This is very much like bug 925835 but is to ensure that the API cannot do anything nasty to a shared account unless its the person who owns it. I'm sure its fine, but just to check can we just ensure that things like: http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#delete--api-v1-payments-account-%28int-id%29- Can't happen.
Assignee: nobody → amckay
Target Milestone: --- → 2013-10-28
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Can you please add some STRs to this bug or mark it as [qa-] ?
1. As user X create a payment account using developer tools. 2. Make the payment account shared (you will need someone with db access to do this and flip the switch). 3. As user Y assign the payment account to your app using developer tools. 4. Try to delete the payment account as user Y using the API mentioned in comment #0. It should fail.
You need to log in before you can comment on or make changes to this bug.