Closed
Bug 1340167
Opened 7 years ago
Closed 4 years ago
enforce access to permissions and roles at the database layer
Categories
(Release Engineering Graveyard :: Applications: Balrog (backend), defect, P3)
Tracking
(Not tracked)
RESOLVED
MOVED
People
(Reporter: bhearsum, Unassigned)
Details
(Whiteboard: [lang=python][ready])
In https://github.com/mozilla/balrog/pull/218, we added a new endpoint that allows someone to query for the permissions and roles of a named user. Nick correctly pointed out that we should restrict this to admins, and those users who are able to manipulate permissions. I implemented this for the new endpoint as part of that PR, but we should move this enforcement down to the database level to make sure that it is obeyed by all endpoints. We'll need to modify the interface of AUSTable.select() to do this, because it requires knowing the current user. We already pass this as "changed_by" for insert/update/delete, so we should probably add an arg like that to select().
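The design proposed in the description above, as an added example that is not Balrog's code and not part of the bug report: the read path takes the requesting user and performs the authorization check inside the table layer, so every caller inherits it. The `PermissionsTable` class, the `requested_by` argument name, the permission names `admin` and `permission`, and the in-memory SQLite store are all assumptions made for illustration.

```python
import sqlite3

class PermissionDenied(Exception):
    """Raised when the requesting user may not read permission rows."""

class PermissionsTable:
    """Hypothetical stand-in for a permissions table; not Balrog's AUSTable."""

    # Assumed permission names: holders may read other users' permissions.
    READERS = ("admin", "permission")

    def __init__(self, conn):
        self.conn = conn
        conn.execute("CREATE TABLE permissions (username TEXT, permission TEXT)")

    def insert(self, changed_by, username, permission):
        # Write-side checks are omitted; this sketch covers the read path only.
        self.conn.execute("INSERT INTO permissions VALUES (?, ?)", (username, permission))

    def _can_read(self, requested_by):
        marks = ",".join("?" * len(self.READERS))  # placeholders only, no user data
        row = self.conn.execute(
            f"SELECT 1 FROM permissions WHERE username = ? AND permission IN ({marks}) LIMIT 1",
            (requested_by, *self.READERS),
        ).fetchone()
        return row is not None

    def select(self, requested_by, username):
        # The check lives here, so every endpoint that reads through the
        # table is covered, including endpoints added later.
        if not requested_by or not self._can_read(requested_by):
            raise PermissionDenied(f"{requested_by!r} may not read permissions")
        rows = self.conn.execute(
            "SELECT permission FROM permissions WHERE username = ? ORDER BY permission",
            (username,),
        )
        return [r[0] for r in rows]

def demo():
    table = PermissionsTable(sqlite3.connect(":memory:"))
    # Constructed sample rows.
    table.insert("bootstrap", "alice", "admin")
    table.insert("alice", "bob", "release")
    allowed = table.select("alice", "bob")
    try:
        table.select("bob", "alice")
        denied = False
    except PermissionDenied:
        denied = True
    return allowed, denied
```

Making `requested_by` a required positional argument means a caller that forgets to pass the current user fails immediately instead of silently bypassing the check.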
Updated•7 years ago
Assignee: nobody → varunj.1011
Reporter
Comment 1•7 years ago
Varun, are you still planning to look at this?
Flags: needinfo?(varunj.1011)
Reporter
Comment 2•7 years ago
Unassigning due to inactivity. If you want to pick it up again, feel free to.
Assignee: varunj.1011 → nobody
Flags: needinfo?(varunj.1011)
Reporter
Updated•7 years ago
Priority: P2 → P3
Reporter
Comment 3•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → MOVED
Updated•4 years ago
Product: Release Engineering → Release Engineering Graveyard