page would 403 anyway because it accesses launchpad.View attributes02:33
StevenKwgrant: So this change looks okay to me, except for the +packages test for subscribers failing03:18
wgrantStevenK: What if you call the view?03:19
StevenKview.render() returns the page content03:19
wgrantAre you sure you set up the interaction correctly?03:19
wgrantSurely it needs to access some attributes that need launchpad.View03:19
StevenKThe test calls login_person(self.subscriber) and c_i_v is called with self.subscriber as the principal03:20
StevenKwgrant: The P3A is empty, so maybe I need to publish a source into it first03:25
wgrantStevenK: Doesn't getPublishedSources need launchpad.View?03:28
wgrantOh, I guess not03:28
wgrantSince it's necessary for +index03:28
wgrantSo you may be right03:28
StevenKRight03:28
wgrantBut stuff like the build counters might be protected03:28
StevenKI've moved description, is_active, is_copy, num_pkgs_building, publish, series_with_sources, signing_key and getPublishedSources()03:29
StevenKwgrant: So I can destroy the test, but I'd like to keep it03:34
StevenKMaybe I should switch it to the browser test03:35
wgrantStevenK: You probably want to adjust it so it triggers the view permission failure03:35
StevenKwgrant: Right, and it seems neither c_i_v() or c_v() will do so for me03:35
StevenKWhereas +packages requires View in the ZCML03:35
StevenK+        browser = setupBrowserForUser(self.subscriber)03:44
StevenK+        self.assertRaises(Unauthorized, browser.open, url)03:44
StevenKThat works fine, since it uses the traversal rules03:45
wgrantRight03:45
StevenKSo maybe I'll push this crap up and you can sob03:45
StevenKlib/lp/security.py:120: 'IAbstractMilestone' imported but unused03:45
wgrantOops03:45
wgrantMy fault03:45
wgrantA few weeks ago03:45
StevenKBut I got burned last time I removed useless imports :-)03:46
StevenKI shall pull it out03:46
wgrantlp.security is not webservice definitions :)03:46
StevenKwgrant: https://code.launchpad.net/~stevenk/launchpad/new-perm-for-archive-subscribers/+merge/14897404:08
wgrantStevenK: Doesn't SubscriberView want to short-circuit if View is held?04:13
StevenKProbably04:14
wgrantAlso, SubscriberView might want to imply LimitedView04:14
wgrants/might/does/04:14
StevenKwgrant: How do I imply LimitedView?04:15
wgrantStevenK: The current default LimitedView adapter delegates to View, I believe04:15
wgrantIt probably wants to fall back to SubscriberView04:15
wgrantStevenK: You also seem to be seriously allergic to VWS04:16
wgrantThere's no gap before getPulbishedSources in the interface04:16
wgrantAnd you'll want tests for the permissions04:17
StevenKThere is one before the API params04:17
wgranteg. check directly that a subscriber has SubscriberView but not View04:17
wgrant242+ )04:17
wgrant243+ # Really returns ISourcePackagePublishingHistory, see below for04:17
wgrant244+ # patch to avoid circular import.04:17
wgrant245+ @call_with(eager_load=True)04:17
wgrantNo space04:17
wgrantOh04:17
wgrantSo there is04:17
wgrantThat's just a really huge operation_parameters04:18
StevenKYes04:18
StevenKwgrant: Why do I want to imply LimitedView ?04:22
wgrantStevenK: Some things (eg. lazr.restful) won't acknowledge an object's existence without LimitedView04:22
wgranteg. objects will not appear in collections unless LimitedView is held04:22
StevenKwgrant: http://pastebin.ubuntu.com/1675575/ is the permission test04:22
StevenKwgrant: Oh, ViewArchive backs onto get_enabled_archive_filter anyway, so it should be fine, no?04:26
wgrantStevenK: What do you mean?04:26
StevenKget_enabled_archive_filter is used for checking for launchpad.View, and we use the same method for SubscriberView, so we don't need a short-cut?04:27
wgrantStevenK: ViewArchive has several shortcuts04:27
wgrantI'm not sure if get_enabled_archive_filter also has all of them, but it's almost certainly slower too04:28
StevenKRight, I want to return True if ViewArchive does?04:28
wgrantRight04:29
StevenKwgrant: http://pastebin.ubuntu.com/1675592/04:30
wgrantif check_permission(...):04:31
wgrant   return True04:31
wgrantif check_permission(...):04:31
wgrant   return True04:31
wgrantreturn False04:31
wgrantOr or, I guess04:31
StevenKwgrant: In which bit of that diff?04:33
StevenKOh, right04:33
StevenKFixing04:33
wgrantAll of it04:34
StevenKwgrant: http://pastebin.ubuntu.com/1675600/04:35
wgrantStevenK: Also, what happens when there's no SubscriberView adapter?04:38
wgrantI assume it just evaluates to False, but you should confirm04:38
wgrant     def checkAuthenticated(self, user):04:38
wgrant+        view_permission = ViewArchive.checkAuthenticated(self, user)04:38
wgrant+        if view_permission:04:38
wgrant+            return view_permission04:38
wgrantThat's a bit silly04:38
StevenKSo I considered calling if check_permission or self.store.find, but that means we need to do the work to calculate the filter if the user has View anyway04:40
wgrantfoo = bar04:41
wgrantif foo:04:41
wgrant   return foo04:41
wgrantWhere foo is boolean04:41
wgrantIs equivalent to:04:41
wgrantif bar:04:41
wgrant    return true04:41
wgrants/t/T/04:41
StevenKwgrant: No SubscriberView adapter for IArchive, or something like IProduct?04:42
wgrantStevenK: Anything04:43
wgrantBecause if something asks for LimitedView and View fails, it'll defer to SubscriberView04:43
StevenKwgrant: Hmmm, still trying to toss up how to test that04:50
StevenKAnd grumbling at the construction crew outside, who sound like they're grinding up cars04:51
wgrantStevenK: check_permission('launchpad.SubscriberView', someproduct)04:54
wgrantdone04:54
wgrantNo need for an actual test, just do it in a harness04:54
StevenKYeah04:57
StevenK------> print(check_permission('launchpad.SubscriberView', factory.makeProduct()))04:58
StevenKTrue04:58
wgrantErm04:58
wgrantSo, work out why :)05:01
StevenKSorry, dealing with the fun of car ownership05:08
StevenKwgrant: Due to PermissiveSecurityPolicy05:11
StevenKWhich returns True for anything05:11
StevenKAnd interaction being none results in <lp.services.webapp.authorization.LaunchpadPermissiveSecurityPolicy object at 0x8072d90>05:12
wgrantStevenK: Ah, right.05:13
wgrantMight have to hack the harness to use_web_security=True05:13
StevenKIn [2]: print(check_permission('launchpad.SubscriberView', factory.makeProduct()))05:16
StevenKFalse05:16
wgrantRight05:16
StevenKWith the following diff:05:16
wgrantThat is less terrifyingly incorrect05:16
StevenK-    execute_zcml_for_scripts()05:16
StevenK+    execute_zcml_for_scripts(use_web_security=True)05:16
StevenKTempted to hack iharness to respect LP_HARNESS_WEB_SECURITY=105:18
StevenK(Or so)05:18
StevenKwgrant: Diff updated05:26
wgrantStevenK: Done05:37
StevenKwgrant: Does http://pastebin.ubuntu.com/1675739/ address your concerns?05:39
wgrantStevenK: Indeed.05:42
StevenKwgrant: Where's your GC branch + Archive:+delete timeout fix up to?06:00
wgrantStevenK: Doing more archive deletion rework06:03
StevenKOh, so it won't suck. That would be nice.06:03
wgrantActually, might propose the first stage now06:16
wgrantStevenK: https://code.launchpad.net/~wgrant/launchpad/archive-defer-deletion/+merge/14898806:33
wgrantI may not be around to answer grillings06:34
* StevenK gets the chair, desk lamp and dripping tap ready06:34
StevenKwgrant: Did you consider only calling getUtility(IPublishingSet).requestDeletion() once in the publisher?06:40
wgrantStevenK: That'd delete most binaries twice06:42
* wgrant goes06:42
StevenKwgrant: So, you did consider it. r=me06:45
=== almaisan-away is now known as al-maisan
adeuringgood morning08:56
StevenKUnauthorized: (<Archive at 0xef0f490>, 'dependencies', 'launchpad.View')08:57
StevenKBah! This was the *whole* point of the exercise08:57
=== yofel_ is now known as yofel
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== Ursinha_ is now known as Ursinha
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== al-maisan is now known as almaisan-away
=== deryck is now known as deryck[lunch]
=== deryck[lunch] is now known as deryck
=== yofel_ is now known as yofel
=== almaisan-away is now known as al-maisan
=== al-maisan is now known as almaisan-away
=== almaisan-away is now known as al-maisan
=== al-maisan is now known as almaisan-away

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!