Closed Bug 1121244 Opened 9 years ago Closed 9 years ago

Ensure unlisted add-ons are not accessible by the public

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED
2015-05

People

(Reporter: clouserw, Assigned: magopian)


Unlisted add-ons shouldn't be visible anywhere publicly.  No search, no deeplinking to a reviews page, no changing the URL to view the statistics, only a 404 response for an update request, etc.  Once development is confident please close this bug to let QA poke.
Blocks: 1122114
PR: https://github.com/mozilla/olympia/pull/479
Assignee: nobody → mathieu
Target Milestone: --- → 2015-04
The task was too big to do in one PR, so this bug is also going to be the tracking bug for all the sub-tasks.
Depends on: 1144676
Depends on: 1144685
Depends on: 1144688
Depends on: 1144708
Depends on: 1144711
Fixed in https://github.com/mozilla/olympia/commit/1a771ec3d20a5d78e149f39ddf484b4fa27dc98c
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: 2015-04 → 2015-05
I did manage to load an unlisted addon review page (Logs-Addon Review Log->clicked approve/reject; if I click the addon name, nothing happens), but I'm not sure if this is intended or not?
Please see the screencast: http://screencast.com/t/9PKZ57i9G9
Flags: needinfo?(mathieu)
If you are allowed to display the review page the "standard" way (because you are an unlisted reviewer), then yes it's normal that you can access it via the review log.
Flags: needinfo?(mathieu)
(In reply to Mathieu Agopian [:magopian] from comment #5)
> If you are allowed to display the review page the "standard" way (because
> you are an unlisted reviewer), then yes it's normal that you can access it
> via the review log.

If I am a normal user (without admin rights) I cannot access Editor Tools at all, so there is no chance to access the Addon Review Log for unlisted (or listed) addons.

I've verified as fixed on AMO-dev FF38 (Win 7), according to comment #0: searching the unlisted addon (using the account used to create the addon), accessing the statistics of the unlisted addon using a direct URL, same for any review page, and no trace of the unlisted addon.

Postfix screencast: http://screencast.com/t/BVIjSfy8L

If there is anything else that should be checked, please add other STR.
If not, I'll close the issue.
Flags: needinfo?(mathieu)
I think that's all there is to test on this subject.
Flags: needinfo?(mathieu)
Closing bug.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard