snap download does not allow store viewers to download essential snaps per revision
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snap Store Server | Fix Released | Medium | Natalia Bidart |
snapd | Confirmed | Low | Unassigned |
Bug Description
We got a customer report saying that they couldn't access snapd revision 13640 by using a command like this one:
UBUNTU_
A few months ago, we changed the store ACLs so store viewers could access any previously released revision for any snap available in their store. This change was introduced because when brand store users build their images, they usually need a specific revision of some snaps which is usually the latest revision they have validated, which is in most cases not a currently released one (but certainly was released some time in the past).
This report from the customer showed that we had a bug in our logic, since snapd wasn't allowed to be downloaded. I investigated further and the snap store ACL API endpoint was returning "false" for "allowed_
{
"user_
"permissions": {
}
}
}
Checking deep in our backend code, the checks need to consider essential snaps as part of any store (so far they only check among all the snaps that are showing in a store the user has viewer role in).
Separately, the help for `snap download` should be extended to say that any user with store viewer role can access snaps by revision if the snap is available from their store:
--revision= Download the given revision of a snap, to which you must have developer access
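The gap described in this report, as an added illustration that is not the store's backend code: a minimal model of the viewer check before and after essential snaps are treated as part of every store. All names and data (`Store`, `ESSENTIAL_SNAPS`, the `acme-brand` store, the user `alice`) are hypothetical; only snapd and revision 13640 come from the report.

```python
from dataclasses import dataclass, field

# Hypothetical model; none of these names come from the store's code base.
ESSENTIAL_SNAPS = {"snapd"}  # assumption: only the snap named in the report


@dataclass
class Store:
    name: str
    snaps: set                      # snap names listed in this store
    viewers: set = field(default_factory=set)


# Constructed sample data: revisions released to a channel at some point.
# 13640 is the revision from the report; the other numbers are made up.
RELEASED = {"snapd": {13170, 13640}, "acme-gadget": {7, 9}}
STORES = [Store("acme-brand", {"acme-gadget"}, {"alice"})]


def viewer_stores(user):
    """Stores in which the user holds the viewer role."""
    return [s for s in STORES if user in s.viewers]


def allowed_before_fix(user, snap, revision):
    """Only snaps listed in a store the user views are considered."""
    in_store = any(snap in s.snaps for s in viewer_stores(user))
    return in_store and revision in RELEASED.get(snap, set())


def allowed_after_fix(user, snap, revision):
    """Essential snaps count as part of every store the user views."""
    in_store = any(
        snap in s.snaps or snap in ESSENTIAL_SNAPS
        for s in viewer_stores(user)
    )
    # The revision must still have been released at some point, and a
    # user with no viewer role anywhere gets nothing extra.
    return in_store and revision in RELEASED.get(snap, set())


if __name__ == "__main__":
    for check in (allowed_before_fix, allowed_after_fix):
        print(check.__name__, check("alice", "snapd", 13640))
```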
Changed in snapstore-server: | |
status: | New → Triaged |
importance: | Undecided → Medium |
description: | updated |
Changed in snapstore-server: | |
assignee: | nobody → Natalia Bidart (nataliabidart) |
status: | Triaged → In Progress |
Changed in snapstore-server: | |
status: | In Progress → Fix Released |
If the specified account is not a collaborator on the snapd snap, why should they be able to download any arbitrary revision of the snapd snap? I think this is by design that they cannot access any arbitrary revision of a snap, even if that snap is included in their brand store.