Addons-server: Search API returns an add-on result that leads to a 403

Created on 13 Dec 2017  路  5Comments  路  Source: mozilla/addons-server

Describe the problem and steps to reproduce it:

(Please include as many details as possible.)

Search for "bitbucket":

curl 'https://addons.mozilla.org/api/v3/addons/search/?app=firefox&appversion=59.0&platform=mac&q=bitbucket&lang=en-US' | jq '.results[0]'

Show response

{
  "id": 845907,
  "authors": [
    {
      "id": 13215875,
      "name": "Pavel V",
      "url": "https://addons.mozilla.org/en-US/firefox/user/corkscreewe/",
      "username": "corkscreewe"
    }
  ],
  "average_daily_users": 22,
  "categories": {
    "android": [
      "user-interface"
    ],
    "firefox": [
      "other"
    ]
  },
  "contributions_url": null,
  "current_beta_version": null,
  "current_version": {
    "id": 2223971,
    "compatibility": {
      "android": {
        "max": "*",
        "min": "48.0"
      },
      "firefox": {
        "max": "*",
        "min": "48.0"
      }
    },
    "edit_url": "https://addons.mozilla.org/en-US/developers/addon/bitbucket-server-reviewers/versions/2223971",
    "files": [
      {
        "id": 765172,
        "created": "2017-11-09T12:23:31Z",
        "hash": "sha256:04dc9685f3a85fdb65be273447c819691674f0e2526c2517875d13780c450dde",
        "is_restart_required": false,
        "is_webextension": true,
        "is_mozilla_signed_extension": false,
        "platform": "all",
        "size": 200734,
        "status": "public",
        "url": "https://addons.mozilla.org/firefox/downloads/file/765172/bitbucket_server_reviewers_groups-2.2.12-an+fx.xpi?src=",
        "permissions": [
          "storage",
          "alarms",
          "tabs",
          "http://*/*",
          "https://*/*",
          "<all_urls>"
        ]
      }
    ],
    "is_strict_compatibility_enabled": false,
    "reviewed": null,
    "url": "https://addons.mozilla.org/en-US/firefox/addon/bitbucket-server-reviewers/versions/2.2.12",
    "version": "2.2.12"
  },
  "default_locale": "en-US",
  "description": null,
  "developer_comments": null,
  "edit_url": "https://addons.mozilla.org/en-US/developers/addon/bitbucket-server-reviewers/edit",
  "guid": "{afbf9a79-a425-485a-95e6-6dfd813f27ff}",
  "has_eula": false,
  "has_privacy_policy": false,
  "homepage": null,
  "icon_url": "https://addons.cdn.mozilla.net/static/img/addon-icons/default-64.png",
  "is_disabled": false,
  "is_experimental": false,
  "is_featured": false,
  "is_source_public": true,
  "last_updated": "2017-11-09T12:30:12Z",
  "name": "Bitbucket Server Reviewers Groups",
  "previews": [],
  "public_stats": false,
  "ratings": {
    "bayesian_average": 3.28306,
    "count": 4,
    "average": 4,
    "text_count": 4
  },
  "requires_payment": false,
  "review_url": "https://addons.mozilla.org/en-US/reviewers/review/845907",
  "slug": "bitbucket-server-reviewers",
  "status": "public",
  "summary": "Allow to add group of reviewers for pull request in bitbucket server + other features",
  "support_email": "[email protected]",
  "support_url": "https://outgoing.prod.mozaws.net/v1/721ade76b052ec2bcb22a8fe65cfb6caea9613c1642d3f15c48d810bf2e98432/https%3A//github.com/dragouf/Stash-Reviewers-Chrome-Extension/issues",
  "tags": [
    "firefox57"
  ],
  "type": "extension",
  "url": "https://addons.mozilla.org/en-US/firefox/addon/bitbucket-server-reviewers/",
  "weekly_downloads": 2
}

Load the detail for that add-on:

curl 'https://addons.mozilla.org/api/v3/addons/addon/bitbucket-server-reviewers/?lang=en-US' -H "Content-Type: application/json"

What happened?

You get a 403 which is also not JSON:

<?xml version="1.0" encoding="utf-8" ?>
      <error>Not allowed</error>

What did you expect to happen?

Since it's a public add-on, it should not be a 403

Anything else we should know?

(Please include a link to the page, screenshots and any relevant files.)

Reported in https://github.com/mozilla/addons-frontend/issues/4071

api verified fixed triaged

Most helpful comment

Good catch! This is actually done by addons-server, sorry.

This is because of this:

url('^reviewers/', include('olympia.reviewers.urls')),

It's missing the ^ at the beginning (Same for editors, and pages/appversions/, though that's less of a problem there.

All 5 comments

The add-on's listing page is visible on the legacy front-end, and at a glance looks "normal" - it's Approved; visible; non-deleted; with a current Version that's Approved; enabled; non-deleted; with a single All Platforms File.

This is done by nginx. I bet this is somehow because the URL has "reviewers" in it...

This may not be done by nginx, because when bypassing nginx entirely and access the app locally, there is still a 403 error.

$ curl -I -H "content-type: application/json" -H "host: addons.mozilla.org" 'localhost:9000/api/v3/addons/addon/bitbucket-server-reviewers/?lang=en-US'
HTTP/1.1 403 FORBIDDEN
x-xss-protection: 1; mode=block
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://addons.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; default-src 'self'; frame-src 'self' https://www.google.com/recaptcha/; child-src 'self' https://www.google.com/recaptcha/; img-src 'self' data: blob: https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org; report-uri /__cspreport__
x-content-type-options: nosniff
ETag: "1a9bf500fe643d719bc92054df9b8685"
X-Frame-Options: DENY
Content-Type: text/xml

Good catch! This is actually done by addons-server, sorry.

This is because of this:

url('^reviewers/', include('olympia.reviewers.urls')),

It's missing the ^ at the beginning (Same for editors, and pages/appversions/, though that's less of a problem there.

Verified as fixed on AMO-dev with FF57 (Win10)
Scenarios tested:

Was this page helpful?
0 / 5 - 0 ratings