Could you link to the offending change(s) please, so we can see what doing it wrong looks like?
On 2 December 2015 at 09:28, William Reade <[email protected]> wrote: > I just noticed that the unitassigner facade-constructor drops the authorizer > on the floor; and I caught a similar case in a review yesterday (that had > already been LGTMed by someone else). > > Doing that means that *any* api connection can use the thus-unprotected > facade -- clients, agents, and malicious code running in a compromised > machine and using the agent credentials. I don't think we have any APIs > where this is actually a good idea; the best I could say about any such case > is that it's not *actively* harmful *right now*. But big exploits are made > of little holes, let's make an effort not to open them in the first place. > > Moonstone, please fix the unitassigner facade ASAP; everyone else, be told, > and keep an extra eye out for this issue in reviews :). > > Cheers > William > > -- > Juju-dev mailing list > [email protected] > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/juju-dev > -- Juju-dev mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/juju-dev
