
Security for API Access


#1

I was just wondering: if the API is enabled to work with a test automation tool, can anyone with a valid account interact with it? Is there any way to control who has the permission to write scripts that “get” or “push” test results?

If not, what are the risks that this could affect performance or cause any other damage? Are they basically limited to their global role? Can testers push results, or does the user need to be a lead?

We are on a self-hosted server running on HTTPS using version 3.1.1.3130. We are also behind a proxy that receives the HTTPS requests on port 443 and then forwards the requests to the TestRail server running Apache but listening on port 80 via HTTP. This is required as the Apache server receiving the HTTPS traffic sits in a different zone taking external traffic, then forwards it through a firewall to where the app and db servers reside.


#2

Hello Amorin,

When you enable API access, every user would be able to authenticate with and use the API, similar to most other applications such as JIRA. The user access would still be subject to the user permissions. Please note that this wouldn’t really have any security implications, as the user would theoretically already be able to automatically access data or post changes in an automated way using the normal login session (e.g. by automating the browser or using a normal HTTP library). The API just makes this more convenient. The user would be able to do everything via the API that he or she is allowed to do via the UI. So a tester needs to be able to add test results in order to use the relevant API methods.

Regarding your Apache/proxy setup: we usually recommend using direct access to the web server via HTTPS without using a reverse proxy. If you are using such a setup, it’s important that the reverse proxy doesn’t change TestRail’s HTML code or other resources.

Thanks,
Dennis
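One way to confirm for a specific account that its API rights really mirror its UI role, as an added example that is not TestRail's own code: it probes the two calls the question asks about (getting and pushing results) and reports where the observed outcome differs from what the role should allow. It assumes TestRail API v2 paths of the form `index.php?/api/v2/<method>` with HTTP Basic auth, treats HTTP 403 as a permission refusal, and uses placeholder URL, credentials and test id.

```python
"""Audit whether a TestRail account's API rights match its intended role."""
import base64
import json
from urllib import request, error

# Constructed placeholders; replace with the real instance and the account to audit.
BASE_URL = "https://testrail.example.internal/index.php?/api/v2/"
USER = "tester@example.internal"
API_KEY = "PLACEHOLDER-API-KEY"
TEST_ID = 1  # placeholder id of a test the account can see

def http_send(method, verb, payload=None, user=USER, key=API_KEY):
    """Send one API v2 call with HTTP Basic auth; return (status, body)."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = request.Request(BASE_URL + method, data=data, method=verb)
    token = base64.b64encode(f"{user}:{key}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:  # 401/403 arrive as exceptions
        return e.code, e.read().decode()

# Each probe: label, API method, verb, payload, expected to be allowed?
# Status 4 is "Retest" in a default TestRail install; the comment marks the audit.
PROBES = [
    ("read results", f"get_results/{TEST_ID}", "GET", None, True),
    ("push result", f"add_result/{TEST_ID}", "POST",
     {"status_id": 4, "comment": "permission audit"}, True),
]

def classify(status):
    """Map an HTTP status to an access outcome (assumes 403 = permission denied)."""
    return {200: "allowed", 401: "bad credentials", 403: "denied"}.get(
        status, f"http {status}")

def audit(send, probes):
    """Run the probes; return [(label, expected, observed)] for every disagreement."""
    mismatches = []
    for label, method, verb, payload, expect_allowed in probes:
        status, _ = send(method, verb, payload)
        observed = classify(status)
        expected = "allowed" if expect_allowed else "denied"
        if observed != expected:
            mismatches.append((label, expected, observed))
    return mismatches

if __name__ == "__main__":
    for label, expected, observed in audit(http_send, PROBES):
        print(f"{label}: expected {expected}, got {observed}")
```

Run it once per role you care about (a plain tester, a lead) against a throwaway test so the single pushed result does no harm; an empty report means the API enforces exactly what the UI does for that account.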