Bug #11837
closed [API][Workbench] user can see other users' trash
Updated by Radhika Chippada over 7 years ago
Due to the update made @ https://dev.arvados.org/projects/arvados/repository/revisions/695a100d4bd3bf4f5534c7e489c118c2917bf35a/diff/services/api/app/controllers/arvados/v1/collections_controller.rb, the readable_by filter is no longer working with unscoped and a user can see other users' trash.
Updated by Radhika Chippada over 7 years ago
- Status changed from New to In Progress
Branch 11837-trash-access has two failing tests, one each in controllers/trash_items_controller_test.rb and integration/trash_test.rb
Updated by Radhika Chippada over 7 years ago
- Assigned To set to Radhika Chippada
- Target version set to 2017-06-21 sprint
Updated by Radhika Chippada over 7 years ago
- Status changed from In Progress to Resolved
- % Done changed from 0 to 100
Applied in changeset arvados|commit:0e3369b7179c4e483faf681e67279d762feaa33c.
Updated by Nico César over 7 years ago
Radhika... how can I test if the bug is present?
I see that the test failed for it
https://ci.curoverse.com/job/run-tests-services-nodemanager/344//console
I don't know if it is temporary or not. I'm re-running those tests and let's see tomorrow.
Updated by Radhika Chippada over 7 years ago
Nico asked: Radhika... how can I test if the bug is present?
Nico, I am sorry. I forgot to send you the instructions (as promised) before merging the code into master.
To test: you need to log in as a non-admin user and visit the https://workbench.4xphq.arvadosapi.com/trash page. Now you will see trashed collections in this user's projects or any other shared collections. Before the fix, the page listed the same collections as when an admin user accesses this page.
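
The symptom described in this thread, as an added example that is not part of the original ticket and is not Arvados code: a simplified in-memory model where the trash listing is rebuilt from the unfiltered record set, beside a version that keeps the permission filter, plus a regression check that reports leaked items. All users, records and function names are constructed; the model assumes only what the ticket states, namely that a non-admin saw the same trash as an admin.

```ruby
# Added illustration: an in-memory model, not Arvados code.
# Every name and record below is constructed for the example.
Collection = Struct.new(:uuid, :owner, :shared_with, :trashed)
User = Struct.new(:name, :admin)

COLLECTIONS = [
  Collection.new("c-alice-live",  "alice", [],        false),
  Collection.new("c-alice-trash", "alice", [],        true),
  Collection.new("c-bob-trash",   "bob",   [],        true),
  Collection.new("c-bob-shared",  "bob",   ["alice"], true),
].freeze

# True when the user may read the record: admin, owner, or explicitly shared.
def readable?(record, user)
  user.admin || record.owner == user.name || record.shared_with.include?(user.name)
end

# Permission filter, standing in for a readable_by-style scope.
def readable_by(rows, user)
  rows.select { |c| readable?(c, user) }
end

# Buggy shape: to get trashed rows back, the query restarts from the whole
# table, which silently discards the permission filter along with the
# "hide trash" default.
def trash_listing_buggy(_user)
  COLLECTIONS.select(&:trashed)
end

# Fixed shape: only the "hide trash" default is lifted; the permission
# filter is still applied to the result.
def trash_listing_fixed(user)
  readable_by(COLLECTIONS, user).select(&:trashed)
end

# Regression check: UUIDs in a listing that the user must not be able to read.
def leaked_trash(listing, user)
  listing.reject { |c| readable?(c, user) }.map(&:uuid)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", false)
  puts "buggy leaks: #{leaked_trash(trash_listing_buggy(alice), alice).inspect}"
  puts "fixed leaks: #{leaked_trash(trash_listing_fixed(alice), alice).inspect}"
end
```
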