Lock down API for shared accounts

RESOLVED FIXED in 2013-10-28

Status

Marketplace
Payments/Refunds
P3
normal
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: andym, Assigned: andym)

Tracking

2013-10-28
x86
Mac OS X
Points:
---

Details

(Assignee)

Description

4 years ago
This is very much like bug 925835 but is to ensure that the API cannot do anything nasty to a shared account unless it's the person who owns it.

I'm sure it's fine, but just to check can we just ensure that things like:

http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#delete--api-v1-payments-account-%28int-id%29-

Can't happen.
(Assignee)

Updated

4 years ago
Priority: -- → P3
(Assignee)

Updated

4 years ago
Assignee: nobody → amckay
Target Milestone: --- → 2013-10-28
(Assignee)

Comment 1

4 years ago
https://github.com/mozilla/zamboni/commit/0a349d8
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED

Comment 2

4 years ago
Can you please add some STRs to this bug or mark it as [qa-] ?
(Assignee)

Comment 3

4 years ago
1. As user X create a payment account using developer tools.
2. Make the payment account shared (you will need someone with db access to do this and flip the switch).
3. As user Y assign the payment account to your app using developer tools.
4. Try to delete the payment account as user Y using the API mentioned in comment #0.

It should fail.
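
The steps in comment 3, modeled as an added example (not zamboni's code and not part of the original bug): a minimal in-memory sketch in which a shared payment account may be assigned to an app by any user but deleted only by its owner. The names `PaymentAccount`, `AccountStore`, `assign_account`, `delete_account`, and `Forbidden` are hypothetical.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stands in for the HTTP 403 a real API layer would return."""


@dataclass
class PaymentAccount:
    id: int
    owner: str            # user who created the account
    shared: bool = False  # flipped out of band (step 2 of the STR)
    apps: dict = field(default_factory=dict)  # app name -> assigning user


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self._next_id = 1

    def create(self, user):
        acct = PaymentAccount(id=self._next_id, owner=user)
        self.accounts[acct.id] = acct
        self._next_id += 1
        return acct

    def assign_account(self, user, account_id, app):
        acct = self.accounts[account_id]
        # Use is allowed for the owner, or for anyone if the account is shared.
        if acct.owner != user and not acct.shared:
            raise Forbidden("not owner and account is not shared")
        acct.apps[app] = user

    def delete_account(self, user, account_id):
        acct = self.accounts[account_id]
        # Destructive operations check ownership only: `shared` grants the
        # right to use the account, never to modify or remove it.
        if acct.owner != user:
            raise Forbidden("only the owner may delete a payment account")
        del self.accounts[account_id]


def run_str():
    """Replay comment 3; returns (assigned, delete_blocked, still_exists)."""
    store = AccountStore()
    acct = store.create("user_x")                    # step 1
    acct.shared = True                               # step 2
    store.assign_account("user_y", acct.id, "app")   # step 3
    try:
        store.delete_account("user_y", acct.id)      # step 4
        blocked = False
    except Forbidden:
        blocked = True
    return acct.apps.get("app") == "user_y", blocked, acct.id in store.accounts
```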