[users at bb.net] Restrict user access to /json and other magic urls

Pierre Tardy tardyp at gmail.com
Fri Aug 19 20:33:03 UTC 2016


On Fri, 19 Aug 2016 at 21:37, Narunas Krasauskas <narun4sk at gmail.com>
wrote:

> Hi Pierre,
>
> Thanks for the comment.
>
>> The security schemes implemented in buildbot were mainly done to prevent
>> users from doing some restricted actions on the bot.
>>
>> I was not aware of the view restriction functionality in buildbot eight.
>> Indeed it looks like to very well implemented if the json api is not
>> accounting for this restriction.
>>
>
> I hope you have meant "Indeed it looks like NOT very well implemented",
> otherwise I find it hard to understand how is that an advantage that
> "/json" bypasses "basic auth"?
>

Indeed, sorry the json api does not take auth into account.


>
>
>> You can in theory configure read restrictions in buildbot nine, however
>> this is not supported by the UI, and might give you strange results.
>>
>
> So basically you are saying that to control read access the best option I
> have is indeed to put it behind a reverse proxy or otherwise implement my own
> web api (which would make it invisible to the internets anyway)?
>

I was rather hoping that if someone ever needs read access restriction in
buildbot, he/she would contribute it to the open source project.
Like I said, this will mostly be a matter of testing it, and making sure the
UI properly reacts to 401 errors.

Regards
Pierre
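
Added example, not part of the original message or of buildbot's own code: a check that requests a list of URLs with no credentials and reports the HTTP status of each, so an operator can confirm whether /json is covered by the same basic auth as the rest of the web status. The stand-in server, its credentials and the paths other than /json are constructed for the demo and only mimic the behaviour described in this thread.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials, used only by the stand-in server below.
_AUTH = "Basic " + base64.b64encode(b"admin:constructed-pw").decode()


class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in: basic auth on pages, none under /json."""

    def do_GET(self):
        if self.path.startswith("/json") or self.headers.get("Authorization") == _AUTH:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"{}")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="buildbot"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def unauthenticated_status(base_url, paths, timeout=5):
    """Return {path: HTTP status} for requests sent with no credentials."""
    # Empty ProxyHandler: talk to the server directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    result = {}
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=timeout) as resp:
                result[path] = resp.status
        except urllib.error.HTTPError as err:  # 401/403 arrive as exceptions
            result[path] = err.code
    return result


def demo():  # runs the check against the stand-in on an ephemeral local port
    server = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return unauthenticated_status(base, ["/", "/json", "/json/builders"])
    finally:
        server.shutdown()
        server.server_close()
```

Any path that reports 200 here is readable without logging in; after putting the master behind a reverse proxy, every path in the list should report 401.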