7391070474
Generally, we have to pass target object to ``authorize`` when enforce policy check, but this is ignored during our develop and review process for a long time, and the potential issue is anyone can handle the target resource as ``authorize`` will always succeed if rule is defined ``admin_or_owner`` [1]. Luckily, for most of those APIs this security concern is protected by our database access code [2] that only project scope resource is allowed. However, there is one API that do have security issue when administrator change the rule into "admin_or_owner". 1. "volume reset_status", which cinder will update the resource directly in the database, procedure to reproduce bug is described on the launchpad. This patch intends to correct most of cases which can be easily figured out in case of future code changes. [1]: |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| api.py | ||