projects / arvados.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: aae62bd) | patch
8079: Prevent users from looking up other users' tokens by UUID.
authorTom Clegg <tom@curoverse.com>
Fri, 4 Mar 2016 22:30:53 +0000 (17:30 -0500)
committerTom Clegg <tom@curoverse.com>
Mon, 14 Mar 2016 19:05:52 +0000 (15:05 -0400)
commit024e430aececb9017466f4738753d5009124a245
tree2e35e31610eb45532498e33290e4c99f6e266abctree | snapshot
parentaae62bde2b57761995499add1a5799173da2d64dcommit | diff
8079: Prevent users from looking up other users' tokens by UUID.

Previous code was allowing any user logging in through a "trusted
client" (typically Workbench) to retrieve the secret token for any
ApiClientAuthorization whose UUID is known.  This won't be acceptable
when Container records start including those UUIDs.

Also added permission for any user to update (e.g., change expiration)
and delete their current token, even if the token wasn't assigned
through a "trusted client".
services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb diff | blob | history
services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb diff | blob | history