Bug 1020300 - Password gets shown on a retrieval of a particular user info
Product: Pulp
Classification: Community
Component: API/integration
medium Severity unspecified
: 2.4.0
Assigned To: Barnaby Court
Ina Panova
: Triaged
Reported: 2013-10-17 08:11 EDT by Ina Panova
Modified: 2014-08-09 02:56 EDT (History)
Doc Type: Bug Fix
Last Closed: 2014-08-09 02:56:26 EDT
Type: Bug
Description Ina Panova 2013-10-17 08:11:56 EDT
Description of problem:
The password field is shown when a user's info is requested via the API, while the docs claim that the password should be excluded:


Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. create user
2. retrieve user's info details

Actual results:
password is shown among user's details

Expected results:
password should not be shown

Additional info:

[root@ec2-50-19-147-225 ~]# curl -i -L -k -X POST -H "Content-Type: application/json" -d '{"login":"user01", "password":"user01"}' https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/ 
HTTP/1.1 201 Created
Date: Thu, 17 Oct 2013 11:34:36 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Location: user01
Content-Length: 184
Content-Type: application/json

[root@ec2-50-19-147-225 ~]# curl -i -L -k -X GET -H "Content-Type: application/json" https://admin:admin@ec2-50-19-147-225.compute-1.amazonaws.com/pulp/api/v2/users/user01/
HTTP/1.1 200 OK
Date: Thu, 17 Oct 2013 11:35:40 GMT
Server: Apache/2.4.6 (Fedora) OpenSSL/1.0.1e-fips mod_wsgi/3.4 Python/2.7.5
Content-Length: 257
Content-Type: application/json

{"_id": {"$oid": "525fcb4cda892d073367a621"}, "name": "user01", "roles": [], "_ns": "users", "login": "user01", "password": "99R+k4UJd70=,OxhzBRvNgGgYmtUPEFFoQ1pQep3nH/gBmdHtMcHItGc=", "id": "525fcb4cda892d073367a621", "_href": "/pulp/api/v2/users/user01/"}[root@ec2-50-19-147-225 ~]#
Comment 1 Barnaby Court 2013-11-22 10:56:03 EST
Comment 2 Jeff Ortel 2014-04-03 09:36:00 EDT
build: 2.4.0-0.7.beta
Comment 3 Ina Panova 2014-04-09 09:19:06 EDT
Tested in pulp-server-2.4.0-0.8.beta.fc20.noarch

$ curl -H "Content-Type: application/json" -X GET -k -u admin:admin 'https://example.com/pulp/api/v2/users/test/'| python -m json.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   141  100   141    0     0     72      0  0:00:01  0:00:01 --:--:--    72
{
    "_href": "/pulp/api/v2/users/test/",
    "_id": {
        "$oid": "5345415e1f6ea8023a2c5d64"
    },
    "_ns": "users",
    "login": "test",
    "name": "test",
    "roles": []
}

Moving to Verified.
Comment 4 Randy Barlow 2014-08-09 02:56:26 EDT
This has been fixed in Pulp 2.4.0-1.
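
Added example, not part of the original bug thread and not Pulp's own code: a regression check for the leak reported above, pairing an allowlist serializer with a recursive scan of the response body for a `password` key. The names `serialize_user`, `find_sensitive_keys`, `PUBLIC_USER_FIELDS` and `STORED_USER` are hypothetical, the allowlist is taken from the fields visible in the verified response in comment 3, and the sample document is constructed.

```python
import json

# Fields present in the verified response in comment 3; using them as an
# allowlist is this example's assumption, not Pulp's actual fix.
PUBLIC_USER_FIELDS = ("_href", "_id", "_ns", "login", "name", "roles")
SENSITIVE_KEYS = {"password"}

# Constructed stored user document shaped like the response in the description;
# the password value is a placeholder, not a real salted hash.
STORED_USER = json.loads("""
{"_id": {"$oid": "000000000000000000000000"}, "name": "user01", "roles": [],
 "_ns": "users", "login": "user01", "password": "<salt>,<hash>",
 "id": "000000000000000000000000", "_href": "/pulp/api/v2/users/user01/"}
""")


def serialize_user(user_doc):
    """Copy only allowlisted fields, so a field added to the stored
    document later is not exposed by default."""
    return {k: user_doc[k] for k in PUBLIC_USER_FIELDS if k in user_doc}


def find_sensitive_keys(value, path=""):
    """Return the paths of sensitive keys anywhere in a parsed JSON body."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                hits.append(child_path)
            hits.extend(find_sensitive_keys(child, child_path))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_sensitive_keys(child, f"{path}[{index}]"))
    return hits


if __name__ == "__main__":
    print("raw document:", find_sensitive_keys(STORED_USER))
    print("serialized:  ", find_sensitive_keys(serialize_user(STORED_USER)))
    # A list endpoint must pass the same check for every element.
    print("list body:   ", find_sensitive_keys([STORED_USER, STORED_USER]))
```

Running `find_sensitive_keys` over the parsed body of every user endpoint in an API test suite turns this bug into a failing test if the field ever reappears.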
