Closed Bug 1018325 Opened 10 years ago Closed 8 years ago

[PulseGuardian] Restrict logins to mozillians

Categories

(Webtools :: Pulse, defect, P2)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mcote, Assigned: mcc.ricardo)

After thinking about this more and dealing with some (admittedly accidental) abuse of Pulse last night, I can't think of a good reason for letting anyone at all register PulseGuardian accounts.  We should restrict this service to vouched Mozillians, probably using Persona like we do for many services, such as Air Mozilla.  The system should otherwise work as it does now, except that logging in should (via Persona) now be separated from creating a Rabbit user.

Eventually we may want to allow creating multiple users associated with the same account, but for now one is probably enough.
Totally forgot this bug!

So we switched to Persona since then, but still unsure how to restrict login to mozillians. Maybe there's a people API for this? (otherwise we could just restrict based on the email domains)
Status: NEW → ASSIGNED
OS: Mac OS X → All
Hardware: x86 → All
I don't know exactly, but, as I mentioned, we restrict logins to things like Air Mozilla to Mozillians; we should figure out what they do. :peterbe might know; needinfoing him.
Flags: needinfo?(peterbe)
Air Mozilla does a couple of things with the Mozillians API that aren't just about auth.
But it starts here:
https://github.com/mozilla/airmozilla/blob/master/airmozilla/base/mozillians.py#L38

With that little function available, the way we use this is by using the django-browserid plugin, which allows you to override the class that does something once when a user has signed in with Persona.
https://github.com/mozilla/airmozilla/blob/master/airmozilla/auth/views.py#L32-L45

The logic is simple:

1. You managed to auth with Persona? Great.
2. Is the domain of your email address something like 'mozilla.com' or 'mozillafoundation.org' or ... Then you're in!
3. No, but does your email address match an account on mozillians.org (User API) that is vouched for? Then you're in!
Flags: needinfo?(peterbe)
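The three checks listed in the comment above, written out as a login gate. This is an added example, not Air Mozilla's or PulseGuardian's code: `lookup_vouched` is a hypothetical callable standing in for a Mozillians User API query, and `sample_lookup` with its addresses is constructed sample data. It assumes addresses are compared case-insensitively, matches domains exactly, and denies access when the vouched lookup fails.

```python
# Added example: the three-step login gate described in the comment above.
# ALLOWED_DOMAINS holds the two domains named in the thread; `lookup_vouched`
# is a hypothetical stand-in for a Mozillians User API query.
from typing import Callable, Optional

ALLOWED_DOMAINS = frozenset({"mozilla.com", "mozillafoundation.org"})


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain, or None if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_authorized(verified_email: Optional[str],
                  lookup_vouched: Callable[[str], bool]) -> bool:
    """verified_email is what the identity provider asserted; None = no login."""
    if not verified_email:
        return False                      # step 1: no verified identity
    domain = email_domain(verified_email)
    if domain is None:
        return False
    if domain in ALLOWED_DOMAINS:         # step 2: exact match only, so
        return True                       # suffix/substring lookalikes fail
    try:
        # step 3: any other address must belong to a vouched account
        return lookup_vouched(verified_email.strip().lower()) is True
    except Exception:
        return False                      # fail closed if the lookup breaks


# Constructed sample data for the stand-in lookup.
_VOUCHED = {"contributor@example.org"}


def sample_lookup(email: str) -> bool:
    if email == "timeout@example.org":
        raise TimeoutError("constructed failure")
    return email in _VOUCHED
```
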
Ahmed, I don't think you're actively working on this, so I'm unassigning you just to free it up for other contributors.  Please correct me if I'm wrong (and please feel free to look at other PulseGuardian bugs if you're ever bored :).
Assignee: ahmed.kachkach → nobody
Status: ASSIGNED → NEW
Priority: -- → P2
Ahmed, if you're not actively working on this I'll pick it up.

Peter, thank you so much for the input. You basically gave us the solution :) Now we just need to implement and test it.
Ricardo: Ahmed didn't reassign himself in the 1.5 months since I unassigned him, so I think that means you're safe to take it. :)
Thought so. But since I would only be able to pick this up later, I just thought about alerting Ahmed :)

Assigning to me.
Assignee: nobody → mcc.ricardo
Status: NEW → ASSIGNED
Hi Mark,

In order to use the Mozillian API to check if a user is vouched, we need access to an API key. Here's the wiki for that: https://wiki.mozilla.org/Mozillians/API
Flags: needinfo?(mcote)
Ah thanks for digging that up!  I filed bug 1091682.
Flags: needinfo?(mcote)
Depends on: 1091682
Excellent :)
Might take a while to get that sorted out, so feel free to browse other bugs. :)
Absolutely. Just got home, I'll start working on something else :)
With Persona going away, we're going to switch to Okta (see bug 1286611).  This is more restrictive than Mozillians, so we won't need this bug anymore.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX