Restricted Content Available to Unauthorized User

Bug #370019 reported by Anthony
Affects: KARL3
Status: Fix Released
Importance: Low
Assigned to: Chris Rossi

Bug Description

First, as 'user 1' who has access to a restricted community, I visit the restricted pages and copy the URL of that page.

Next, log off and log in as 'user 2' who does not have access to the restricted community. Visit the community page and verify that you are not able to see this restricted community. All okay.

Next, paste the copied URL from step 1 listed above in the browser and the restricted content is displayed to 'user 2' even though he is not a member of this restricted community.

I verified that this does not occur in KARL 2.

Anthony (agalietti)
Changed in karl3:
assignee: nobody → Paul Everitt (paul-agendaless)
milestone: none → m12
Changed in karl3:
importance: Undecided → Medium
Paul Everitt (paul-agendaless) wrote : Re: [Bug 370019] [NEW] Restricted Content Available to Unauthorized User

Hmm, I wasn't able to recreate this with a wiki page. *Perhaps* this
is related to the thing where you clicked on "logout" via the
Forbidden screen, but it didn't actually log you out?

If possible, could we have a phone call tomorrow (Friday) morning and
go through this? I'd like to jump on this fast.

--Paul

On Apr 30, 2009, at 3:16 PM, Anthony wrote:

> Public bug reported:
>
> First, as 'user 1' who has access to a restricted community, I visit
> the
> restricted pages and copy the URL of that page.
>
> Next, log off and log in as 'user 2' who does not have access to the
> restricted community. Visit the community page and verify that you
> are
> not able to see this restricted community. All okay.
>
> Next, paste the copied URL from step 1 listed above in the browser and
> the restricted content is displayed to 'user 2' even though he is not a
> member of this restricted community.
>
> I verified that this does not occur in KARL 2.
>
> ** Affects: karl3
> Importance: Undecided
> Assignee: Paul Everitt (paul-agendaless)
> Status: New
>
> ** Changed in: karl3
> Milestone: None => m12
>
> ** Changed in: karl3
> Assignee: (unassigned) => Paul Everitt (paul-agendaless)
>
> --
> Restricted Content Available to Unauthorized User
> https://bugs.launchpad.net/bugs/370019
> You received this bug notification because you are a bug assignee.
>
> Status in Porting KARL to a new architecture: New

Paul Everitt (paul-agendaless) wrote :

Anthony and I discussed it this morning and I was able to recreate it. When you paste the URL, you are able to get to that item in a community. However, you will never be able to get somewhere else: clicking any links, editing the URL, or even hitting reload will (correctly) give Forbidden.

My guess is that we have some lag in our algorithm for storing login tickets as secure cookies. This would mean that our "leakage" would be restricted to:

1) One user.

2) On one computer.

3) In one browser.

4) Switching between user accounts.

5) For only one HTTP request.

6) Done by pasting a URL.

7) Without closing their browser in between.

This is a very narrow scenario. Moreover, while it is a "leakage" between 2 KARL "users", they almost always will be the same human user.

Thus, my recommendation is that we look at this, but not ahead of other issues.

Paul Everitt (paul-agendaless) wrote :

Chris, I'm waiting to hear back from OSI on my recommendation for this (in the comment on this issue from this morning.) For now I'm marking it as Low, to be done after next week's push for migration.

Changed in karl3:
assignee: Paul Everitt (paul-agendaless) → Chris Rossi (chris-archimedeanco)
importance: Medium → Low
milestone: m12 → m14
Tres Seaver (tseaver) wrote :

ChrisM's fix for LP #369958 (forcing the login form to clear the authtkt cookie)
fixes this problem.
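The following is an added, constructed model of the failure class discussed in this thread and of the fix Tres describes (the login form clearing the auth ticket cookie); it is not KARL's code and does not claim to be the actual root cause. It assumes a stale auth_tkt cookie can survive a failed logout and be sent alongside the new one, and that the server honours the first valid ticket it finds.

```python
import hmac
import hashlib

# Constructed model (not KARL's code) of an auth_tkt-style login cookie.
SECRET = b"example-secret"            # assumption: server-side ticket secret
COOKIE = "auth_tkt"
MEMBERS = {"restricted": {"user1"}}   # constructed: only user1 may view it

def make_ticket(userid):
    mac = hmac.new(SECRET, userid.encode(), hashlib.sha256).hexdigest()
    return f"{mac}!{userid}"

def identify(cookie_jar):
    """Return the userid from the first valid auth_tkt cookie, else None."""
    for name, value in cookie_jar:
        if name != COOKIE or "!" not in value:
            continue
        mac, userid = value.split("!", 1)
        if hmac.compare_digest(mac, make_ticket(userid).split("!")[0]):
            return userid
    return None

def login(cookie_jar, userid, clear_stale=True):
    """clear_stale=False models a login form that only appends a new ticket;
    clear_stale=True models the fix: drop any existing ticket first."""
    if clear_stale:
        cookie_jar[:] = [c for c in cookie_jar if c[0] != COOKIE]
    cookie_jar.append((COOKIE, make_ticket(userid)))

def logout_via_forbidden(cookie_jar):
    # Assumption from Paul's first comment: the logout link on the Forbidden
    # screen returned without actually clearing the ticket.
    return cookie_jar

def view(cookie_jar, community):
    user = identify(cookie_jar)
    return 200 if user in MEMBERS.get(community, set()) else 403

def reproduce(clear_stale):
    """Run the report's steps; return the status user2 gets for the pasted URL."""
    jar = []                          # constructed: one browser's cookie jar
    login(jar, "user1")
    assert view(jar, "restricted") == 200   # user1 legitimately sees the page
    logout_via_forbidden(jar)
    login(jar, "user2", clear_stale=clear_stale)
    return view(jar, "restricted")
```

With `clear_stale=False` the pasted URL still resolves as user1 and returns 200; with the fix it returns 403.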

Changed in karl3:
status: New → Fix Committed
Changed in karl3:
status: Fix Committed → Fix Released