Mailinglist Archive: opensuse-buildservice (272 mails)

Re: [opensuse-buildservice] [api] ACL 'access' rewrite for 2.2
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Mon, 29 Nov 2010 12:06:59 +0100
  • Message-id: <20101129110702.51AF93C539A9@xxxxxxxxxxxx>
On Saturday 27 November 2010 23:35:08 Jan-Simon Möller wrote:
...
Adrian will roll new unstable packages shortly.

Packages from openSUSE:Tools:Unstable with version 2.1.66 contain this first
snapshot.

It also contains a fix for OBS interconnect. The client side support was
broken in last week's "git master" code branch.

Testing and feedback very welcome.

Todo:
* add support for Vivian's LDAP group patches
* cleanups
* remoteprojects need testing
* bugfixing

We currently know that there is a leak in the webui. It does cache independently
of the user and may grant access or show content of hidden projects to others.

Otherwise the protection should be complete, even though there are still some
documented broken test cases and also some wanted logic changes.

If you have an idea to expose content of an "access" disable project, feel
free to try it and to report.

And of course, there can't be enough people to review this security-relevant
code ;)

thanks
adrian

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
