ac2631ae33
This change hides the AccountLocked exception from being returned to the end user to hide sensitive information that a potential malicious person could gain insight from. The notification handler catches the AccountLocked exception as before, but after sending the audit notification, it instead bubbles up Unauthorized rather than AccountLocked. Co-Authored-By: Samuel de Medeiros Queiroz <samueldmq@gmail.com> Change-Id: Id51241989b22c52810391f3e8e1cadbf8613d873 Related-Bug: #1688137
9 lines
354 B
YAML
9 lines
354 B
YAML
---
|
|
fixes:
|
|
- |
|
|
[`bug 1688137 <https://bugs.launchpad.net/keystone/+bug/1688137>`_]
|
|
Fixed the AccountLocked exception being shown to the end user since
|
|
it provides some information that could be exploited by a
|
|
malicious user. The end user will now see Unauthorized instead of
|
|
AccountLocked, preventing user info oracle exploitation.
|