5d0853567f
Currently, project authorization check in _verify_query_segregation only checks query field 'project_id', so normal user can pass the check with query field 'project'. And the check also checks query operator, which seems not right, because user will get 401 when project is his own but with wrong operator, 400 wrong operator can be more precise. This patch adds project field check and remove the operator check which can be done in _validate_query. Change-Id: I82439e4c02afd04d26ab5d419ef67bde1f4aa1ca Closes-Bug: #1322111 |
||
|---|---|---|
| .. | ||
| controllers | ||
| __init__.py | ||
| acl.py | ||
| app.py | ||
| app.wsgi | ||
| config.py | ||
| hooks.py | ||
| middleware.py | ||