Sebb (Jira) wrote on 3/8/22 7:10 AM:
...
> Sebb commented on WHIMSY-383:
> -----------------------------
>
> Infra will need to update the SVN auth (pit-auth) as well.
> Whimsy cannot grant access that it does not have.
...
Is there any way this change - either in whimsy or by infra - could
result in other security issues? Sam's if statement seems OK, and
Secretary can already see ICLAs, but I'm wondering why/how infra would
need to change the svn auth as well.
Question: how is a user authorized in each step of this case?
- User navigates to /roster/curcuru (or various other pages)
- httpd auths the user via LDAP (pretty simple & secure)
- roster app loads, and might use our model to also auth specific roles
(or _self_) of the user gotten from httpd to choose code paths to go down
- roster app tries to display my data, which means it goes into various
parts of the model(s) to possibly auth me again (in ruby) for specific
data from the model (like here; secretary + root bypass some things)
- roster app gets here, decides I'm OK, and then ALSO goes and reads my
icla file or membership file from svn
-- When it reads from svn, what user is it acting as?
- Anything else?
I worry about two things:
- Code bugs in Whimsy, where our code grants the wrong people access
- Subtle bugs in Whimsy that could allow our applications access to
sensitive files because our tools have whimsysvn or whatever access to
SVN or other sources
--
- Shane
Apache Whimsy PMC
The Apache Software Foundation
--
- Shane
Member
The Apache Software Foundation
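One way to picture the multi-step flow questioned above, as an added illustration that is not Whimsy's own code: the identity httpd established is carried down to a single chokepoint that decides, deny-by-default, before any read is made with the service account's broader repository access. The class name, the service-identity framing, the constructed file table and the availid pattern are assumptions for this example.

```ruby
# Added illustration (not Whimsy code): one authorization chokepoint in front
# of a privileged repository read. IclaStore, the constructed FILES table and
# VALID_ID are assumptions made for this example.
require 'set'

class IclaStore
  # Constructed sample of what the service identity can reach. In the real
  # deployment that identity can read far more than any single user, so every
  # read must be gated on the *requesting* user, never on the service account.
  FILES = {
    'curcuru' => 'icla for curcuru (constructed)',
    'sebb'    => 'icla for sebb (constructed)'
  }.freeze
  VALID_ID = /\A[a-z][a-z0-9_-]{1,31}\z/ # availids only; rejects path junk

  # user: the login httpd/LDAP authenticated; roles: what the model says
  AuthContext = Struct.new(:user, :roles)

  def initialize
    @audit = []
  end
  attr_reader :audit

  # Deny by default. The only ways to see someone's ICLA: it is your own,
  # or you hold a role the policy names explicitly (secretary, root).
  def authorized?(ctx, target)
    return false unless ctx.user.is_a?(String) && VALID_ID.match?(target)
    return true if ctx.user == target
    !(ctx.roles.to_set & Set['secretary', 'root']).empty?
  end

  # Every read passes through here, so a code path that forgets to check
  # cannot borrow the service identity's access by accident. Each decision
  # is recorded, which is what you want when reviewing "who saw what".
  def read_icla(ctx, target)
    ok = authorized?(ctx, target)
    @audit << { user: ctx.user, target: target, allowed: ok }
    raise SecurityError, "#{ctx.user} may not read icla for #{target}" unless ok
    FILES.fetch(target) { raise KeyError, "no icla for #{target}" }
  end
end
```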