Can't remove authorised oauth tokens

Bug #511567 reported by Peter Clifton
This bug affects 7 people
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

I have bughugger authorised as an application which can access launchpad on my behalf.

Out of curiosity, I tried to remove its authorisation from launchpad:

(Button on this page: https://edge.launchpad.net/~pcjc2/+oauth-tokens )

This links to this page:
https://edge.launchpad.net/~pcjc2/+oauth-tokens

And I get the following error:

Not allowed here
Sorry, you don't have permission to access this page.

You are logged in as Peter Clifton.


Curtis Hovey (sinzui)
affects: launchpad → launchpad-foundations
Curtis Hovey (sinzui) wrote :

I get
    Unauthorized: (<OAuthAccessToken at 0xde96b90>, 'date_expires', 'launchpad.Edit')

I can see that the permissions are
    <require
          permission="launchpad.Edit"
          set_schema="canonical.launchpad.interfaces.IOAuthAccessToken"/>

I can see the definition of EditOAuthAccessToken to be
    return self.obj.person == user or user.in_admin

Maybe the interface inheritance is bad: IOAuthToken < IOAuthAccessToken?

Changed in launchpad-foundations:
importance: Undecided → Critical
milestone: none → 10.01
status: New → Triaged
Max Bowsher (maxb)
summary: - Can't remove authorised app
+ Can't remove authorised oauth tokens
Diogo Matsubara (matsubara) wrote :

Why is this critical, Curtis?

Changed in launchpad-foundations:
milestone: 10.01 → 10.02
Changed in launchpad-foundations:
importance: Critical → High
assignee: nobody → Curtis Hovey (sinzui)
Curtis Hovey (sinzui) wrote :

Hi Diogo.

I marked it as critical because there is no way to disable a destructive script that is in the wild.

I do not have time to work on this; my team's work is more critical.

Changed in launchpad-foundations:
assignee: Curtis Hovey (sinzui) → nobody
Curtis Hovey (sinzui) wrote :

The security checker was broken recently:
    return self.obj.person == user or user.in_admin
should be
    return self.obj.person == user.person or user.in_admin

The tests passed because the user salgado is an admin.

Changed in launchpad-foundations:
assignee: nobody → Curtis Hovey (sinzui)
status: Triaged → In Progress
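
The regression described in the comment above can be reproduced in isolation. This is an added example, not Launchpad's code: `Person`, `UserRoles`, `Token`, the `check` method and `permission_matrix` are hypothetical stand-ins, and only the two `return` expressions come from the report. It shows why a test that authenticates as an admin cannot detect the broken owner comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str


@dataclass
class UserRoles:
    """Hypothetical wrapper handed to the checker; it holds a person but is not one."""
    person: Person
    in_admin: bool = False


@dataclass
class Token:
    person: Person  # the token's owner


class BrokenEditOAuthAccessToken:
    def __init__(self, obj):
        self.obj = obj

    def check(self, user):  # hypothetical method name
        # Compares a Person with the wrapper itself: never equal.
        return self.obj.person == user or user.in_admin


class FixedEditOAuthAccessToken(BrokenEditOAuthAccessToken):
    def check(self, user):
        # Compares Person with Person, as in the corrected line.
        return self.obj.person == user.person or user.in_admin


def permission_matrix(checker_cls):
    """Evaluate the checker for the token owner, an unrelated user and an admin."""
    owner, other, admin = Person("owner"), Person("other"), Person("admin")
    checker = checker_cls(Token(person=owner))
    return {
        "owner": checker.check(UserRoles(owner)),
        "other": checker.check(UserRoles(other)),
        "admin": checker.check(UserRoles(admin, in_admin=True)),
    }


if __name__ == "__main__":
    # The "admin" entry is True for both classes, so an admin-only test
    # cannot tell them apart; the "owner" entry is what differs.
    print("broken:", permission_matrix(BrokenEditOAuthAccessToken))
    print("fixed: ", permission_matrix(FixedEditOAuthAccessToken))
```

A permission test for this kind of checker needs a non-admin owner case and a non-admin non-owner case; the admin case alone exercises only the `or user.in_admin` branch.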
Diogo Matsubara (matsubara) wrote : Bug fixed by a commit
Changed in launchpad-foundations:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
tags: added: qa-ok
Curtis Hovey (sinzui) wrote : Bug 511567 Fix released

Fix released in launchpad-project 10.02.

Changed in launchpad-foundations:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
Changed in launchpad:
assignee: Curtis Hovey (sinzui) → nobody