When login_api::logout is called, or login_api::login is called again but failed, or succeeded but the new user has access to fewer API sets, ideally, we should clean up the API sets that the previous user registered but is no longer available.
However, the shared pointers to these objects are already saved elsewhere (in FC), so we are unable to clean up.
That means the API set IDs for the registered API sets are still accessible even if the new user should not have access to.
Bug Description
When
login_api::logoutis called, orlogin_api::loginis called again but failed, or succeeded but the new user has access to fewer API sets, ideally, we should clean up the API sets that the previous user registered but is no longer available.However, the shared pointers to these objects are already saved elsewhere (in FC), so we are unable to clean up.
That means the API set IDs for the registered API sets are still accessible even if the new user should not have access to.
https://github.com/bitshares/bitshares-core/blob/8c93d58d38db8debd8c39467169fa01ea147e1d3/libraries/app/api.cpp#L80-L83
https://github.com/bitshares/bitshares-core/blob/8c93d58d38db8debd8c39467169fa01ea147e1d3/libraries/app/api.cpp#L91-L93
Impacts Describe which portion(s) of BitShares Core may be impacted by this bug. Please tick at least one box.
Host Environment Please provide details about the host environment. Much of this information can be found running:
witness_node --version.CORE TEAM TASK LIST