|
Return-Path: <rbarlow@redhat.com>
|
|
Received: from mi024.mc1.hosteurope.de ([80.237.138.231]) by wp245.webpack.hosteurope.de running ExIM with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) id 1YXY4n-0000g2-Nj; Mon, 16 Mar 2015 17:41:13 +0100
|
|
Received: from mx1.redhat.com ([209.132.183.28]) by mx0.webpack.hosteurope.de (mi024.mc1.hosteurope.de) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) id 1YXY4m-0004k9-PC for dropbox+pulp+c71e@plan.io; Mon, 16 Mar 2015 17:41:13 +0100
|
|
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t2GGf8g6006716 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <dropbox+pulp+c71e@plan.io>; Mon, 16 Mar 2015 12:41:08 -0400
|
|
Received: from where.usersys.redhat.com (ovpn-113-56.phx2.redhat.com [10.3.113.56]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t2GGf6S2028522 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <dropbox+pulp+c71e@plan.io>; Mon, 16 Mar 2015 12:41:07 -0400
|
|
Date: Mon, 16 Mar 2015 12:41:06 -0400
|
|
From: Randy Barlow <rbarlow@redhat.com>
|
|
To: Pulp <dropbox+pulp+c71e@plan.io>
|
|
Message-ID: <550707A2.5080506@redhat.com>
|
|
In-Reply-To: <redmine.journal-2198.20150316155233.21faaa35b299acb2@plan.io>
|
|
References: <redmine.issue-761.20150315182455@plan.io>
|
|
<redmine.journal-2198.20150316155233.21faaa35b299acb2@plan.io>
|
|
Subject: Re: [Pulp - Issue #761] Pulp allows "search" as a user's login ID
|
|
Mime-Version: 1.0
|
|
Content-Type: text/plain;
|
|
charset=utf-8
|
|
Content-Transfer-Encoding: quoted-printable
|
|
Delivery-date: Mon, 16 Mar 2015 17:41:13 +0100
|
|
Organization: Red Hat, Inc.
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
|
|
Thunderbird/31.5.0
|
|
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
|
|
X-HE-Spam-Level: ----------
|
|
X-HE-Spam-Score: -10.0
|
|
X-HE-Spam-Report: Content analysis details: (-10.0 points) pts rule name
|
|
description ---- ----------------------
|
|
-------------------------------------------------- -5.0 RCVD_IN_DNSWL_HI RBL:
|
|
Sender listed at http://www.dnswl.org/, high trust [209.132.183.28 listed in
|
|
list.dnswl.org] -5.0 PGP_MESSAGE RAW: Contains a PGP signed or encrypted
|
|
message
|
|
X-HE-SPF: PASSED
|
|
Envelope-to: dropbox+pulp+c71e@plan.io
|
|
|
|
On 03/16/2015 11:52 AM, bmbouter wrote:
|
|
> You're right it is worse then that. Is the fix for this issue to
|
|
> disallow 'search' as a user's login ID in the API? What about the CLI?
|
|
> Also how does the fix for this similar or different from a fix needed
|
|
> for #760 <https://pulp.plan.io/issues/760>?
|
|
|
|
I think the fix is either to change the URL structure (which requires
|
|
waiting until 3.0.0, or to disallow "search" as the user's login ID
|
|
until then. I don't feel strongly one way or the other, but I wanted to
|
|
at least document the issue via a ticket.
|
|
|
|
#760 is not really related to this. I did try to create a user named
|
|
"search" as an example there, but it turns out that no user of any name
|
|
can be created. I mentioned it here because I was unable to verify for
|
|
sure that it was true that a user named "search" can be created. After
|
|
reviewing some code, I do believe it's possible, but I wanted to just
|
|
try it to find out.
|
|
> --- Please write your response above this line ---
|
|
> =
|
|
|
|
> Issue #761 has been updated by bmbouter.
|
|
> =
|
|
|
|
> rbarlow wrote:
|
|
> =
|
|
|
|
> Agreed, I hinted at this in my comment.
|
|
> =
|
|
|
|
> Indeed you did. I created #763 <https://pulp.plan.io/issues/763> so tha=
|
|
t
|
|
> we could track that broader effort and set backwards incompatible =3D T=
|
|
rue.
|
|
> =
|
|
|
|
> I believe it's worse than that - if we reorder the URLs, it will be=
|
|
|
|
> impossible to search regardless of whether a user named search exis=
|
|
ts,
|
|
> as "search" will always match as a user ID, and then the View for
|
|
> dealing with individual users will always be used.
|
|
> =
|
|
|
|
> You're right it is worse then that. Is the fix for this issue to
|
|
> disallow 'search' as a user's login ID in the API? What about the CLI?
|
|
> Also how does the fix for this similar or different from a fix needed
|
|
> for #760 <https://pulp.plan.io/issues/760>?
|
|
> =
|
|
|
|
> -----------------------------------------------------------------------=
|
|
-
|
|
> =
|
|
|
|
> =
|
|
|
|
> Issue #761: Pulp allows "search" as a user's login ID
|
|
> <https://pulp.plan.io/issues/761#change-2198>
|
|
> =
|
|
|
|
> * Author: rbarlow
|
|
> * Status: NEW
|
|
> * Priority: Normal
|
|
> * Assignee:
|
|
> * Category: API
|
|
> * Sprint/Milestone:
|
|
> * Severity: Medium
|
|
> * Triaged: No
|
|
> * Target Release:
|
|
> * Backwards Incompatible: No
|
|
> * Tags: Easy Fix
|
|
> * Version: Master
|
|
> * QA Contact:
|
|
> * Bugzilla: =
|
|
|
|
> =
|
|
|
|
> I noticed that we have a problem with our REST interface's URL
|
|
> structure. In our urls.py, the following two lines are present:
|
|
> =
|
|
|
|
> | url(r'^v2/users/search/$', users.UserSearchView.as_view(),
|
|
> name=3D'user_search'),
|
|
> url(r'^v2/users/(?P<login>[^/]+)/$', users.UserResourceView.as_view=
|
|
(), name=3D'user_resource')
|
|
> |
|
|
> =
|
|
|
|
> If there were a user named "search", it would be impossible to retrieve=
|
|
|
|
> that user because the first URL would match and it would be assumed tha=
|
|
t
|
|
> the REST call was requesting a search, rather than a user named "search=
|
|
".
|
|
> =
|
|
|
|
> However, I did not see anything in our user creation code preventing a
|
|
> user named "search" from being created. However, I was unable to test
|
|
> this, due to #760 <https://pulp.plan.io/issues/760>.
|
|
> =
|
|
|
|
> -----------------------------------------------------------------------=
|
|
-
|
|
> =
|
|
|
|
> You have received this notification because you have either subscribed
|
|
> to or are involved in a project on Pulp Planio.
|
|
> To change your notification preferences, please click here:
|
|
> https://pulp.plan.io/my/account
|
|
> =
|
|
|
|
> =
|
|
|
|
> =
|
|
|
|
> This notification was cheerfully delivered by <https://plan.io/>
|
|
> =
|
|
|
|
> Planio <https://plan.io/>
|
|
> =
|
|
|
|
|
|
|
|
-- =
|
|
|
|
Randy Barlow
|