There is a huge bug in the BioTrackTHC API in Washington (and NM, HI, IL). We’ve raised this issue with both the WSLCB and with BioTrack, and yet BioTrackTHC refuses to address the issue at all. Even worse, if you are affected by the bug, BioTrackTHC refuses to help.

Reproduction:

From the BioTrack API it’s possible to adjust user permissions, with a fairly granular set of permissions that includes user_add and user_modify. Using an “Administrative” level account it’s possible to lock yourself out by removing these permissions from your own administrative account! Of course, other (smarter) software prevents this from occurring by enforcing that at least one account retains full permissions (e.g. Google Apps, Microsoft Windows). What’s even worse for third-party integrators is that there is no method to determine which account has these permissions, so our software cannot work around the issue in BioTrash (a nickname folks in Washington have given to the software).

In the limited software that BioTrackTHC provides to the State this granularity is not visible, but the bug is still present; it just happens through a different UI. Simply sign in, then modify your own user to remove the ‘Admin’ privilege using the checkbox. Boom, you’ve locked yourself out, with no way to restore access.
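The two lockout paths above (removing user_add/user_modify through the API, or unchecking ‘Admin’ in the UI) are both prevented by the same invariant: no change may remove the last account that holds the administrative permissions. The following is an added example, not BioTrackTHC’s code or any real API; the class, method and permission names other than user_add and user_modify are assumptions, and the sample accounts are constructed. It also answers the integrator complaint about not being able to tell which accounts hold those permissions.

```python
"""Added example: enforce a "last administrator" invariant on permission changes.

This is illustrative code, not the BioTrackTHC API. The permission names
user_add and user_modify come from the post; everything else is assumed.
"""

# The permissions that must always be held by at least one account.
ADMIN_PERMS = frozenset({"user_add", "user_modify"})


class LockoutError(Exception):
    """Raised when a change would leave no account able to manage users."""


class PermissionStore:
    def __init__(self, users):
        # users: {username: iterable of permission names} (constructed sample data)
        self.users = {name: set(perms) for name, perms in users.items()}

    def holders_of(self, perm):
        """Accounts that currently hold `perm` (the lookup the post says is missing)."""
        return {name for name, perms in self.users.items() if perm in perms}

    def admin_accounts(self):
        """Accounts holding every administrative permission."""
        return {name for name, perms in self.users.items() if ADMIN_PERMS <= perms}

    def set_permissions(self, actor, target, new_perms):
        """Replace `target`'s permissions, refusing changes that would strand the system."""
        new_perms = set(new_perms)
        if actor not in self.users or "user_modify" not in self.users[actor]:
            raise PermissionError(f"{actor!r} may not modify users")
        if target not in self.users:
            raise KeyError(f"unknown user {target!r}")
        current = self.users[target]
        for perm in ADMIN_PERMS:
            being_removed = perm in current and perm not in new_perms
            # Refuse only if `target` is the sole remaining holder of `perm`.
            if being_removed and self.holders_of(perm) == {target}:
                raise LockoutError(
                    f"refusing to remove {perm!r} from {target!r}: no other account holds it"
                )
        self.users[target] = new_perms
        return set(new_perms)

    def set_admin(self, actor, target, is_admin):
        """The UI 'Admin' checkbox, expressed in terms of the same invariant."""
        current = self.users.get(target, set())
        new_perms = (current | ADMIN_PERMS) if is_admin else (current - ADMIN_PERMS)
        return self.set_permissions(actor, target, new_perms)


def demo():
    """Walk through the lockout scenario from the post; returns the final admin set."""
    store = PermissionStore({
        "alice": {"user_add", "user_modify", "inventory"},  # sole administrator
        "bob": {"inventory"},
    })
    try:
        store.set_admin("alice", "alice", False)  # the self-lockout from the post
    except LockoutError:
        pass  # blocked: alice is the last administrator
    store.set_admin("alice", "bob", True)          # promote a second admin first
    store.set_admin("alice", "alice", False)       # now permitted
    return store.admin_accounts()


if __name__ == "__main__":
    print(demo())  # {'bob'}
```

The check is deliberately per-permission rather than per-role: an account could keep user_add while losing user_modify, and the invariant still holds only if some other account retains each one.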

To add insult to injury, if you ask the LCB to fix the issue, they don’t have the proper control and must ask BioTrack. BioTrack’s response is basically: “too bad, it must be a bug in the third-party software”.

And the root cause of all this is that the BioTrack API is designed to require the same username and password as the human sign-in – a known “worst practice” of software design.

Of course, we’ve already observed that BioTrack doesn’t follow best practices, or fix their bugs.