This repository has been archived by the owner. It is now read-only.

Collections in ProtectedResource are always isolated by user #549

Closed
leplatrem opened this issue Nov 4, 2015 · 0 comments

Comments

@leplatrem
Contributor

commented Nov 4, 2015

Source: #543 (comment)

Create a record that everyone can read:

echo '{"data": {"name": "haha"}, "permissions": {"read": ["system.Everyone"]}}' | http post http://localhost:8888/v0/psilos Origin:http://localhost:3000 --auth='boff:'
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff
Content-Length: 228
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:54:36 GMT
Server: waitress

{
    "data": {
        "edible": true, 
        "id": "1f98ea4f-9ea0-4ee7-911f-8a4d20a80d22", 
        "last_modified": 1446634476086
    }, 
    "permissions": {
        "read": [
            "system.Everyone"
        ], 
        "write": [
            "basicauth:6ed95f2dc094706c11c28f35c4883c834b31367f774803e3c406dfeeb91ff86e"
        ]
    }
}

BUG: It is not available to others:

http get http://localhost:8888/v0/psilos Origin:http://localhost:3000 --auth='boff:dd'
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length, Expires, Alert, Retry-After, Last-Modified, Total-Records, ETag, Pragma, Cache-Control, Backoff, Next-Page
Content-Length: 11
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:54:40 GMT
Etag: "1446634480636"
Last-Modified: Wed, 04 Nov 2015 10:54:40 GMT
Server: waitress
Total-Records: 0

{
    "data": []
}
http get http://localhost:8888/v0/psilos/1f98ea4f-9ea0-4ee7-911f-8a4d20a80d22 Origin:http://localhost:3000 --auth='boff:dd'
HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length, Expires, Alert, Retry-After, Last-Modified, ETag, Pragma, Cache-Control, Backoff
Content-Length: 110
Content-Type: application/json; charset=UTF-8
Date: Wed, 04 Nov 2015 10:49:03 GMT
Server: waitress

{
    "code": 404, 
    "errno": 111, 
    "error": "Not Found", 
    "message": "The resource your are looking for could not be found."
}

The 404 here is a hint. If it were a matter of permissions, the response would be a 403.

The 404 means the user is allowed to read the record, but the record cannot be found in the collection being queried.

This is because the ProtectedResource code does not override the base get_parent_id() method, which is what isolates collections by user in the base class. In ProtectedResource, it should return a constant value so that the collection content is not isolated by user.
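To show why an inherited get_parent_id() produces a 404 rather than a 403, here is a simplified model written for this note (it is not cliquet's own code; Storage, BaseResource, BuggyProtectedResource, FixedProtectedResource and share_then_read are hypothetical stand-ins for the real classes):

```python
# Added, simplified model of cliquet's per-user isolation (not the project's
# code): storage keys records by (parent_id, collection_id, record_id), and the
# base resource derives parent_id from the user, so each user sees only theirs.
from itertools import count

EVERYONE = "system.Everyone"

class Storage:
    def __init__(self):
        self.records = {}  # (parent_id, collection_id, record_id) -> (data, perms)
        self._ids = count(1)

    def create(self, parent_id, collection_id, data, permissions):
        record_id = str(next(self._ids))
        self.records[(parent_id, collection_id, record_id)] = (data, permissions)
        return record_id

class BaseResource:
    collection_id = "psilos"

    def __init__(self, storage, user_id):
        self.storage, self.user_id = storage, user_id

    def get_parent_id(self):
        return self.user_id  # base class: every user gets a private collection

    def post(self, data, permissions):
        perms = {"read": list(permissions.get("read", [])), "write": [self.user_id]}
        return self.storage.create(self.get_parent_id(), self.collection_id, data, perms)

    def get(self, record_id):
        # HTTP-like status: 404 when absent from this parent, 403 when forbidden
        found = self.storage.records.get((self.get_parent_id(), self.collection_id, record_id))
        if found is None:
            return 404
        _, perms = found
        allowed = self.user_id in perms["read"] + perms["write"] or EVERYONE in perms["read"]
        return 200 if allowed else 403

class BuggyProtectedResource(BaseResource):
    pass  # inherits the user-scoped get_parent_id(): the bug in this issue

class FixedProtectedResource(BaseResource):
    def get_parent_id(self):
        return ""  # constant: collection content is no longer isolated by user

def share_then_read(resource_cls, owner="boff", other="bob", read=(EVERYONE,)):
    # owner creates a record with the given read permissions, other tries to read it
    storage = Storage()
    record_id = resource_cls(storage, owner).post({"name": "haha"}, {"read": read})
    return resource_cls(storage, other).get(record_id)
```

With the buggy class the second user looks the record up under their own parent_id and gets 404 even though it is readable by system.Everyone; with the constant parent_id the lookup succeeds and only the permission check decides between 200 and 403.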

@leplatrem leplatrem added the bug label Nov 4, 2015

@leplatrem leplatrem self-assigned this Nov 4, 2015

@leplatrem leplatrem closed this in d88a4f5 Nov 4, 2015

Natim added a commit that referenced this issue Nov 4, 2015
Merge pull request #550 from mozilla-services/549-fix-isolated-protec…
…ted-resource

Fix sharing records with ProtectedResource (fixes #549)

@leplatrem leplatrem removed the in progress label Nov 4, 2015

Natim added a commit that referenced this issue Nov 10, 2015
Merge pull request #550 from mozilla-services/549-fix-isolated-protec…
…ted-resource

Fix sharing records with ProtectedResource (fixes #549)
glasserc pushed a commit that referenced this issue May 20, 2016
Merge pull request #554 from Kinto/549-strip-fields
Strip internal fields before validating JSON schema (fixes #549)