Bug 1020300 - Password gets shown on a retrieval of a particular user info
Summary: Password gets shown on a retrieval of a particular user info
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: API/integration
Version: 2.2
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: ---
: 2.4.0
Assignee: Barnaby Court
QA Contact: Ina Panova
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-17 12:11 UTC by Ina Panova
Modified: 2014-08-09 06:56 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-09 06:56:26 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Ina Panova 2013-10-17 12:11:56 UTC 
Description of problem:
the password field is shown when user's info in requested via api meanwhile docs claim that password should be excluded:

https://pulp-dev-guide.readthedocs.org/en/pulp-2.2/integration/rest-api/user/retrieval.html

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:

1. create user
2. retrieve user's info details

Actual results:
password is shown among user's details


Expected results:
password should not be shown

Additional info:

[root@ec2-50-19-147-225 ~]# curl -i -L -k -X POST -H "Content-Type: application/json" -d '{"login":"user01", "password":"user01"}' https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/ 
HTTP/1.1 201 Created
Date: Thu, 17 Oct 2013 11:34:36 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Location: user01
Content-Length: 184
Content-Type: application/json


[root@ec2-50-19-147-225 ~]# curl -i -L -k -X GET -H "Content-Type: application/json" https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/user01/
HTTP/1.1 200 OK
Date: Thu, 17 Oct 2013 11:35:40 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Content-Length: 257
Content-Type: application/json

{"_id": {"$oid": "525fcb4cda892d073367a621"}, "name": "user01", "roles": [], "_ns": "users", "login": "user01", "password": "99R+k4UJd70=,OxhzBRvNgGgYmtUPEFFoQ1pQep3nH/gBmdHtMcHItGc=", "id": "525fcb4cda892d073367a621", "_href": "/pulp/api/v2/users/user01/"}[root@ec2-50-19-147-225 ~]#
Comment 1 Barnaby Court 2013-11-22 15:56:03 UTC 
https://github.com/pulp/pulp/pull/717
Comment 2 Jeff Ortel 2014-04-03 13:36:00 UTC 
build: 2.4.0-0.7.beta
Comment 3 Ina Panova 2014-04-09 13:19:06 UTC 
Tested in pulp-server-2.4.0-0.8.beta.fc20.noarch

$ curl -H "Content-Type: application/json" -X GET -k -u admin:admin 'https://example.com/pulp/api/v2/users/test/'| python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   141  100   141    0     0     72      0  0:00:01  0:00:01 --:--:--    72
{
    "_href": "/pulp/api/v2/users/test/",
    "_id": {
        "$oid": "5345415e1f6ea8023a2c5d64"
    },
    "_ns": "users",
    "login": "test",
    "name": "test",
    "roles": []
}

Moving to Verified.
Comment 4 Randy Barlow 2014-08-09 06:56:26 UTC 
This has been fixed in Pulp 2.4.0-1.
Note You need to log in before you can comment on or make changes to this bug.