4398c11a5f
In the backports to fix the policy of the original change, Dmitry noted that it was actually wrong, because we should have instead raised NotAuthorized.

Dmitry was absolutely correct, because in hindsight I made the change trying to keep exactly the same behavior, but the reality is this is a case where we should be explicit, and tell the user they have done something forbidden.

This revert of the revert fixes that change.

Original Change: https://review.opendev.org/c/openstack/ironic/+/905038
Dmitry's Review Feedback: https://review.opendev.org/c/openstack/ironic/+/905088
Change-Id: I5727df00b8c4ae9495ed14b5cea1c0734b5f688d
9 lines
330 B
YAML
---
fixes:
  - |
    Fixes an issue when listing allocations as a project scoped user when
    the legacy RBAC policies have been disabled which forced an HTTP 406
    error being erroneously raised. Users attempting to list allocations
    with a specific owner, different from their own, will now receive
    an HTTP 403 error.