As far as I can tell, when creating users, if the is_server_owner field is 
provided in the POST data, then it will always be set to true. Is this the 
intended behaviour? I was trying to create users and explicitly setting it to 
False and wondering why they were being created as server_owners anyway.

I suppose this is a security issue, although I imagine it's unlikely any 
applications are using that field yet. The potential problem I suppose is that 
in the field there may be installations in which users created via POST have 
is_server_owner set to true.

See the commands below to see the problem in action:

# DELETE user to make sure its not present
(venv3.4)ubuntu@mail:~/mailmania$ curl -X DELETE --header "authorization: Basic 
cmVzdGFkbWluOnJlc3RwYXNz" 
http://localhost:8001/3.0/users/mailmanad...@example.org

# create user via POST with POSTed field value is_server_owner=anyoldvaluewilldo
(venv3.4)ubuntu@mail:~/mailmania$ curl -X POST --data 
"email=mailmanad...@example.org" --data "display_name=displayname" --data 
"is_server_owner=anyoldvaluewilldo" --header "authorization: Basic 
cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users


# GET user - you can now see that is_server_owner is true
(venv3.4)ubuntu@mail:~/mailmania$ curl --header "authorization: Basic 
cmVzdGFkbWluOnJlc3RwYXNz" 
http://localhost:8001/3.0/users/mailmanad...@example.org
{"display_name": "displayname", "password": 
"$6$rounds=105489$ToJ.XV3yw0Mvee8r$pbMEE/6e1Xw8PPOunQGX1IL21NmNLrSwl3VFwZNtsoxwCjZ7iWZ.SjDmX7rs9nlM7pglz54GFjB8hmn.rOI.d/",
 "http_etag": "\"7891a3ea8a2c71a67e738aede9b9d2cfbf438073\"", "user_id": 
264084494277271879132250546838180918030, "self_link": 
"http://localhost:8001/3.0/users/264084494277271879132250546838180918030", 
"created_on": "2015-07-12T05:08:07.320945", "is_server_owner": true}

# DELETE user to make sure its not present
(venv3.4)ubuntu@mail:~/mailmania$ curl -X DELETE --header "authorization: Basic 
cmVzdGFkbWluOnJlc3RwYXNz" 
http://localhost:8001/3.0/users/mailmanad...@example.org

# create user via POST without any POSTed field value for is_server_owner
(venv3.4)ubuntu@mail:~/mailmania$ curl -X POST --data 
"email=mailmanad...@example.org" --data "display_name=displayname" --header 
"authorization: Basic cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users

# GET user - you can now see that is_server_owner is false
(venv3.4)ubuntu@mail:~/mailmania$ curl --header "authorization: Basic 
cmVzdGFkbWluOnJlc3RwYXNz" http://localhost:8001/3.0/users
{"total_size": 2, "start": 0, "entries": [{"display_name": "Insecure Testuser", 
"password": 
"$6$rounds=107421$p9wIIl6zAEHEe5ZC$JH0MhieMJr8URXGsQ5I6zLa3l4whbRsMhjKOntfDlxOrfstxaRvlMgPvuEYU05ptNnSJdSnB43Elw0zAshFux1",
 "http_etag": "\"6394e37e623cbfa20445201f091c4aabaaa01340\"", "user_id": 
309469782534072420914095048754305489000, "self_link": 
"http://localhost:8001/3.0/users/309469782534072420914095048754305489000", 
"created_on": "2015-07-12T04:49:17.499529", "is_server_owner": true}, 
{"display_name": "displayname", "password": 
"$6$rounds=98938$pOH6NcMh5RN1mNs0$8wUWsaEXVaqiA6z/B2qTXIYVDMVMunzaMmWCL3JmxL/EnknA4A0PFisJZA0VcDOzY0KqiU2sljlBPXuNrEypl.",
 "http_etag": "\"3c81af299b5b36b104d9c7066fed63273a72bf48\"", "user_id": 
176959263898569148772584820722098620353, "self_link": 
"http://localhost:8001/3.0/users/176959263898569148772584820722098620353", 
"created_on": "2015-07-12T05:09:12.043209", "is_server_owner": false}], 
"http_etag": "\"943acca65a65afd2c1c40b6fc1e010b337e1bad6\""}

_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
https://mail.python.org/mailman/listinfo/mailman-developers
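The behaviour reported above is the classic truthiness pitfall: a handler that converts a form field with `bool()` treats every non-empty string, including "False" and "anyoldvaluewilldo", as true. The following is an added example, not Mailman's own REST code; the handler and field names (`create_user`, `strict_boolean`, the constructed sample POST bodies) are illustrative. It shows the buggy coercion beside a strict parser that accepts only an explicit true/false vocabulary, defaults a privileged flag to false when it is absent, and rejects anything else instead of silently granting the privilege.

```python
"""Added example: naive vs. strict boolean parsing of a privileged REST field.

Not Mailman's code. The handler names and sample requests are constructed
for illustration of the is_server_owner report.
"""

from typing import Dict, List, Tuple, Union

# Constructed sample POST bodies, already decoded from
# application/x-www-form-urlencoded into plain dicts.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"email": "a@example.org", "display_name": "a"},
    {"email": "b@example.org", "display_name": "b", "is_server_owner": "False"},
    {"email": "c@example.org", "display_name": "c",
     "is_server_owner": "anyoldvaluewilldo"},
    {"email": "d@example.org", "display_name": "d", "is_server_owner": "true"},
]

# Explicit vocabulary; anything outside it is an error, never "true by default".
TRUE_WORDS = frozenset({"true", "yes", "1", "on"})
FALSE_WORDS = frozenset({"false", "no", "0", "off"})


def naive_is_server_owner(form: Dict[str, str]) -> bool:
    """The buggy pattern: bool() of any non-empty string is True,
    so "False" and random junk both grant the flag."""
    return bool(form.get("is_server_owner", ""))


class InvalidBoolean(ValueError):
    """Raised for a value that is not recognisably true or false."""


def strict_boolean(value: str) -> bool:
    """Parse only the known vocabulary (case-insensitive); reject the rest."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise InvalidBoolean(f"not a boolean: {value!r}")


def create_user(form: Dict[str, str]) -> Dict[str, object]:
    """Hardened handler: the privileged flag defaults to False when absent,
    and a malformed value raises (a 400-class response in a real API)
    rather than becoming True."""
    raw = form.get("is_server_owner")
    is_owner = False if raw is None else strict_boolean(raw)
    return {"email": form["email"], "is_server_owner": is_owner}


Outcome = Tuple[bool, Union[bool, str]]


def outcomes(requests: List[Dict[str, str]]) -> List[Outcome]:
    """Compare the naive and strict results for each sample request."""
    results: List[Outcome] = []
    for form in requests:
        naive = naive_is_server_owner(form)
        try:
            strict: Union[bool, str] = bool(create_user(form)["is_server_owner"])
        except InvalidBoolean:
            strict = "rejected"
        results.append((naive, strict))
    return results


if __name__ == "__main__":
    for form, (naive, strict) in zip(SAMPLE_REQUESTS, outcomes(SAMPLE_REQUESTS)):
        print(f"{form.get('is_server_owner', '<absent>')!r:>22}: "
              f"naive={naive} strict={strict}")
```

Running the block prints one line per sample request; the "False" and "anyoldvaluewilldo" bodies are the two cases where the naive coercion yields true while the strict parser yields false or rejects the request. The same strict-vocabulary check is also the right place for a regression test once the field's intended semantics are settled.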