In https://github.com/mozilla/balrog/pull/218, we added a new endpoint that allows someone to query for the permissions and roles of a named user. Nick correctly pointed out that we should restrict this to admins, and those users who are able to manipulate permissions. I implemented this for the new endpoint as part of that PR, but we should move this enforcement down to the database level to make sure that it is obeyed by all endpoints. We'll need to modiify the interface of AUSTable.select() to do this, because it requires knowing the current user. We already pass this as "changed_by" for insert/update/delete, so we should probably add an arg like that to select().
Varun, are you still planning to look at this?
Unassigning due to inactivity. If you want to pick it up again, feel free to.
Assignee: varunj.1011 → nobody
You need to log in before you can comment on or make changes to this bug.