Bug 1271155 - logged_in gives false positive when token does not match user name
logged_in gives false positive when token does not match user name
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: python-bugzilla (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Cole Robinson
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-13 05:23 EDT by Michal Hlavinka
Modified: 2015-10-19 15:50 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-19 15:50:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Hlavinka 2015-10-13 05:23:16 EDT
Description of problem:
Property logged_in returns False positive when token for other user is present. Any bug manipulation will fail (as expected).

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. login in as one user, let it create .bugzillatoken
2. remove .bugzillacookie and password from .bugzillarc, change name in .bugzillarc to different user


Actual results:
logged_in returns true, any bug manipulation (add a comment) will fail


Expected results:
logged_in returns false

Additional info:
I use logged_in to verify that token is true, to use the token both token and name must be provided to the server, so I verify it using this code:

try:
  uid = int(token.split('-')[0])
  user = bz._proxy.User.get({'ids': [uid]})
  if user['users'][0]['name'] == user:
    return True
except:
  pass
return False
Comment 1 Cole Robinson 2015-10-15 21:47:03 EDT
Thanks for the report. What python-bugzilla version is this?

I tried to reproduce but couldn't, but I'm not sure if I followed your steps correctly. Can you try to distill a reproducer to a concrete set of shell commands, and then a test script with:

logging.basicConfig(level=logging.DEBUG)

in it, and post the full results
Comment 3 Michal Hlavinka 2015-10-19 13:32:26 EDT
Seems I was wrong. Verify function for bugzilla >=5.0 requires both token and username, but it seems that present function ignores username completely. When I tried wrong combination of username and token, it did not work, but it does now, so I probably made some mistake. If you agree, we can close this bug, probably as "worksforme".
Comment 4 Cole Robinson 2015-10-19 15:50:27 EDT
Okay, closing. thanks for testing

FWIW if you ever need to do bugzilla testing, you can use the public partner-bugzilla.redhat.com instance: shares same login credentials, but the content is wiped and synced with bugzilla.redhat.com every now and then.

Note You need to log in before you can comment on or make changes to this bug.