It's possible for the client to assign calculation results to another user
Bug #1234350 reported by Lars Butler
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenQuake Platform | New | Undecided | Unassigned | |
Bug Description
When a calculation is run, the owner username (the platform auth'ed user) is passed to the oq-engine-server, which is then passed back to the platform when the calculation finishes and it's time to import results from oq-engine-server into the `icebox`.
With the current implementation plan, this username will be passed through code in the oq-platform client, which means that one registered user could create an annoyance by giving a calculation to another user. This should not be able to happen.
We need to come up with some way to prevent this.
One possible solution is to simply
1) require authentication in the oq-engine-server, always
2) add middleware and configuration to the oq-engine-server to delegate authentication to the oq-platform (basically, we just need to use the sessions and auth tables in the oq-platform)
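
Added example, not code from oq-platform or oq-engine-server: a minimal sketch of the issue in this report and of the fix direction proposed above, with the owner bound from the authenticated session at submit time and read back from the server-side job record at import time. The session table, job table, function names and request fields are hypothetical stand-ins.

```python
import secrets

# Constructed stand-ins (assumptions): the platform's session table and the
# engine server's job table, reduced to in-memory dicts.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session key -> username
JOBS = {}                                              # job id -> owner


class AuthError(Exception):
    """Raised when a request carries no valid platform session."""


def run_calc_vulnerable(request):
    """'Before': the owner is whatever the client code put in the request."""
    job_id = secrets.token_hex(8)
    JOBS[job_id] = request["owner"]  # client-controlled, so it can name anyone
    return job_id


def run_calc_hardened(request):
    """Owner comes from the session; a client-supplied 'owner' is ignored."""
    user = SESSIONS.get(request.get("session_key"))
    if user is None:
        raise AuthError("authentication required")
    job_id = secrets.token_hex(8)
    JOBS[job_id] = user  # bound once, server-side, at submit time
    return job_id


def import_results(job_id, payload):
    """On completion, take the owner from the job record, never the payload."""
    owner = JOBS[job_id]
    return {"owner": owner, "results": payload["results"]}


if __name__ == "__main__":
    # alice is logged in but names bob as the owner in the request body.
    req = {"session_key": "sess-alice", "owner": "bob", "params": {}}
    print("vulnerable owner:", JOBS[run_calc_vulnerable(req)])
    jid = run_calc_hardened(req)
    print("hardened owner:  ", JOBS[jid])
    done = import_results(jid, {"owner": "bob", "results": [0.1, 0.2]})
    print("imported for:    ", done["owner"])
```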