Closed Bug 1237702 Opened 5 years ago Closed 5 years ago

Write a test for the permissions checking of our ldap association endpoint

Categories

(MozReview Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: smacleod, Assigned: smacleod)

Details

Attachments

(1 file)

https://reviewboard.mozilla.org/r/28445 concerns me - we should make sure we have a test that checks a user cannot associate ldap email addresses with their own account, or other accounts, unless they have the special permission.
It concerned me too. At one point I had a security bug half filed. But debug logging seemed to indicate there is no security issue. We should still add the tests though.
https://reviewboard.mozilla.org/r/28445 reminded me we don't actually
have tests that make sure random users cannot change ldap associations.
I've added tests for an unprivileged user changing their own ldap
association, as well as changing another user's.

Review commit: https://reviewboard.mozilla.org/r/29915/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/29915/
Attachment #8705273 - Flags: review?(gps)
Attachment #8705273 - Flags: review?(gps) → review+
Comment on attachment 8705273 [details]
MozReview Request: mozreview: test security of ldap assocations (Bug 1237702). r?gps

https://reviewboard.mozilla.org/r/29915/#review26727

Bonus points if you add tests for an unauthenticated request.

::: hgext/reviewboard/tests/test-ldap-association.t:65
(Diff revision 1)
> +  $ mozreview create-user user2@example.com password 'User Two [:user2]' --uid 2001 --scm-level 1

Please use a unique password. The sharing of "password" caused me all kinds of grief tracking down issues with other tests.
Comment on attachment 8705273 [details]
MozReview Request: mozreview: test security of ldap assocations (Bug 1237702). r?gps

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/29915/diff/1-2/
autolanded
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: Developer Services → MozReview