Guest users should not be able to call FxA users direct

VERIFIED FIXED

Status

Hello (Loop)
Server
VERIFIED FIXED
3 years ago
3 years ago

People

(Reporter: standard8, Assigned: natim)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [qa+])

Attachments

(1 attachment)

56 bytes, text/x-github-pull-request
alexis: review+
(Reporter)

Description

3 years ago
I've just confirmed this locally.

As a guest user, I'm able to create a direct call to a signed-in FxA user via their email address.

According to RT, this shouldn't be possible, as it creates the possibility to spam logged in users without being logged in.

That's correct, thanks for reporting!
(Assignee)

Updated

3 years ago
Assignee: nobody → rhubscher
Status: NEW → ASSIGNED
(Assignee)

Comment 2

3 years ago
Created attachment 8500417 [details] [review]
Link to GitHub PR.
Attachment #8500417 - Flags: review?(tarek)
Attachment #8500417 - Flags: review?(alexis+bugs)

Comment on attachment 8500417 [details] [review]
Link to GitHub PR.

r+ing for me and tarek since he's off until wed.
Attachment #8500417 - Flags: review?(tarek)
Attachment #8500417 - Flags: review?(alexis+bugs)
Attachment #8500417 - Flags: review+

https://github.com/mozilla-services/loop-server/commit/139b96474511560471bc998602459c6deb401698
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Whiteboard: [qa+]

Part of 0.12.4/0.12.5

Version 0.12.5 is out in Stage and in Prod.
Status: RESOLVED → VERIFIED