mozilla / addons

☂ Umbrella repository for Mozilla Addons ✨

Search API returns an add-on result that leads to a 403 #5104

Closed kumar303 closed 6 years ago

kumar303 commented 6 years ago

Describe the problem and steps to reproduce it:

(Please include as many details as possible.)

Search for "bitbucket":

curl 'https://addons.mozilla.org/api/v3/addons/search/?app=firefox&appversion=59.0&platform=mac&q=bitbucket&lang=en-US' | jq '.results[0]'
```json
{
  "id": 845907,
  "authors": [
    {
      "id": 13215875,
      "name": "Pavel V",
      "url": "https://addons.mozilla.org/en-US/firefox/user/corkscreewe/",
      "username": "corkscreewe"
    }
  ],
  "average_daily_users": 22,
  "categories": {
    "android": ["user-interface"],
    "firefox": ["other"]
  },
  "contributions_url": null,
  "current_beta_version": null,
  "current_version": {
    "id": 2223971,
    "compatibility": {
      "android": {"max": "*", "min": "48.0"},
      "firefox": {"max": "*", "min": "48.0"}
    },
    "edit_url": "https://addons.mozilla.org/en-US/developers/addon/bitbucket-server-reviewers/versions/2223971",
    "files": [
      {
        "id": 765172,
        "created": "2017-11-09T12:23:31Z",
        "hash": "sha256:04dc9685f3a85fdb65be273447c819691674f0e2526c2517875d13780c450dde",
        "is_restart_required": false,
        "is_webextension": true,
        "is_mozilla_signed_extension": false,
        "platform": "all",
        "size": 200734,
        "status": "public",
        "url": "https://addons.mozilla.org/firefox/downloads/file/765172/bitbucket_server_reviewers_groups-2.2.12-an+fx.xpi?src=",
        "permissions": ["storage", "alarms", "tabs", "http://*/*", "https://*/*", ""]
      }
    ],
    "is_strict_compatibility_enabled": false,
    "reviewed": null,
    "url": "https://addons.mozilla.org/en-US/firefox/addon/bitbucket-server-reviewers/versions/2.2.12",
    "version": "2.2.12"
  },
  "default_locale": "en-US",
  "description": null,
  "developer_comments": null,
  "edit_url": "https://addons.mozilla.org/en-US/developers/addon/bitbucket-server-reviewers/edit",
  "guid": "{afbf9a79-a425-485a-95e6-6dfd813f27ff}",
  "has_eula": false,
  "has_privacy_policy": false,
  "homepage": null,
  "icon_url": "https://addons.cdn.mozilla.net/static/img/addon-icons/default-64.png",
  "is_disabled": false,
  "is_experimental": false,
  "is_featured": false,
  "is_source_public": true,
  "last_updated": "2017-11-09T12:30:12Z",
  "name": "Bitbucket Server Reviewers Groups",
  "previews": [],
  "public_stats": false,
  "ratings": {"bayesian_average": 3.28306, "count": 4, "average": 4, "text_count": 4},
  "requires_payment": false,
  "review_url": "https://addons.mozilla.org/en-US/reviewers/review/845907",
  "slug": "bitbucket-server-reviewers",
  "status": "public",
  "summary": "Allow to add group of reviewers for pull request in bitbucket server + other features",
  "support_email": "corkscreewe@gmail.com",
  "support_url": "https://outgoing.prod.mozaws.net/v1/721ade76b052ec2bcb22a8fe65cfb6caea9613c1642d3f15c48d810bf2e98432/https%3A//github.com/dragouf/Stash-Reviewers-Chrome-Extension/issues",
  "tags": ["firefox57"],
  "type": "extension",
  "url": "https://addons.mozilla.org/en-US/firefox/addon/bitbucket-server-reviewers/",
  "weekly_downloads": 2
}
```

Load the detail for that add-on:

curl 'https://addons.mozilla.org/api/v3/addons/addon/bitbucket-server-reviewers/?lang=en-US' -H "Content-Type: application/json"

What happened?

You get a 403 which is also not JSON:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<error>Not allowed</error>
```

What did you expect to happen?

Since it's a public add-on, it should not be a 403

Anything else we should know?

(Please include a link to the page, screenshots and any relevant files.)

Reported in https://github.com/mozilla/addons/issues/11277

eviljeff commented 6 years ago

The add-on's listing page is visible on the legacy front-end, and at a glance looks "normal" - it's Approved; visible; non-deleted; with a current Version that's Approved; enabled; non-deleted; with a single All Platforms File.

diox commented 6 years ago

This is done by nginx. I bet this is somehow because the URL has "reviewers" in it...

bqbn commented 6 years ago

This may not be done by nginx, because when bypassing nginx entirely and accessing the app locally, there is still a 403 error.

$ curl -I -H "content-type: application/json" -H "host: addons.mozilla.org" 'localhost:9000/api/v3/addons/addon/bitbucket-server-reviewers/?lang=en-US'
HTTP/1.1 403 FORBIDDEN
x-xss-protection: 1; mode=block
Content-Security-Policy: script-src https://ssl.google-analytics.com/ga.js https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://addons.cdn.mozilla.net; style-src 'self' 'unsafe-inline' https://addons.cdn.mozilla.net; default-src 'self'; frame-src 'self' https://www.google.com/recaptcha/; child-src 'self' https://www.google.com/recaptcha/; img-src 'self' data: blob: https://ssl.google-analytics.com https://addons.cdn.mozilla.net https://static.addons.mozilla.net https://sentry.prod.mozaws.net; media-src https://videos.cdn.mozilla.net; object-src 'none'; connect-src 'self' https://sentry.prod.mozaws.net; font-src 'self' https://addons.cdn.mozilla.net; form-action 'self' https://developer.mozilla.org; base-uri 'self' https://addons.mozilla.org; report-uri /__cspreport__
x-content-type-options: nosniff
ETag: "1a9bf500fe643d719bc92054df9b8685"
X-Frame-Options: DENY
Content-Type: text/xml

diox commented 6 years ago

Good catch! This is actually done by addons-server, sorry.

This is because of this:

url('^reviewers/', include('olympia.reviewers.urls')),

It's missing the ^ at the beginning (same for editors, and pages/appversions/, though that's less of a problem there).

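The mechanism behind diox's diagnosis, as an added illustration that is not code from addons-server: Django's URL resolver matches each regex pattern against the request path with `search()` rather than a full-string match, and dispatches to the first pattern that matches. A pattern without a leading `^` therefore fires on any path that merely contains its text, so the permission-gated reviewers include captures the public API path whose slug ends in `reviewers/`. The pattern strings, their ordering (reviewers include listed before the API include, which is what the reported 403 implies) and the helper names below are assumptions for the example.

```python
import re

# Minimal stand-in for Django's regex URL resolver (RegexURLPattern in 1.x,
# RegexPattern in 2.x): the resolver calls regex.search(path) and takes the
# first pattern that matches. Constructed for this example.
def resolve(urlpatterns, path):
    """Return the name of the first pattern whose regex search()-matches path.

    `urlpatterns` is a list of (regex, name) pairs; `path` has the leading '/'
    already removed, as Django does before matching.
    """
    for regex, name in urlpatterns:
        if re.search(regex, path):
            return name
    return None


# Assumed route table modelled on the comment above, not addons-server's urls.py.
URLPATTERNS_BEFORE_FIX = [
    ("reviewers/", "reviewers"),   # no ^ anchor: matches anywhere in the path
    ("^api/", "api"),
]

URLPATTERNS_AFTER_FIX = [
    ("^reviewers/", "reviewers"),  # anchored: only paths that start here
    ("^api/", "api"),
]

# The public add-on from the report; its slug happens to end in "reviewers/".
PUBLIC_ADDON_DETAIL = "api/v3/addons/addon/bitbucket-server-reviewers/"
# A genuine reviewer-tools path, which must still route to the reviewers app.
REVIEWER_PAGE = "reviewers/review/845907"


def unanchored_patterns(urlpatterns):
    """Lint check (assumed helper): regexes that do not begin with ^ or \\A.

    Run this over a project's top-level urlpatterns in a unit test so an
    unanchored include cannot silently shadow other routes again.
    """
    return [regex for regex, _ in urlpatterns
            if not regex.startswith(("^", r"\A"))]


if __name__ == "__main__":
    print(resolve(URLPATTERNS_BEFORE_FIX, PUBLIC_ADDON_DETAIL))  # reviewers
    print(resolve(URLPATTERNS_AFTER_FIX, PUBLIC_ADDON_DETAIL))   # api
    print(unanchored_patterns(URLPATTERNS_BEFORE_FIX))           # ['reviewers/']
```

With the anchor in place the API path falls through to the `^api/` pattern and the reviewer page still resolves to the reviewers app. On Django 2.0 and later, `path('reviewers/', include(...))` avoids the problem by construction, since route strings are compiled to anchored regexes; `url()`/`re_path()` patterns remain the developer's responsibility, which is what the lint check above is for.
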
AlexandraMoga commented 6 years ago

Verified as fixed on AMO-dev with FF57 (Win10). Scenarios tested: