Description of problem:
Using the account service via the REST API, anyone is able to get a user's API key, provided they know their username.

Version-Release number of selected component (if applicable):
Tested on 3.2.1 (20131129-0009)

How reproducible:
Always

Steps to Reproduce:
1. Go to <HOST>/rest/accounts/u/{username} without providing any auth details (where {username} is the name of a user in the system).
2. Observe the API key is returned in the response.

Actual results:
A user's API key is exposed to anyone.

Expected results:
A user's API key (or even user information) should only be exposed to its owner or people with adequate permissions (i.e. admins).

Additional info:
Restricted Account REST service to admin users only. See: https://github.com/zanata/zanata-server/pull/341
Verified at 6d62fa3ad5db48d5c3ad3b9927f84bf306f3cdc6
Closing VERIFIED bugs for Zanata server 3.3.2.
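
The missing check described in this report, next to an admin-only check of the kind the fix comment describes, as an added example that is not part of the original report and is not Zanata's code. The in-memory accounts, the `Caller` type, the handler names and the key values are all constructed for illustration.

```python
"""Constructed model of GET /rest/accounts/u/{username}; not Zanata code."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: usernames, roles and key values are made up.
ACCOUNTS = {
    "alice": {"username": "alice", "roles": ["user"], "apiKey": "EXAMPLE-KEY-ALICE"},
    "root": {"username": "root", "roles": ["admin"], "apiKey": "EXAMPLE-KEY-ROOT"},
}

@dataclass
class Caller:
    """Hypothetical authenticated principal; None stands for no credentials."""
    username: str
    roles: tuple = ()

def get_account_before(username: str, caller: Optional[Caller]):
    """Behaviour described in the report: no check on who is asking."""
    account = ACCOUNTS.get(username)
    if account is None:
        return 404, None
    return 200, dict(account)

def get_account_after(username: str, caller: Optional[Caller]):
    """Admin-only access. The check runs before the lookup, so a rejected
    caller cannot tell an existing username from a missing one."""
    if caller is None:
        return 401, None
    if "admin" not in caller.roles:
        return 403, None
    account = ACCOUNTS.get(username)
    if account is None:
        return 404, None
    return 200, dict(account)

def audit(handler):
    """Return (caller, target) pairs where a non-admin caller receives an apiKey."""
    callers = [None, Caller("alice", ("user",)), Caller("root", ("admin",))]
    leaks = []
    for caller in callers:
        for target in ACCOUNTS:
            status, body = handler(target, caller)
            is_admin = caller is not None and "admin" in caller.roles
            if status == 200 and body and "apiKey" in body and not is_admin:
                leaks.append((caller.username if caller else "anonymous", target))
    return leaks

if __name__ == "__main__":
    print("before:", audit(get_account_before))
    print("after: ", audit(get_account_after))
```

The `audit` matrix (every caller type against every account) is the shape a regression test for this bug would take: it fails on the first handler and passes on the second.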