Bug 1271155

Summary: logged_in gives false positive when token does not match user name
Product: [Fedora] Fedora
Component: python-bugzilla
Version: 22
Status: CLOSED WORKSFORME
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Michal Hlavinka <mhlavink>
Assignee: Cole Robinson <crobinso>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: crobinso, dzickus, jskarvad, mhlavink, wwoods
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-10-19 19:50:27 UTC

Description Michal Hlavinka 2015-10-13 09:23:16 UTC
Description of problem:
Property logged_in returns a false positive when a token for another user is present. Any bug manipulation will fail (as expected).

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. log in as one user, let it create .bugzillatoken
2. remove .bugzillacookie and password from .bugzillarc, change name in .bugzillarc to a different user


Actual results:
logged_in returns true, any bug manipulation (add a comment) will fail


Expected results:
logged_in returns false

Additional info:
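I use logged_in to verify that the token is true. To use the token, both token and name must be provided to the server, so I verify it using this code:

def token_matches_user(bz, token, username):
  try:
    # The code takes the numeric prefix before the first '-' as the user id.
    uid = int(token.split('-')[0])
    # Keep the lookup result in its own name so it does not shadow the username.
    result = bz._proxy.User.get({'ids': [uid]})
    if result['users'][0]['name'] == username:
      return True
  except Exception:
    # Malformed token or failed lookup: treat as no match.
    pass
  return False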

Comment 1 Cole Robinson 2015-10-16 01:47:03 UTC
Thanks for the report. What python-bugzilla version is this?

I tried to reproduce but couldn't, but I'm not sure if I followed your steps correctly. Can you try to distill a reproducer to a concrete set of shell commands, and then a test script with:

logging.basicConfig(level=logging.DEBUG)

in it, and post the full results

Comment 3 Michal Hlavinka 2015-10-19 17:32:26 UTC
Seems I was wrong. The verify function for bugzilla >=5.0 requires both token and username, but it seems that the present function ignores the username completely. When I tried a wrong combination of username and token, it did not work, but it does now, so I probably made some mistake. If you agree, we can close this bug, probably as "worksforme".

Comment 4 Cole Robinson 2015-10-19 19:50:27 UTC
Okay, closing. Thanks for testing.

FWIW if you ever need to do bugzilla testing, you can use the public partner-bugzilla.redhat.com instance: it shares the same login credentials, but the content is wiped and synced with bugzilla.redhat.com every now and then.