Bug 1054524 - Users api key is accessible by anyone
Status: CLOSED CURRENTRELEASE
Product: Zanata
Classification: Community
Component: Security
Version: 3.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Release: 3.3
Assigned To: Carlos Munoz
QA Contact: Damian Jansen
Reported: 2014-01-16 20:27 EST by Lee Newson
Modified: 2014-03-20 01:47 EDT

Fixed In Version: 3.3.0-SNAPSHOT (20140207-1602)
Doc Type: Bug Fix
Last Closed: 2014-03-20 01:47:09 EDT
Type: Bug
Description Lee Newson 2014-01-16 20:27:28 EST
Description of problem:

Using the account service via the REST API, anyone is able to get a user's API key, provided they know their username.

Version-Release number of selected component (if applicable):
Tested on 3.2.1 (20131129-0009)

How reproducible:
Always

Steps to Reproduce:
1. Go to <HOST>/rest/accounts/u/{username} without providing any auth details (where {username} is the name of a user in the system).
2. Observe the api key is returned in the response.

Actual results:
A user's API key is exposed to anyone.

Expected results:
A user's API key (or even user information) should only be exposed to its owner or people with adequate permissions (i.e. admins).

Additional info:
Comment 1 Carlos Munoz 2014-01-17 01:12:29 EST
Restricted Account REST service to admin users only.

See:
https://github.com/zanata/zanata-server/pull/341
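A regression check for the endpoint named in the description and the admin-only restriction described in this comment, as an added example (it is not part of the bug report or of the Zanata code base). It sends the same anonymous GET as step 1 and expects a refusal; the JSON field names it looks for in a leaked account record are assumptions.

```python
"""Regression check for bug 1054524: an anonymous GET on
/rest/accounts/u/{username} must be refused, not answered with the
account record (which contained the API key before the fix)."""
import json
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed field names for a leaked account record; adjust to the server.
SENSITIVE_FIELDS = ("apiKey", "api_key", "passwordHash")


def classify_response(status, body):
    """'ok'      -> request refused (401/403), the fixed behaviour
       'leak'    -> 200 with a record that carries a sensitive field
       'exposed' -> 200 with user data but no sensitive field
       'other'   -> anything else (e.g. 404 for an unknown user)"""
    if status in (401, 403):
        return "ok"
    if status != 200:
        return "other"
    try:
        doc = json.loads(body)
    except ValueError:
        return "other"
    if not isinstance(doc, dict):
        return "other"
    if any(field in doc for field in SENSITIVE_FIELDS):
        return "leak"
    return "exposed"


def probe_account_endpoint(base_url, username, timeout=10):
    """Issue the anonymous GET from the reproduction steps (no
    credentials sent on purpose) and classify what comes back."""
    url = f"{base_url.rstrip('/')}/rest/accounts/u/{username}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except URLError as err:
        return f"error: {err.reason}"


if __name__ == "__main__":
    base, user = sys.argv[1], sys.argv[2]  # e.g. https://zanata.example.org alice
    verdict = probe_account_endpoint(base, user)
    print(f"{user}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

Exit status 0 means the server refused the anonymous request; anything else is a finding to follow up on.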
Comment 2 Damian Jansen 2014-02-07 01:25:54 EST
Verified at 6d62fa3ad5db48d5c3ad3b9927f84bf306f3cdc6
Comment 3 Sean Flanigan 2014-03-20 01:47:09 EDT
Closing VERIFIED bugs for Zanata server 3.3.2.