steps to reproduce:
1. Submit a packaged app
2. Reject this app from the Reviewer tools
3. Try to download the app from its Manage Status page - https://marketplace-dev.allizom.org/developers/app/test-app-subdomain-4/status
4. Load https://marketplace-dev.allizom.org/reviewers/apps/review/test-app-subdomain-4 and click to view the Contents

expected behavior:
Reviewers and developers can still see/download a rejected app

observed behavior:
We don't allow this anymore. This used to work.
I tried to reproduce locally but couldn't. Which role can't download the file? The author? The reviewer? Perhaps admins can and that's why it's working for me locally?
The file doesn't appear to be on the file system:

>>> from apps.files.models import File
>>> f = File.objects.get(pk=185395)
>>> f.file_path
u'/mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip'

$ ls /mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip
ls: cannot access /mnt/netapp_amo_dev/addons-dev.allizom.org/files/415223/test-app-subdomain-4-1.0.zip: No such file or directory
(In reply to Rob Hudson [:robhudson] from comment #1)
> I tried to reproduce locally but couldn't.
>
> Which role can't download the file? The author? The reviewer? Perhaps admins
> can and that's why it's working for me locally?

I tried as an admin, reviewer and developer.
Why are we giving developers access to apps that have been explicitly rejected?
(In reply to Matt Basta [:basta] from comment #4)
> Why are we giving developers access to apps that have been explicitly
> rejected?

....why wouldn't we? They are the ones that uploaded them.
If you uploaded your package and then immediately deleted your source code and you don't have a backup, then that sounds a lot like a really low priority issue. We also shouldn't be encouraging developers to take their rejected packages, unzip them, fix the issues, and submit them back to us. We should be encouraging them to use version control, have clean build processes, and be mindful of the changes they make. Plus, there's a whole host of pitfalls that could happen along the way: they forget to remove the signature directory (validation error), they introduce hidden files (validation warning, iirc), file encodings change, two files with the same name in the zip (potentially a validation error depending on how they do it). On top of that, it increases our attack surface area. If we're hosting rejected packages, all it takes is one bug in the way we grant access to those packages for someone to start linking to them remotely and distributing signed (!) malware from our servers. Also note that other app stores don't let you download your rejected submissions (partly because they're useless binary blobs) for precisely these reasons.
(In reply to Matt Basta [:basta] from comment #6)
> On top of that, it increases our attack surface area. If we're hosting
> rejected packages, all it takes is one bug in the way we grant access to
> those packages for someone to start linking to them remotely and
> distributing signed (!) malware from our servers.

The downloads should never link to the signed packages (and if the app was rejected it didn't get signed). The intention was always to link to the original uploaded zip file, which we keep separate from the publicly signed app and the reviewer signed app.
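The access rule described in this comment, as an added example that is not Marketplace code: a resolver that serves the original upload of a rejected app only to its author, reviewers and admins, never a signed artifact, and reports a file that is absent from disk (the situation in comment #2) separately from a denied request. The Status and Role enums, the PackageFiles record, the injectable `exists` check and all paths are assumptions for this example.

```python
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    PENDING = "pending"
    PUBLIC = "public"
    REJECTED = "rejected"


class Role(Enum):
    ANONYMOUS = "anonymous"
    DEVELOPER = "developer"   # an author of this app
    REVIEWER = "reviewer"
    ADMIN = "admin"


@dataclass
class PackageFiles:
    """The three artifacts the comment distinguishes (assumed layout)."""
    original_upload: str
    reviewer_signed: Optional[str] = None
    public_signed: Optional[str] = None


DENIED = "denied"
MISSING = "missing"


def resolve_download(status: Status, role: Role, files: PackageFiles,
                     exists: Callable[[str], bool] = os.path.exists) -> str:
    """Pick which artifact (if any) to serve and confirm it is on disk.

    Returns a path, DENIED, or MISSING. `exists` is injectable so the
    missing-file case can be exercised without touching a real filesystem.
    """
    if role is Role.ANONYMOUS:
        # The public only ever gets the publicly signed package of a public app.
        path = files.public_signed if status is Status.PUBLIC else None
    elif status is Status.REJECTED:
        # A rejected app was never signed: only the original upload may be served,
        # and only to the author, reviewers and admins (everyone reaching here).
        path = files.original_upload
    elif role in (Role.REVIEWER, Role.ADMIN):
        # Reviewers inspect the reviewer-signed copy when one exists.
        path = files.reviewer_signed or files.original_upload
    else:
        path = files.original_upload
    if path is None:
        return DENIED
    return path if exists(path) else MISSING
```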
Thanks for filing, but we don't think this is something we are concerned with fixing.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX
Created attachment 8484744 [details]
error.png

Even the download status of the apps in the marketplace cannot be seen in the new version of the marketplace... please reopen this bug. Check the screenshots.
That's unrelated to this bug (and I'm pretty sure is in a fix going out this week or next, but I don't have the bug number)