Repository :
http://git.fedorahosted.org/cgit/copr.git
On branch : master
---------------------------------------------------------------
commit 3dc860ed701a363d872f1f2d2504b095d73dc2bf
Author: Bohuslav Kabrda <bkabrda(a)redhat.com>
Date: Tue Jan 8 13:33:33 2013 +0100
Use explicit enumeration for serialized user attributes to prevent possible
exposure of credentials
---------------------------------------------------------------
coprs_frontend/coprs/models.py | 3 ++-
.../coprs/views/backend_ns/backend_general.py | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/coprs_frontend/coprs/models.py b/coprs_frontend/coprs/models.py
index c7120a1..cf1397e 100644
--- a/coprs_frontend/coprs/models.py
+++ b/coprs_frontend/coprs/models.py
@@ -95,7 +95,8 @@ class User(db.Model, Serializer):
@property
def serializable_attributes(self):
- return super(User, self).serializable_attributes + ['name']
+ # enumerate here to prevent exposing credentials
+ return ['id', 'name']
class Copr(db.Model, Serializer):
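Review bot: Nothing in this commit pins the serialized shape of `User`, so a later edit that restores the `super(User, self).serializable_attributes + [...]` form in `serializable_attributes` would silently re-expose the private columns. A regression test asserting that a serialized `User` contains exactly `id` and `name`, and none of `openid_name`, `mail`, `proven` or `admin` (the fields the old deny-list in `backend_general.py` had to name), would guard the fix. The inline comment could state the rule rather than only the motive, e.g. `# allow-list: do not extend via super(); a new User column stays private unless listed here`. Other models such as `Copr` presumably still use the inherited default, which is worth checking for the same exposure; their bodies lie outside this hunk.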
diff --git a/coprs_frontend/coprs/views/backend_ns/backend_general.py
b/coprs_frontend/coprs/views/backend_ns/backend_general.py
index 1c15595..c315cde 100644
--- a/coprs_frontend/coprs/views/backend_ns/backend_general.py
+++ b/coprs_frontend/coprs/views/backend_ns/backend_general.py
@@ -13,7 +13,7 @@ def waiting_builds():
query = builds_logic.BuildsLogic.get_waiting_builds(None)
builds = query[0:10]
- return flask.jsonify({'builds': [build.to_dict(options = {'copr':
{'owner': {'__columns_except__': ['openid_name', 'proven',
'admin', 'mail'] },
+ return flask.jsonify({'builds': [build.to_dict(options = {'copr':
{'owner': {},
'__columns_except__': ['chroots', 'repos',
'build_count'],
'__included_ids__': False},
'__included_ids__':
False}) for build in builds]})
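Review bot: The empty `'owner': {}` in the `to_dict` options of `waiting_builds` reads like an oversight, because nothing at the call site says that owner field filtering is now delegated to `User.serializable_attributes`. A comment above the return, such as `# owner: {} is intentional; User.serializable_attributes is the allow-list for what this endpoint returns`, would keep someone from re-adding a deny-list here or assuming the owner is unfiltered. The nested options literal is also hard to audit inside the comprehension; binding it to a named local before the `return` would make the exposed shape reviewable at a glance. Whether this view requires authentication is not visible in the hunk, so the allow-list should be treated as the only control on what leaves the frontend.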