  1. MusicBrainz Server
  2. MBS-11271

Reduce the scope of editor data passed to the template renderer

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2020-12-16
    • Component/s: Refactoring
    • Labels:
      None

      Description

      When serializing an editor object to JSON for passing to the template renderer (via the TO_JSON method in MusicBrainz::Server::Entity::Editor), we include all kinds of (potentially private) information that may be unneeded by the particular component, like email address and birth date. This can lead to situations where we accidentally do something stupid with the JSON, like what happened here.

      I'd propose to refactor the default TO_JSON implementation to only return a minimal set of non-sensitive information about the editor (id, name, etc.) and be more careful about when we are including fields like email and birth date. This can be done by adding separate methods for outputting "unsanitized" data (which have to be called explicitly, rather than implicitly like TO_JSON currently is), and by checking the current authorized user before outputting the email or birth date.
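A sketch of the pattern proposed in the description, added here as an example; it is not code from MusicBrainz Server. The package `Example::Editor`, the method `unsanitized_json`, the field names and the "viewer is the same editor" policy are all assumptions made for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP;

package Example::Editor {    # hypothetical stand-in for the real entity class
    sub new { my ($class, %args) = @_; return bless { %args }, $class }

    # Implicit path: an encoder with convert_blessed calls TO_JSON by itself,
    # so it returns only fields that are safe to show to anyone.
    sub TO_JSON {
        my ($self) = @_;
        my %public = map { $_ => $self->{$_} } qw(id name);
        return \%public;
    }

    # Explicit path: the encoder never calls this. The caller passes the
    # currently authorized user; private fields are added only when that user
    # is the editor being serialized (policy assumed for this example).
    sub unsanitized_json {
        my ($self, $viewer) = @_;
        my $json = $self->TO_JSON;
        if (defined $viewer && $viewer->{id} == $self->{id}) {
            $json->{$_} = $self->{$_} for qw(email birth_date);
        }
        return $json;
    }
}

package main;

# Constructed sample data.
my $alice = Example::Editor->new(
    id    => 1,                   name       => 'alice',
    email => 'alice@example.org', birth_date => '1990-01-01',
);
my $bob = Example::Editor->new(id => 2, name => 'bob');

my $encoder = JSON::PP->new->canonical->convert_blessed;

# Editor object nested in page props: serialized implicitly, public fields only.
print $encoder->encode({ editor => $alice }), "\n";
# Explicit call on behalf of a different user: private fields stay out.
print $encoder->encode($alice->unsanitized_json($bob)), "\n";
# Explicit call on behalf of the editor themselves: email and birth date included.
print $encoder->encode($alice->unsanitized_json($alice)), "\n";
```

With this split, a component that merely embeds an editor object in its props cannot leak email or birth date by accident, because the private fields only appear after a deliberate call that names the viewer.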

            People

            Assignee:
            bitmap Michael Wiencek
            Reporter:
            bitmap Michael Wiencek

                Packages

                Version Package
                2020-12-16