Lance Bragstad 2d7bf10a5a Use app cred user ID in policy enforcement
The application credential policies use the `rule:owner` policy to allow
users to manage their own credentials. The policy engine pulled the
user_id attribute from the request path instead of the actual
application credential. This allowed for users to exploit the
enforcement and view or delete application credentials they don't own.

This commit attempts to resolve the issue by updating the flask
parameters before they're translated to policy arguments and target
data, prior to policy enforcement.

Change-Id: I903d20fa41270499ca1c39d296120dd97cef5405
Closes-Bug: 1901207
2020-11-11 11:01:20 -06:00