Can't remove authorised oauth tokens

Bug #511567 reported by Peter Clifton on 2010-01-23
This bug affects 7 people
Affects: Launchpad itself
Importance: High
Assigned to: Unassigned

Bug Description

I have bughugger authorised as an application which can access launchpad on my behalf.

Out of curiosity, I tried to remove its authorisation from launchpad:

(Button on this page: https://edge.launchpad.net/~pcjc2/+oauth-tokens )

This links to this page:
https://edge.launchpad.net/~pcjc2/+oauth-tokens

And I get the following error:

Not allowed here
Sorry, you don't have permission to access this page.

You are logged in as Peter Clifton.

Curtis Hovey (sinzui) on 2010-01-23
affects: launchpad → launchpad-foundations
Curtis Hovey (sinzui) wrote :

I get
    Unauthorized: (<OAuthAccessToken at 0xde96b90>, 'date_expires', 'launchpad.Edit')

I can see that the permissions are
    <require
          permission="launchpad.Edit"
          set_schema="canonical.launchpad.interfaces.IOAuthAccessToken"/>

I can see the definition of EditOAuthAccessToken to be
    return self.obj.person == user or user.in_admin

Maybe the interface inheritance is bad: IOAuthToken < IOAuthAccessToken?

Changed in launchpad-foundations:
importance: Undecided → Critical
milestone: none → 10.01
status: New → Triaged
Max Bowsher (maxb) on 2010-01-28
summary: - Can't remove authorised app
+ Can't remove authorised oauth tokens
Diogo Matsubara (matsubara) wrote :

Why is this critical Curtis?

Changed in launchpad-foundations:
milestone: 10.01 → 10.02
Changed in launchpad-foundations:
importance: Critical → High
assignee: nobody → Curtis Hovey (sinzui)
Curtis Hovey (sinzui) wrote :

Hi Diogo.

I marked it as critical because there is no way to disable a destructive script that is in the wild.

I do not have time to work on this; my team's work is more critical.

Changed in launchpad-foundations:
assignee: Curtis Hovey (sinzui) → nobody
Curtis Hovey (sinzui) wrote :

The security checker was broken recently:
    return self.obj.person == user or user.in_admin
should be
    return self.obj.person == user.person or user.in_admin

The tests passed because the user salgado is an admin.
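
The checker regression described in the comment above, as an added Python example that is not Launchpad's own code: `Person`, `UserRoles`, `Token` and the function names are hypothetical stand-ins, assuming the checker receives a roles wrapper rather than the person record itself. The matrix includes the non-admin owner case that an admin-only test user never exercises.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    is_admin: bool = False


class UserRoles:
    """Hypothetical wrapper passed to the checker as `user`; it is not a Person."""

    def __init__(self, person):
        self.person = person

    @property
    def in_admin(self):
        return self.person.is_admin


@dataclass
class Token:
    person: Person  # owner of the OAuth access token


def check_before_fix(token, user):
    # Compares a Person with the wrapper: never equal, so only admins pass.
    return token.person == user or user.in_admin


def check_after_fix(token, user):
    # Compares a Person with the Person behind the wrapper.
    return token.person == user.person or user.in_admin


def permission_matrix(check):
    """Run a checker over the cases an authorization test should cover."""
    owner, other = Person("owner"), Person("other")
    admin = Person("admin", is_admin=True)
    return {
        "owner_on_own_token": check(Token(owner), UserRoles(owner)),
        "stranger_on_token": check(Token(owner), UserRoles(other)),
        "admin_on_other_token": check(Token(owner), UserRoles(admin)),
        # The only case covered when the test user is an admin:
        "admin_on_own_token": check(Token(admin), UserRoles(admin)),
    }


if __name__ == "__main__":
    for name, check in (("before", check_before_fix), ("after", check_after_fix)):
        print(name, permission_matrix(check))
```
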

Changed in launchpad-foundations:
assignee: nobody → Curtis Hovey (sinzui)
status: Triaged → In Progress
Changed in launchpad-foundations:
status: In Progress → Fix Committed
Curtis Hovey (sinzui) on 2010-02-26
tags: added: qa-ok

Fix released in launchpad-project 10.02.

Changed in launchpad-foundations:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui) on 2017-05-15
Changed in launchpad:
assignee: Curtis Hovey (sinzui) → nobody