Issue #761
closed
Pulp allows "search" as a user's login ID
Description
Redux of comments: The fix for this should be to disallow the user "search" from being created in the API, and to add a doc note in the authentication section about 'search' being disallowed as a username. I think having the API error is enough; the bindings and CLI should just show that error as a normal server-side Pulp error.
Original report from rbarlow:
I noticed that we have a problem with our REST interface's URL structure. In our urls.py, the following two lines are present:
    url(r'^v2/users/search/$', users.UserSearchView.as_view(),
        name='user_search'),
    url(r'^v2/users/(?P<login>[^/]+)/$', users.UserResourceView.as_view(), name='user_resource')
If there were a user named "search", it would be impossible to retrieve that user because the first URL would match and it would be assumed that the REST call was requesting a search, rather than a user named "search".
However, I did not see anything in our user creation code preventing a user named "search" from being created. However, I was unable to test this, due to #760.
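The shadowing described in the report and the creation-time check proposed in the description, as an added example (not Pulp's code). It uses plain `re` in place of Django's resolver, and `InvalidLogin`, `resolve`, `is_addressable` and `validate_login` are hypothetical names. It goes slightly beyond the literal "search" case: any login whose resource URL does not resolve back to `user_resource` is rejected, which would also cover literal sibling routes added later.

```python
import re

# The two patterns quoted from urls.py above, in the same order. Django tries
# patterns top to bottom and dispatches to the first match; resolve() models that.
ROUTES = [
    (re.compile(r'^v2/users/search/$'), 'user_search'),
    (re.compile(r'^v2/users/(?P<login>[^/]+)/$'), 'user_resource'),
]


class InvalidLogin(ValueError):
    """Hypothetical error type; Pulp's real exception class is not shown on the page."""


def resolve(path):
    """Return (route_name, kwargs) for the first matching pattern, or None."""
    for pattern, name in ROUTES:
        match = pattern.match(path)
        if match:
            return name, match.groupdict()
    return None


def is_addressable(login):
    """True if v2/users/<login>/ would reach user_resource for exactly this login."""
    return resolve('v2/users/%s/' % login) == ('user_resource', {'login': login})


def validate_login(login):
    """Reject at creation time any login whose resource URL is shadowed or unroutable."""
    if not is_addressable(login):
        raise InvalidLogin('%r cannot be used as a login' % login)
    return login


if __name__ == '__main__':
    # Constructed sample logins, not taken from a real Pulp installation.
    for candidate in ('rbarlow', 'search', 'searcher', 'a/b'):
        print(candidate, resolve('v2/users/%s/' % candidate), is_addressable(candidate))
```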