[users at bb.net] Restrict user access to /json and other magic urls
Narunas Krasauskas
narun4sk at gmail.com
Fri Aug 19 19:37:23 UTC 2016
Hi Pierre,
Thanks for the comment.
> The security schemes implemented in buildbot was mainly done to prevent
> users to do some restricted actions on the bot.
>
> I was not aware of the view restriction functionality in buildbot eight.
> Indeed it looks like to very well implemented if the json api is not
> accounting for this restriction.
>
I hope you meant "Indeed it looks like NOT very well implemented",
otherwise I find it hard to understand how it is an advantage that
"/json" bypasses "basic auth"?
> You can in theory configure read restrictions in buildbot nine, however
> this is not supported by the UI, and might give you strange results.
>
So basically you are saying that to control read access the best option I
have is indeed to put it behind a reverse proxy or otherwise implement my own
web api (which would make it invisible to the internets anyway)?
Regards
Narunas