[users at bb.net] Restrict user access to /json and other magic urls

Narunas Krasauskas narun4sk at gmail.com
Fri Aug 19 19:37:23 UTC 2016


Hi Pierre,

Thanks for the comment.

> The security schemes implemented in buildbot were mainly done to prevent
> users from doing some restricted actions on the bot.
>
> I was not aware of the view restriction functionality in buildbot eight.
> Indeed it looks like to very well implemented if the json api is not
> accounting for this restriction.
>

I hope you meant "Indeed it looks like NOT very well implemented",
otherwise I find it hard to understand how it is an advantage that
"/json" bypasses "basic auth"?


> You can in theory configure read restrictions in buildbot nine, however
> this is not supported by the UI, and might give you strange results.
>

So basically you are saying that to control read access the best option I
have is indeed to put it behind a reverse proxy or otherwise implement my own
web api (which would make it invisible to the internets anyway)?

Regards

Narunas