authorVictor Shyba <victor1984@riseup.net>2017-08-30 23:54:55 -0300
committerdrebs <drebs@riseup.net>2017-09-05 11:08:48 -0300
commit7dcdfdfa66605e4cb2249746f2c157e768f3afe8 (patch)
tree6679e649e15db18e43f72e9ef5271856fecc54a0
parent75b5f4131b912325f2e7ee9d7e75b51d12a5270d (diff)
[bug] avoid cross uuid checks on incoming
The Incoming API is supposed to be able to, given a valid service token, write an incoming document into any user's database. Leaving the parameter named 'uuid' triggers the defensive code against unauthorized access between users. This commit renames the parameter so that check is not applied. -- Related: #8867
-rw-r--r--src/leap/soledad/server/auth.py1
-rw-r--r--src/leap/soledad/server/url_mapper.py2
2 files changed, 2 insertions, 1 deletions
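--- a/src/leap/soledad/server/auth.py
+++ b/src/leap/soledad/server/auth.py
@@ -123,6 +123,7 @@ class FileTokenChecker(object):
 line = line.strip()
 if not line.startswith('#'):
 service, token = line.split(':')
+log.info("Loaded credentials for service: %s" % service)
 self._trusted_services_tokens[service] = token
 def requestAvatarId(self, credentials):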
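Review bot: The added log line formats the message eagerly with `%` before the call; if `log` is the stdlib logger the argument should be passed lazily, `log.info("Loaded credentials for service: %s", service)`, and if it is a twisted `Logger` the equivalent is `log.info("Loaded credentials for service: {service}", service=service)` — the hunk does not show which logger `log` is. Logging only the service name and never the token is the right choice here. Note that the assignment on the following line silently overwrites an earlier entry when a service name appears twice in the token file; the new message exposes that only by printing twice, so a warning on overwrite, `if service in self._trusted_services_tokens: log.warn(...)`, would be clearer. The enclosing method begins outside the hunk.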
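--- a/src/leap/soledad/server/url_mapper.py
+++ b/src/leap/soledad/server/url_mapper.py
@@ -78,4 +78,4 @@ class URLMapper(object):
 self._connect('/blobs/{uuid}/', ['GET'])
 # incoming resource
-self._connect('/incoming/{uuid}/{incoming_id}', ['PUT'])
+self._connect('/incoming/{target_user_uuid}/{incoming_id}', ['PUT'])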
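Review bot: The new route switches off a security check by naming convention alone — per the commit message a `{uuid}` parameter triggers the cross-user access check and `{target_user_uuid}` does not — yet nothing on this line records that, so a later clean-up that renames the parameter back to `{uuid}` for consistency with the routes above would silently re-enable the check, and the reverse edit on another route would silently remove it. A comment beside the `_connect` call should state the dependency: `# deliberately not '{uuid}': that name triggers the per-user ownership check, but incoming writes are authorized by a service token and may target any user (#8867)`. Since the endpoint now accepts writes into any user's database, it is worth confirming there is a test asserting that a plain user token, rather than a service token, is rejected on this route; the authorization itself is not visible in this hunk. The enclosing method's definition lies outside the hunk.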