1124437 - Backport upstream bug 1090275 to bmo/4.2 to whitelist webservice api methods

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: API, defect)

Description

[David Lawrence [:dkl]]

SSIA

Comment 1

[:glob ✱]

Attachment: 1124437_1.patch

taking because we need this asap, and dkl is likely to be busy with another upstream release.

Comment 2

[Dylan Hardison [:dylan] (he/him)]

Comment on attachment 8552920 [details] [diff] [review]
1124437_1.patch

Review of attachment 8552920 [details] [diff] [review]:
-----------------------------------------------------------------

r-

Tests pass and disallowed methods are forbidden from running. However, what I missed before is that there is no method bz_method_name() -- it is spelled _bz_method_name()
so this fails for the entirely wrong reason. And then there's ThrowCoreError instead of ThrowCodeError.

::: Bugzilla/WebService/Server/JSONRPC.pm
@@ +417,5 @@
>      }
>  
> +    # Only allowed methods to be used from our whitelist
> +    if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
> +        ThrowCoreError('unknown_method', { method => $self->bz_method_name });

Interesting typo here.

Comment 3

[David Lawrence [:dkl]]

Sorry bout this. I had actually done the work last night but I had to stop before I had finished testing everything. Thanks for taking it up.

Comment 4

[:glob ✱]

Attachment: 1124437_2.patch

oops :)

Comment 5

[Dylan Hardison [:dylan] (he/him)]

Comment on attachment 8553559 [details] [diff] [review]
1124437_2.patch

Review of attachment 8553559 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

with the note that I haven't exhaustively called every method. I did spot check and compare the public methods to the apparent public methods of the classes (especially in the case of extensions)

Comment 6

[:glob ✱]

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   cd92366..a748745  master -> master