Closed Bug 1237702 Opened 5 years ago Closed 5 years ago
Write a test for the permissions checking of our ldap association endpoint
https://reviewboard.mozilla.org/r/28445 concerns me - we should make sure we have a test that checks a user cannot associate ldap email addresses with their own account, or other accounts, unless they have the special permission.
It concerned me too. At one point I had a security bug half filed. But debug logging seemed to indicate there is no security issue. We should still add the tests though.
https://reviewboard.mozilla.org/r/28445 reminded me we don't actually have tests that make sure random users cannot change ldap associations. I've added tests for an unprivileged user changing their own ldap association, as well as changing another user's.
Review commit: https://reviewboard.mozilla.org/r/29915/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/29915/
Attachment #8705273 - Flags: review?(gps)
Comment on attachment 8705273 MozReview Request: mozreview: test security of ldap associations (Bug 1237702). r?gps
https://reviewboard.mozilla.org/r/29915/#review26727
Bonus points if you add tests for an unauthenticated request.
::: hgext/reviewboard/tests/test-ldap-association.t:65 (Diff revision 1)
> + $ mozreview create-user email@example.com password 'User Two [:user2]' --uid 2001 --scm-level 1
Please use a unique password. The sharing of "password" caused me all kinds of grief tracking down issues with other tests.
Comment on attachment 8705273 MozReview Request: mozreview: test security of ldap associations (Bug 1237702). r?gps
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29915/diff/1-2/
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
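The permission matrix discussed in this bug (a privileged user, an unprivileged user changing their own or another user's association, and the unauthenticated request suggested in review), as an added example that is not MozReview's code. The `User`, `AssociationStore` and `PERM` names, the status codes and the sample addresses are assumptions; each case records both the returned status and whether stored data changed, since a denial that still writes is the failure these tests exist to catch.

```python
from dataclasses import dataclass, field

PERM = "change_ldap_association"  # hypothetical permission name


@dataclass(frozen=True)
class User:
    name: str
    perms: frozenset = frozenset()


@dataclass
class AssociationStore:
    # Hypothetical stand-in for the endpoint and its backing data.
    ldap_by_user: dict = field(default_factory=dict)

    def put(self, requester, target, ldap_email):
        """Return an HTTP-style status; write only when returning 200."""
        if requester is None:
            return 401  # unauthenticated request
        # Only the special permission authorizes a change; being the
        # target yourself (requester.name == target) is not sufficient.
        if PERM not in requester.perms:
            return 403
        self.ldap_by_user[target] = ldap_email
        return 200


def run_matrix():
    """Return {case: (status, state_changed)} for each requester/target pair."""
    admin = User("admin", frozenset({PERM}))
    user1 = User("user1")
    cases = {
        "privileged_sets_other": (admin, "user1"),
        "unprivileged_sets_self": (user1, "user1"),
        "unprivileged_sets_other": (user1, "user2"),
        "unauthenticated": (None, "user1"),
    }
    results = {}
    for label, (requester, target) in cases.items():
        # Constructed sample data, rebuilt per case so cases stay independent.
        store = AssociationStore({"user1": "user1@ldap.example",
                                  "user2": "user2@ldap.example"})
        before = dict(store.ldap_by_user)
        status = store.put(requester, target, "changed@ldap.example")
        results[label] = (status, store.ldap_by_user != before)
    return results
```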