id	summary	reporter	owner	description	type	status	priority	milestone	component	resolution	keywords	cc	parents
5356	Can't GET another user's outbox	ayleph		"When a pump client tries to GET the outbox of another user, the API always returns the outbox of the requesting user. The below patch addresses this issue.

{{{
From c5f40d03a2ae6dd5f5c8ea67e441d4711e052c35 Mon Sep 17 00:00:00 2001
From: ayleph <ayleph@thisshitistemp.com>
Date: Sat, 31 Oct 2015 04:18:44 -0400
Subject: [PATCH 2/2] Allow API client to GET another user's outbox

---
 mediagoblin/api/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mediagoblin/api/views.py b/mediagoblin/api/views.py
index 671c3b3..dcd04cd 100644
--- a/mediagoblin/api/views.py
+++ b/mediagoblin/api/views.py
@@ -565,9 +565,9 @@ def feed_endpoint(request, outbox=None):
 
     # Create outbox
     if outbox is None:
-        outbox = Activity.query.filter_by(actor=request.user.id)
+        outbox = Activity.query.filter_by(actor=requested_user.id)
     else:
-        outbox = outbox.filter_by(actor=request.user.id)
+        outbox = outbox.filter_by(actor=requested_user.id)
 
     # We want the newest things at the top (issue: #1055)
     outbox = outbox.order_by(Activity.published.desc())
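Review bot: `requested_user` is used on both `+` lines but is not bound anywhere in the visible hunk context of `feed_endpoint`; confirm it is assigned earlier in the function from the URL's username and cannot be None at this point, otherwise `requested_user.id` raises an AttributeError for an unknown user rather than returning a clean 404. A regression test that GETs one user's outbox while authenticated as a different user and asserts the returned activities have `actor == requested_user.id` would pin down the fix.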
-- 
2.6.2

}}}

I think this change is safe to make because:

* There is already code to check that the requesting user and the requested user match for PUT/POST requests.

{{{
421                 # Check that the person trying to update the comment is
422                 # the author of the comment.
423                 if image.actor != request.user.id:
424                     return json_error(
425                         ""Only uploader of image is able to update image."",
426                         status=403
427                     )
}}}

* There is code which throws an error if a request other than PUT, POST, or GET is made.

{{{
548     elif request.method != ""GET"":
549         return json_error(
550             ""Unsupported HTTP method {0}"".format(request.method),
551             status=501
552         )
}}}

So theoretically only a GET request should be able to pass through with the requested user not the same as the requesting user."	defect	closed	major	0.9.0	programming	fixed	api,pump	tsyesika	
