Closed
Bug 841951
Opened 11 years ago
Closed 10 years ago
Cannot download rejected packaged apps versions
Categories
(Marketplace Graveyard :: Developer Pages, defect, P4)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: krupa.mozbugs, Unassigned)
Details
(Keywords: regression, Whiteboard: p=2 [incorrect_implementation])
Attachments
(1 file)
195.71 KB,
image/png
steps to reproduce:
1. Submit a packaged app
2. Reject this app from the Reviewer tools
3. Try to download the app from its Manage Status page - https://marketplace-dev.allizom.org/developers/app/test-app-subdomain-4/status
4. Load https://marketplace-dev.allizom.org/reviewers/apps/review/test-app-subdomain-4 and click to view the Contents
expected behavior: Reviewers and developers can still see/download of a rejected app
observed behavior: We don't allow this anymore. This used to work.
Comment 1•11 years ago
I tried to reproduce locally but couldn't. Which role can't download the file? The author? The reviewer? Perhaps admins can and that's why it's working for me locally?
Comment 2•11 years ago
The file doesn't appear to be on the file system:
>>> from apps.files.models import File
>>> f = File.objects.get(pk=185395)
>>> f.file_path
u'/mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip'
$ ls /mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip
ls: cannot access /mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip: No such file or directory
Reporter
Comment 3•11 years ago
(In reply to Rob Hudson [:robhudson] from comment #1)
> I tried to reproduce locally but couldn't.
>
> Which role can't download the file? The author? The reviewer? Perhaps admins
> can and that's why it's working for me locally?
I tried as an admin, reviewer and developer.
Updated•11 years ago
Assignee: nobody → mattbasta
Updated•11 years ago
Target Milestone: 2013-02-28 → 2013-03-28
Updated•11 years ago
Priority: -- → P4
Whiteboard: p=2
Updated•11 years ago
Target Milestone: 2013-03-28 → 2013-04-04
Updated•11 years ago
Target Milestone: 2013-04-04 → ---
Comment 4•11 years ago
Why are we giving developers access to apps that have been explicitly rejected?
Updated•11 years ago
Assignee: mattbasta → nobody
Comment 5•11 years ago
(In reply to Matt Basta [:basta] from comment #4)
> Why are we giving developers access to apps that have been explicitly
> rejected?
....why wouldn't we? They are the ones that uploaded them
Comment 6•11 years ago
If you uploaded your package and then immediately deleted your source code and you don't have a backup, then that sounds a lot like a really low priority issue.

We also shouldn't be encouraging developers to take their rejected packages, unzip them, fix the issues, and submit them back to us. We should be encouraging them to use version control, have clean build processes, and be mindful of the changes they make. Plus, there's a whole host of pitfalls that could happen along the way: they forget to remove the signature directory (validation error), they introduce hidden files (validation warning, iirc), file encodings change, two files with the same name in the zip (potentially a validation error depending on how they do it).

On top of that, it increases our attack surface area. If we're hosting rejected packages, all it takes is one bug in the way we grant access to those packages for someone to start linking to them remotely and distributing signed (!) malware from our servers.

Also note that other app stores don't let you download your rejected submissions (partly because they're useless binary blobs) for precisely these reasons.
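The repackaging pitfalls listed in comment 6, as an added example that is not part of the original thread or of the Marketplace code base: a Python check over a re-zipped package for a leftover signature directory, hidden files and duplicate entry names. The `META-INF/` directory name and the sample archive contents are assumptions constructed for illustration; the Marketplace validator's actual rules are not shown on this page.

```python
import io
import warnings
import zipfile
from collections import Counter

# Assumption: the signature directory is META-INF/, as in JAR-style signed zips.
SIGNATURE_DIR = "META-INF/"


def is_hidden(name):
    """True if any path component is a dotfile or macOS archive residue."""
    parts = [p for p in name.split("/") if p]
    return any(p.startswith(".") or p == "__MACOSX" for p in parts)


def check_package(data):
    """Return a sorted list of (kind, entry_name) findings for a zip given as bytes."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() keeps every central-directory entry, including duplicates.
        names = [info.filename for info in zf.infolist()]
    for name, count in Counter(names).items():
        if count > 1:
            findings.add(("duplicate-name", name))
    for name in names:
        if name.upper().startswith(SIGNATURE_DIR):
            findings.add(("signature-dir", name))
        if is_hidden(name):
            findings.add(("hidden-file", name))
    return sorted(findings)


def build_sample():
    """Constructed sample: a re-zipped package exhibiting all three pitfalls."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("manifest.webapp", "{}")
            zf.writestr("index.html", "<html></html>")
            zf.writestr("index.html", "<html>edited</html>")
            zf.writestr("META-INF/signature.rsa", "stale signature")
            zf.writestr(".DS_Store", "")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, name in check_package(build_sample()):
        print(kind, name)
```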
Comment 7•11 years ago
(In reply to Matt Basta [:basta] from comment #6)
> On top of that, it increases our attack surface area. If we're hosting
> rejected packages, all it takes is one bug in the way we grant access to
> those packages for someone to start linking to them remotely and
> distributing signed (!) malware from our servers.
The downloads should never link to the signed packages (and if the app was rejected it didn't get signed). The intention was always to link to the original uploaded zip file, which we keep separate from the publicly signed app and the reviewer signed app.
Updated•10 years ago
Whiteboard: p=2 → p=2 [incorrect_implementation]
Comment 9•10 years ago
Thanks for filing, but we don't think this is something we are concerned with fixing.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Comment 10•10 years ago
Even the download status of the apps in the marketplace cannot be seen in the new version of the marketplace... please reopen this bug. Check the screenshots.
Flags: needinfo?(clouserw)
Comment 11•10 years ago
That's unrelated to this bug (and I'm pretty sure is in a fix going out this week or next, but I don't have the bug number)
Flags: needinfo?(clouserw)