Bug 1054524 - User's API key is accessible by anyone
Summary: User's API key is accessible by anyone
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Zanata
Classification: Retired
Component: Security
Version: 3.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
: 3.3
Assignee: Carlos Munoz
QA Contact: Damian Jansen
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-17 01:27 UTC by Lee Newson
Modified: 2014-03-20 05:47 UTC
CC List: 3 users

Fixed In Version: 3.3.0-SNAPSHOT (20140207-1602)
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-20 05:47:09 UTC
Embargoed:



Description Lee Newson 2014-01-17 01:27:28 UTC
Description of problem:

Using the account service via the REST API, anyone is able to get a user's API key, provided they know the username.

Version-Release number of selected component (if applicable):
Tested on 3.2.1 (20131129-0009)

How reproducible:
Always

Steps to Reproduce:
1. Go to <HOST>/rest/accounts/u/{username} without providing any auth details (where {username} is the name of a user in the system).
2. Observe that the API key is returned in the response.

Actual results:
A user's API key is exposed to anyone.

Expected results:
A user's API key (or even user information) should only be exposed to its owner or to people with adequate permissions (i.e. admins).

Additional info:

Comment 1 Carlos Munoz 2014-01-17 06:12:29 UTC
Restricted Account REST service to admin users only.

See:
https://github.com/zanata/zanata-server/pull/341

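The following is an added example, not code from the bug report or from the Zanata project: a small probe that performs the unauthenticated request from the steps to reproduce above and classifies the response, so it can double as a regression check for the restriction described in Comment 1 (an unauthenticated GET should now be refused rather than answered with account data). It assumes the key is carried in a field or attribute named apiKey and that responses are JSON or XML; neither the field name nor the serialization is stated on this page, and the sample responses below are constructed, not captured from a real server.

```python
"""Unauthenticated probe for /rest/accounts/u/{username}.

Usage (network):  python probe_account_key.py https://zanata.example.org alice
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumption: the key field/attribute is named "apiKey" (not stated on the bug page).
KEY_FIELD = "apiKey"

# Constructed sample responses for offline use; the namespace and key are made up.
VULNERABLE_JSON = '{"username": "alice", "name": "Alice", "apiKey": "0123456789abcdef0123456789abcdef"}'
VULNERABLE_XML = ('<account xmlns="urn:example:account" username="alice" '
                  'apiKey="0123456789abcdef0123456789abcdef"/>')
NO_KEY_JSON = '{"username": "alice", "name": "Alice"}'


def extract_api_key(body: str, content_type: str = ""):
    """Return the apiKey value from a JSON or XML account document, or None."""
    text = body.strip()
    if not text:
        return None
    if "json" in content_type or text.startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return None
        return doc.get(KEY_FIELD) if isinstance(doc, dict) else None
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return None
    # Attribute form <account apiKey="..."/> first, then a child element, ignoring namespaces.
    if KEY_FIELD in root.attrib:
        return root.attrib[KEY_FIELD]
    for el in root.iter():
        if el.tag.split("}")[-1] == KEY_FIELD and el.text:
            return el.text.strip()
    return None


def assess(status: int, body: str, content_type: str = "") -> dict:
    """Classify one unauthenticated response. The key itself is never returned,
    only whether it was present, so the probe does not leak what it finds."""
    key = extract_api_key(body, content_type) if status == 200 else None
    return {
        "status": status,
        "key_exposed": key is not None,
        "auth_enforced": status in (401, 403),
    }


def probe(host: str, username: str) -> dict:
    """GET the account resource with no credentials at all (network call)."""
    url = f"{host.rstrip('/')}/rest/accounts/u/{urllib.parse.quote(username)}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return assess(resp.status, resp.read().decode("utf-8", "replace"),
                          resp.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as e:
        return assess(e.code, e.read().decode("utf-8", "replace"),
                      e.headers.get("Content-Type", ""))


if __name__ == "__main__":
    print(json.dumps(probe(sys.argv[1], sys.argv[2])))
```

A server still affected by this bug yields key_exposed=True; after the fix, an anonymous request should yield auth_enforced=True. A 200 that merely omits the key is reported as neither, which is worth flagging separately since the expected result above asks for the whole account record, not just the key, to be restricted.
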
Comment 2 Damian Jansen 2014-02-07 06:25:54 UTC
Verified at 6d62fa3ad5db48d5c3ad3b9927f84bf306f3cdc6

Comment 3 Sean Flanigan 2014-03-20 05:47:09 UTC
Closing VERIFIED bugs for Zanata server 3.3.2.

