Comment 8 for bug 1166670

Dolph Mathews (dolph) wrote : Re: Deleted user can still create instances

> Still trying to make up my mind whether to consider this a "vulnerability".

I'm leaning towards yes.

> I suspect those tokens end up being denied after their validity period?

I don't believe that option exists in Folsom - UUID tokens should be denied immediately.

> Is there a way for the admin to disable the tokens manually?

Yes, you can delete tokens one at a time if you know the token ( DELETE :35357/v2.0/tokens/{token_id} )

My guess is that there is a difference in behavior between disabling a user and deleting a user (both should result in all associated tokens being revoked). As a workaround, I'd suggest disabling the user prior to deletion.

> Is that only affecting Folsom?

Probably, but Grizzly needs to be tested as well.
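The disable-versus-delete discrepancy described in this comment, as an added illustration that is not Keystone code: a hypothetical in-memory token store where disabling a user revokes its tokens but a Folsom-style delete path does not, plus the two mitigations the comment points at (disable before delete, and manual per-token revocation). Class and method names here are invented for the example.

```python
"""Toy model (constructed for this example, not Keystone) of the bug class:
a user record is deleted but the tokens issued to it stay valid."""
import secrets


class TokenStore:
    def __init__(self):
        self.users = {}    # user_id -> {"enabled": bool}
        self.tokens = {}   # token_id -> user_id

    def create_user(self, user_id):
        self.users[user_id] = {"enabled": True}

    def issue_token(self, user_id):
        # Tokens are only issued to users that exist and are enabled.
        if not self.users.get(user_id, {}).get("enabled"):
            raise PermissionError("user missing or disabled")
        tok = secrets.token_hex(16)
        self.tokens[tok] = user_id
        return tok

    def revoke_token(self, tok):
        # Equivalent of the manual DELETE /v2.0/tokens/{token_id} workaround.
        self.tokens.pop(tok, None)

    def revoke_user_tokens(self, user_id):
        for tok in [t for t, u in self.tokens.items() if u == user_id]:
            del self.tokens[tok]

    def disable_user(self, user_id):
        # Disable path: the user's tokens are revoked as part of the change.
        self.users[user_id]["enabled"] = False
        self.revoke_user_tokens(user_id)

    def delete_user_buggy(self, user_id):
        # Folsom-style path: drops the user record but never touches tokens.
        del self.users[user_id]

    def delete_user_fixed(self, user_id):
        # The comment's workaround made the default: disable (revokes) then delete.
        self.disable_user(user_id)
        del self.users[user_id]

    def validate_lenient(self, tok):
        # "Token record exists" is the only check: a deleted user keeps working.
        return tok in self.tokens

    def validate_strict(self, tok):
        # Defence in depth: also require the owning user to exist and be enabled.
        user_id = self.tokens.get(tok)
        return user_id is not None and self.users.get(user_id, {}).get("enabled", False)
```

The strict validator closes the window even when the delete path is still broken, so a fix should do both: revoke on delete and re-check the principal on every validation.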