Closed
Bug 925842
Opened 11 years ago
Closed 11 years ago
Lock down API for shared accounts
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
2013-10-28
People
(Reporter: andy+bugzilla, Assigned: andy+bugzilla)
Details
This is very much like bug 925835 but is to ensure that the API cannot do anything nasty to a shared account unless it's the person who owns it. I'm sure it's fine, but just to check, can we just ensure that things like http://firefox-marketplace-api.readthedocs.org/en/latest/topics/payment.html#delete--api-v1-payments-account-%28int-id%29- can't happen.
Updated by Assignee • 11 years ago
Priority: -- → P3
Updated by Assignee • 11 years ago
Assignee: nobody → amckay
Target Milestone: --- → 2013-10-28
Comment 1 (Assignee) • 11 years ago
https://github.com/mozilla/zamboni/commit/0a349d8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 2 • 11 years ago
Can you please add some STRs to this bug or mark it as [qa-]?
Comment 3 (Assignee) • 11 years ago
1. As user X create a payment account using developer tools.
2. Make the payment account shared (you will need someone with db access to do this and flip the switch).
3. As user Y assign the payment account to your app using developer tools.
4. Try to delete the payment account as user Y using the API mentioned in comment #0. It should fail.
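An added example, not part of the bug or of zamboni's code: a minimal in-memory model of the owner-only delete check this bug asks for, replaying the steps from comment 3. The class and function names, the user and app names, and the HTTP status codes are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PaymentAccount:
    id: int
    owner: str              # user who created the account
    shared: bool = False    # flipped out of band (step 2 of the STR)
    apps: set = field(default_factory=set)  # apps the account is assigned to


class AccountStore:
    """In-memory stand-in for the payment-account API (hypothetical names)."""

    def __init__(self):
        self._accounts = {}
        self._next_id = 1

    def create(self, user):
        account = PaymentAccount(id=self._next_id, owner=user)
        self._accounts[account.id] = account
        self._next_id += 1
        return account

    def _visible(self, user, account_id):
        # An account is visible to its owner, or to anyone once it is shared.
        account = self._accounts.get(account_id)
        if account and (account.owner == user or account.shared):
            return account
        return None

    def assign_to_app(self, user, account_id, app):
        account = self._visible(user, account_id)
        if account is None:
            return 404  # assumed status: do not reveal unusable accounts
        account.apps.add(app)  # sharing grants use of the account, nothing more
        return 200

    def delete(self, user, account_id):
        account = self._visible(user, account_id)
        if account is None:
            return 404
        if account.owner != user:  # object-level check: owner only, shared or not
            return 403
        del self._accounts[account_id]
        return 204


def replay_str():
    """Replay the steps from comment 3; returns the status of each API call."""
    store = AccountStore()
    account = store.create("user_x")                               # step 1
    account.shared = True                                          # step 2
    assigned = store.assign_to_app("user_y", account.id, "app_y")  # step 3
    denied = store.delete("user_y", account.id)                    # step 4
    return assigned, denied, store.delete("user_x", account.id)
```
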