This repository has been archived by the owner on Mar 28, 2019. It is now read-only.

Collections in ProtectedResource are always isolated by user #549

Closed
leplatrem opened this issue Nov 4, 2015 · 0 comments
Comments

@leplatrem

Source: #543 (comment)

Create a record that everyone can read:

echo '{"data": {"name": "haha"}, "permissions": {"read": ["system.Everyone"]}}' | http post http://localhost:8888/v0/psilos Origin:http://localhost:3000 --auth='boff:'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff
Content-Length: 228
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:54:36 GMT
Server: waitress

{
    "data": {
        "edible": true, 
        "id": "1f98ea4f-9ea0-4ee7-911f-8a4d20a80d22", 
        "last_modified": 1446634476086
    }, 
    "permissions": {
        "read": [
            "system.Everyone"
        ], 
        "write": [
            "basicauth:6ed95f2dc094706c11c28f35c4883c834b31367f774803e3c406dfeeb91ff86e"
        ]
    }
}

BUG: It is not available to others:

http get http://localhost:8888/v0/psilos Origin:http://localhost:3000 --auth='boff:dd'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length, Expires, Alert, Retry-After, Last-Modified, Total-Records, ETag, Pragma, Cache-Control, Backoff, Next-Page
Content-Length: 11
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:54:40 GMT
Etag: "1446634480636"
Last-Modified: Wed, 04 Nov 2015 10:54:40 GMT
Server: waitress
Total-Records: 0

{
    "data": []
}
http get http://localhost:8888/v0/psilos/1f98ea4f-9ea0-4ee7-911f-8a4d20a80d22 Origin:http://localhost:3000 --auth='boff:dd'
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length, Expires, Alert, Retry-After, Last-Modified, ETag, Pragma, Cache-Control, Backoff
Content-Length: 110
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:49:03 GMT
Server: waitress

{
    "code": 404, 
    "errno": 111, 
    "error": "Not Found", 
    "message": "The resource your are looking for could not be found."
}

The 404 here is a hint. If it were a matter of permissions, it should be 403.

The 404 indicates that the user has the permission to read it, but the record is not found.

It is because the ProtectedResource code does not override the base get_parent_id() method. This one is in charge of isolating collections by user in the base class. In protected resource, it should return a constant value to make sure the collection content is not isolated by user.
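The following is an added illustrative model of the behaviour described above, not Cliquet's own code: records are stored under `(collection, parent_id)`, the permission check runs before the lookup, and the only difference between the two resource classes is whether `get_parent_id()` is overridden. All names, the record id `rec-1` and the `basicauth:boff` / `basicauth:other` principals are constructed for the example.

```python
# Illustrative model of the issue (added here; not Cliquet's own code).
# Permission check first (403), then lookup in the caller's shard (404).

class Storage:
    def __init__(self):
        self.records = {}  # (collection, parent_id) -> {record_id: data}

    def create(self, collection, parent_id, record_id, data):
        self.records.setdefault((collection, parent_id), {})[record_id] = data

    def get(self, collection, parent_id, record_id):
        return self.records.get((collection, parent_id), {}).get(record_id)


class BaseResource:
    def __init__(self, storage, perms, user_id):
        self.storage, self.perms, self.user_id = storage, perms, user_id

    def get_parent_id(self):
        return self.user_id  # base behaviour: one shard per user

    def create(self, record_id, data, read_principals):
        # Creator keeps access; "read" is whatever the client asked for.
        self.perms[record_id] = set(read_principals) | {self.user_id}
        self.storage.create("psilos", self.get_parent_id(), record_id, data)
        return 201

    def get(self, record_id):
        allowed = self.perms.get(record_id, set())
        if not allowed & {self.user_id, "system.Everyone"}:
            return 403  # a genuine permission problem looks like this
        if self.storage.get("psilos", self.get_parent_id(), record_id) is None:
            return 404  # allowed, but looking in the caller's own shard
        return 200


class BuggyProtectedResource(BaseResource):
    """No get_parent_id() override: shared records stay isolated by user."""


class FixedProtectedResource(BaseResource):
    def get_parent_id(self):
        return ""  # constant parent id: the whole collection is shared


def read_as_other_user(resource_cls, read_principals=("system.Everyone",)):
    """boff creates a record; a different user then tries to GET it."""
    storage, perms = Storage(), {}  # constructed, in-memory backends
    boff = resource_cls(storage, perms, "basicauth:boff")
    other = resource_cls(storage, perms, "basicauth:other")
    boff.create("rec-1", {"name": "haha"}, read_principals)
    return other.get("rec-1")
```

With the buggy class the second user gets 404 even though `system.Everyone` may read the record; with the fix they get 200, and a record without `system.Everyone` in its read principals still yields 403 for both classes.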

@leplatrem leplatrem added the bug label Nov 4, 2015
@leplatrem leplatrem self-assigned this Nov 4, 2015
Natim added a commit that referenced this issue Nov 4, 2015
…ted-resource

Fix sharing records with ProtectedResource (fixes #549)
Natim added a commit that referenced this issue Nov 10, 2015
…ted-resource

Fix sharing records with ProtectedResource (fixes #549)
glasserc pushed a commit that referenced this issue May 20, 2016
Strip internal fields before validating JSON schema (fixes #549)