Bug 1054524 - Users api key is accessible by anyone
Summary: Users api key is accessible by anyone
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Zanata
Classification: Retired
Component: Security
Version: 3.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
: 3.3
Assignee: Carlos Munoz
QA Contact: Damian Jansen
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-01-17 01:27 UTC by Lee Newson
Modified: 2014-03-20 05:47 UTC (History)
3 users (show)

Fixed In Version: 3.3.0-SNAPSHOT (20140207-1602)
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-20 05:47:09 UTC


Attachments (Terms of Use)

Description Lee Newson 2014-01-17 01:27:28 UTC
Description of problem:

Using the account service via the REST API anyone is able to get a users api key, provided they know their username.

Version-Release number of selected component (if applicable):
Tested on 3.2.1 (20131129-0009)

How reproducible:
Always

Steps to Reproduce:
1. Go to <HOST>/rest/accounts/u/{username} without providing any auth details (where {username} is the name of a user in the system).
2. Observe the api key is returned in the response.

Actual results:
A users api key is exposed to anyone.

Expected results:
A users api key (or even user information) should only be exposed to it's owner or people with adequate permissions (ie admins).

Additional info:

Comment 1 Carlos Munoz 2014-01-17 06:12:29 UTC
Restricted Account REST service to admin users only.

See:
https://github.com/zanata/zanata-server/pull/341

Comment 2 Damian Jansen 2014-02-07 06:25:54 UTC
Verified at 6d62fa3ad5db48d5c3ad3b9927f84bf306f3cdc6

Comment 3 Sean Flanigan 2014-03-20 05:47:09 UTC
Closing VERIFIED bugs for Zanata server 3.3.2.


Note You need to log in before you can comment on or make changes to this bug.