Bug 1054524

Summary: User's API key is accessible by anyone
Product: [Retired] Zanata
Reporter: Lee Newson <lnewson>
Component: Security
Assignee: Carlos Munoz <camunoz>
Status: CLOSED CURRENTRELEASE
QA Contact: Damian Jansen <djansen>
Severity: unspecified
Priority: high
Version: 3.2
CC: camunoz, djansen, sflaniga
Target Release: 3.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 3.3.0-SNAPSHOT (20140207-1602)
Doc Type: Bug Fix
Last Closed: 2014-03-20 05:47:09 UTC
Type: Bug

Description Lee Newson 2014-01-17 01:27:28 UTC
Description of problem:

Using the account service via the REST API, anyone is able to get a user's API key, provided they know their username.

Version-Release number of selected component (if applicable):
Tested on 3.2.1 (20131129-0009)

How reproducible:
Always

Steps to Reproduce:
1. Go to <HOST>/rest/accounts/u/{username} without providing any auth details (where {username} is the name of a user in the system).
2. Observe that the API key is returned in the response.

Actual results:
A user's API key is exposed to anyone.

Expected results:
A user's API key (or even user information) should only be exposed to its owner or people with adequate permissions (i.e. admins).

Additional info:

Comment 1 Carlos Munoz 2014-01-17 06:12:29 UTC
Restricted Account REST service to admin users only.

See:
https://github.com/zanata/zanata-server/pull/341
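
The unauthenticated lookup in the steps to reproduce, beside the admin-only restriction comment 1 describes, as an added Python model (not Zanata's own Java code; the Principal, Account and handler names, the in-memory store and the sample keys are constructed for illustration):

```python
"""Added example (hypothetical names, not Zanata's code): models the account
lookup before and after the fix described in comment 1."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Principal:
    """Authenticated caller; a handler receiving None treats the call as anonymous."""
    username: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Account:
    username: str
    api_key: str  # constructed sample values below, not real keys


class Forbidden(Exception):
    """Raised where the real service would answer 401/403."""


# Constructed in-memory store standing in for the server's user table.
ACCOUNTS = {
    "alice": Account("alice", "ALICE-SAMPLE-KEY"),
    "bob": Account("bob", "BOB-SAMPLE-KEY"),
}


def get_account_vulnerable(target: str, caller: Optional[Principal]) -> Account:
    """Behaviour reported above: GET /rest/accounts/u/{username} never consults
    the caller, so an anonymous request receives the API key."""
    return ACCOUNTS[target]


def get_account_fixed(target: str, caller: Optional[Principal]) -> Account:
    """Behaviour per comment 1: the Account REST service is admin-only.
    Anonymous callers and non-admin users (even the owner) are rejected
    before any lookup happens."""
    if caller is None or "admin" not in caller.roles:
        raise Forbidden("account service is restricted to admin users")
    return ACCOUNTS[target]


def api_key_leaks_anonymously(handler: Callable, target: str) -> bool:
    """Regression check: True if an anonymous call to handler reveals an API key."""
    try:
        return bool(handler(target, None).api_key)
    except Forbidden:
        return False
```

Running `api_key_leaks_anonymously` against each handler shows the report's finding for the first and the expected rejection for the second.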

Comment 2 Damian Jansen 2014-02-07 06:25:54 UTC
Verified at 6d62fa3ad5db48d5c3ad3b9927f84bf306f3cdc6

Comment 3 Sean Flanigan 2014-03-20 05:47:09 UTC
Closing VERIFIED bugs for Zanata server 3.3.2.