Triggering a backup via admin API causes the api_key to become only valid for system user


(Michael Brown) #1

Before:

Reproduction:

$ api_key=340496f95ab2f28cc45f575cbfcc28edd10db076beb1139da14b3fa80bb23dd2
$ curl -XPOST -H 'Content-Type: application/json' "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael" -d '{ "with_uploads": true }'
{"success":"OK"}
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael"
(HTML error page as I'm in development mode)
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=system"
[{"filename":"discourse-2018-01-12-112341-v20180111092141.sql.gz","size":3216556,"link":"//discourse/admin/backups/discourse-2018-01-12-112341-v20180111092141.sql.gz"}]

After:


(Sam Saffron) #2

Can you look at the underlying table, before and after?

bin/rails c
> ApiKey.all

(Michael Brown) #3

Before

[4] pry(main)> ApiKey.all
  ApiKey Load (0.4ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x0000000d615e38
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: nil,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]

Operation

○ → curl -XPOST -H 'Content-Type: application/json' \
  "http://discoursedev:3000/admin/backups.json?api_key=scoobydoowhereareyou&api_username=michael" \
  -d '{ "with_uploads": true }'
{"success":"OK"}

After

[5] pry(main)> ApiKey.all
  ApiKey Load (0.3ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x000000064318d0
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: -1,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:31 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]

(Jeff Atwood) #4

How urgent is this to fix @supermathie? I’m unclear who this bug affects?


(Michael Brown) #5

It’s likely not urgent to fix (I only came across it by accident), but it concern me that the codepath has an unintended side effect of modifying the API key used to access it.


(Sam Saffron) #6

Maybe @zogstrip can have a quick look here, my guess is that something about the restore process may be fussing with api keys post restore.


(Régis Hanol) #7

I don’t think it’s related to the restore process since @supermathie is just doing a backup :flushed:

But yeah, I’ll have a look.


(Gerhard Schlager) #9

I gave it a quick try since I was working on backups. I can’t reproduce it. I’m closing it for now.


(Gerhard Schlager) #10