enforce access to permissions and roles at the database layer

NEW
Unassigned

Status

Release Engineering
Balrog: Backend
P3
normal
a year ago
9 months ago

People

(Reporter: bhearsum, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [lang=python][ready])

(Reporter)

Description

a year ago
In https://github.com/mozilla/balrog/pull/218, we added a new endpoint that allows someone to query for the permissions and roles of a named user. Nick correctly pointed out that we should restrict this to admins, and those users who are able to manipulate permissions. I implemented this for the new endpoint as part of that PR, but we should move this enforcement down to the database level to make sure that it is obeyed by all endpoints.

We'll need to modiify the interface of AUSTable.select() to do this, because it requires knowing the current user. We already pass this as "changed_by" for insert/update/delete, so we should probably add an arg like that to select().
Assignee: nobody → varunj.1011
(Reporter)

Comment 1

11 months ago
Varun, are you still planning to look at this?
Flags: needinfo?(varunj.1011)
(Reporter)

Comment 2

11 months ago
Unassigning due to inactivity. If you want to pick it up again, feel free to.
Assignee: varunj.1011 → nobody
Flags: needinfo?(varunj.1011)
(Reporter)

Updated

9 months ago
Priority: P2 → P3
You need to log in before you can comment on or make changes to this bug.