Bug 1020300

Summary: Password gets shown on a retrieval of a particular user info
Product: [Retired] Pulp
Component: API/integration
Version: 2.2
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: medium
Hardware: Unspecified
OS: Unspecified
Target Release: 2.4.0
Reporter: Ina Panova <ipanova>
Assignee: Barnaby Court <bcourt>
QA Contact: Ina Panova <ipanova>
CC: bcourt, skarmark
Keywords: Triaged
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-08-09 06:56:26 UTC

Description Ina Panova 2013-10-17 12:11:56 UTC
Description of problem:
The password field is shown when a user's info is requested via the API, while the docs claim that the password should be excluded:

https://pulp-dev-guide.readthedocs.org/en/pulp-2.2/integration/rest-api/user/retrieval.html

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:

1. create user
2. retrieve user's info details

Actual results:
password is shown among user's details


Expected results:
password should not be shown

Additional info:

[root@ec2-50-19-147-225 ~]# curl -i -L -k -X POST -H "Content-Type: application/json" -d '{"login":"user01", "password":"user01"}' https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/ 
HTTP/1.1 201 Created
Date: Thu, 17 Oct 2013 11:34:36 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Location: user01
Content-Length: 184
Content-Type: application/json


[root@ec2-50-19-147-225 ~]# curl -i -L -k -X GET -H "Content-Type: application/json" https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/user01/
HTTP/1.1 200 OK
Date: Thu, 17 Oct 2013 11:35:40 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Content-Length: 257
Content-Type: application/json

{"_id": {"$oid": "525fcb4cda892d073367a621"}, "name": "user01", "roles": [], "_ns": "users", "login": "user01", "password": "99R+k4UJd70=,OxhzBRvNgGgYmtUPEFFoQ1pQep3nH/gBmdHtMcHItGc=", "id": "525fcb4cda892d073367a621", "_href": "/pulp/api/v2/users/user01/"}[root@ec2-50-19-147-225 ~]#

Comment 1 Barnaby Court 2013-11-22 15:56:03 UTC
https://github.com/pulp/pulp/pull/717

Comment 2 Jeff Ortel 2014-04-03 13:36:00 UTC
build: 2.4.0-0.7.beta

Comment 3 Ina Panova 2014-04-09 13:19:06 UTC
Tested in pulp-server-2.4.0-0.8.beta.fc20.noarch

$ curl -H "Content-Type: application/json" -X GET -k -u admin:admin 'https://example.com/pulp/api/v2/users/test/'| python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   141  100   141    0     0     72      0  0:00:01  0:00:01 --:--:--    72
{
    "_href": "/pulp/api/v2/users/test/",
    "_id": {
        "$oid": "5345415e1f6ea8023a2c5d64"
    },
    "_ns": "users",
    "login": "test",
    "name": "test",
    "roles": []
}

Moving to Verified.

Comment 4 Randy Barlow 2014-08-09 06:56:26 UTC
This has been fixed in Pulp 2.4.0-1.
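
Added example (not part of the bug report and not Pulp's own code): a regression check that scans a JSON response body for credential fields at any depth, next to an allowlist serializer that produces the field set shown in the verified response in comment 3. The function names, the SENSITIVE_KEYS set and the sample document are assumptions constructed for illustration.

```python
import json

# Assumption: keys treated as credential material. Only "password" appears in the report.
SENSITIVE_KEYS = frozenset({"password"})

# Fields present in the verified response in comment 3.
ALLOWED_FIELDS = ("_href", "_id", "_ns", "login", "name", "roles")

# Constructed sample shaped like the stored user document; the hash is a placeholder.
STORED_USER = {
    "_id": {"$oid": "000000000000000000000000"},
    "_ns": "users", "login": "user01", "name": "user01", "roles": [],
    "password": "<salt>,<hash>", "_href": "/pulp/api/v2/users/user01/",
}


def find_sensitive_paths(doc, sensitive=SENSITIVE_KEYS, path=""):
    """Return the JSON path of every sensitive key found anywhere in doc."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in sensitive:
                hits.append(here)
            hits.extend(find_sensitive_paths(value, sensitive, here))
    elif isinstance(doc, list):
        # Collection responses (a list of users) are walked element by element.
        for i, item in enumerate(doc):
            hits.extend(find_sensitive_paths(item, sensitive, f"{path}[{i}]"))
    return hits


def serialize_user(db_doc, allowed=ALLOWED_FIELDS):
    """Build the API view from an allowlist, so a field added to the
    stored document later is not exposed unless it is listed here."""
    return {k: db_doc[k] for k in allowed if k in db_doc}


def check_response(body):
    """Regression check for a raw response body: returns the leaked paths."""
    return find_sensitive_paths(json.loads(body))


if __name__ == "__main__":
    print(check_response(json.dumps(STORED_USER)))                  # raw document
    print(check_response(json.dumps(serialize_user(STORED_USER))))  # allowlisted view
```

Running check_response over the bodies returned by both the single-user and the user-list endpoints in an API test suite catches a reintroduction of the leak.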