WAVE-207

Private activity is broadcast to other users by WIAB authentication

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      What steps will reproduce the problem?
      1. Run a fresh WIAB server, no accounts.
      2. On one machine, create account A and log in.
      3. On machine B, go to the WIAB URL.

      EXPECTED: B's screen should be the login page.
      ACTUAL: Instead, it is the logged-in client of A, with A's user id in the status bar.

      This tells B the identity of the last user to log in on that machine. Fortunately, the search panel on B is blank, so it appears that wave content is not sent to B.

      @Joseph: any ideas?


      Issue imported from http://code.google.com/p/wave-protocol/issues/detail?id=206

      Owner: hearn...@google.com
      Cc: jose...@gmail.com
      Label: Type-Defect
      Label: Priority-Critical
      Stars: 1
      State: open
      Status: Accepted

        Activity

        Yuri Zelikov made changes -
        Field        Original Value   New Value
        Status       Open [ 1 ]       Closed [ 6 ]
        Resolution                    Cannot Reproduce [ 5 ]
        Ulrich Stärk added a comment -

        Comment 1 by hearn...@google.com:
        Actually, it's far worse than that. When I tried before it was probably some transient index-wave problem.

        B's screen does show A's set of waves, and B can open and view all of A's waves, with streaming updates.

        Attempts by B to edit the wave cause shinies.

        Label: -Priority-Medium

        Label: Priority-Critical


        Comment 2 by hearn...@google.com:

        Alex suggested this may be a proxy caching issue. Perhaps we need to double-check the headers to make sure that no authenticated page is cacheable?


        Comment 3 by jose...@gmail.com:
        Yeah, that's what I thought too. Worth checking out.


        Comment 4 by vega113:
        Strange, I couldn't replicate this issue. However, it is possible to view other people's waves by pasting the wave URL in the address bar.

        Anonymous created issue -
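
The header check suggested in Comment 2 can be done mechanically. The following is an added example, not part of the original issue or the WIAB code base: a simplified reading of the HTTP caching rules (RFC 9111) that classifies whether a shared cache such as a proxy is allowed to store a response. The paths and headers in SAMPLE_RESPONSES are constructed for illustration.

```python
"""Audit response headers for storability by a shared (proxy) cache."""

# Status codes a cache may store with no explicit freshness information.
HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument-or-None}; names lower-cased, quotes stripped."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name.strip():
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_verdict(status, headers):
    """Classify a response as 'blocked', 'revalidate', 'explicit' or 'heuristic'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "blocked"      # a shared cache must not store this response
    if "no-cache" in cc:
        return "revalidate"   # may be stored, but origin is asked before reuse
    if any(d in cc for d in ("s-maxage", "max-age", "public")) or "expires" in h:
        return "explicit"     # server supplied freshness, so storable
    if status in HEURISTIC_STATUSES:
        return "heuristic"    # no directives at all: the cache is allowed to guess
    return "blocked"

def audit(responses):
    """Return (path, verdict) for every response a shared cache may store."""
    return [(path, v) for path, status, headers in responses
            if (v := shared_cache_verdict(status, headers)) != "blocked"]

# Constructed sample: hypothetical paths standing in for pages served after login.
SAMPLE_RESPONSES = [
    ("/", 200, {"Content-Type": "text/html"}),
    ("/page-a", 200, {"Cache-Control": "no-cache, max-age=0"}),
    ("/page-b", 200, {"Cache-Control": "private, max-age=60"}),
    ("/page-c", 200, {"Cache-Control": "no-store", "Pragma": "no-cache"}),
    ("/redirect", 302, {"Location": "/"}),
    ("/static/app.js", 200, {"Cache-Control": 'public, max-age="86400"'}),
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_RESPONSES):
        print(f"{path}: shared cache may store ({verdict})")
```

For a page served to a logged-in user, any verdict other than "blocked" is a finding; a response that carries no caching headers at all falls into the "heuristic" case.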

          People

          • Assignee:
            Unassigned
            Reporter:
            Anonymous