diff --git a/manila/share/api.py b/manila/share/api.py
index 594aeeda1b..7329f19ff1 100644
--- a/manila/share/api.py
+++ b/manila/share/api.py
@@ -1746,7 +1746,10 @@ class API(base.Base):
 def get(self, context, share_id):
 rv = self.db.share_get(context, share_id)
 if not rv['is_public']:
- policy.check_policy(context, 'share', 'get', rv)
+ authorized = policy.check_policy(
+ context, 'share', 'get', rv, do_raise=False)
+ if not authorized:
+ raise exception.NotFound()
 return rv

 def get_all(self, context, search_opts=None, sort_key='created_at',
diff --git a/manila/tests/api/v2/test_share_accesses.py b/manila/tests/api/v2/test_share_accesses.py
index 2f3aa33baf..ab0586a9ee 100644
--- a/manila/tests/api/v2/test_share_accesses.py
+++ b/manila/tests/api/v2/test_share_accesses.py
@@ -137,7 +137,7 @@ class ShareAccessesAPITest(test.TestCase):
 mock.call(req.environ['manila.context'],
 'share', 'access_get'),
 mock.call(req.environ['manila.context'],
- 'share', 'get', mock.ANY)])
+ 'share', 'get', mock.ANY, do_raise=False)])
 policy_check_call_args_list = policy.check_policy.call_args_list[2][0]
 share_being_checked = policy_check_call_args_list[3]
 self.assertEqual('c3c5ec1ccc4640d0af1914cbf11f05ad',
diff --git a/manila/tests/api/v2/test_share_instances.py b/manila/tests/api/v2/test_share_instances.py
index 3462944280..29e02bf291 100644
--- a/manila/tests/api/v2/test_share_instances.py
+++ b/manila/tests/api/v2/test_share_instances.py
@@ -185,7 +185,7 @@ class ShareInstancesAPITest(test.TestCase):
 req = self._get_request('fake', version=version)
 req_context = req.environ['manila.context']
 share_policy_check_call = mock.call(
- req_context, 'share', 'get', mock.ANY)
+ req_context, 'share', 'get', mock.ANY, do_raise=False)
 get_instances_policy_check_call = mock.call(
 req_context, 'share_instance', 'index')

diff --git a/manila/tests/share/test_api.py b/manila/tests/share/test_api.py
index 667fc3f1e3..816c959513 100644
--- a/manila/tests/share/test_api.py
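Review bot: The new `raise exception.NotFound()` in `API.get` (manila/share/api.py) only hides the existence of a private share if its response is indistinguishable from the one produced when `self.db.share_get` is given an unknown id; that lookup's error path is outside this hunk, so confirm both cases yield the same exception class and message. The branch would also benefit from a why-comment such as `# 404 rather than 403: do not reveal that another project's private share exists`. Because `do_raise=False` means the denial no longer surfaces as a policy exception, callers that previously caught the authorization error from `get` should be checked, and it is worth confirming that denied attempts are still logged for audit.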
+++ b/manila/tests/share/test_api.py
@@ -2478,10 +2478,29 @@ class ShareAPITestCase(test.TestCase):
 result = self.api.get(self.context, 'fakeid')
 self.assertEqual(share, result)
 share_api.policy.check_policy.assert_called_once_with(
- self.context, 'share', 'get', share)
+ self.context, 'share', 'get', share, do_raise=False)
 db_api.share_get.assert_called_once_with(
 self.context, 'fakeid')

+ def test_get_not_authorized(self):
+ share = db_utils.create_share(
+ is_public=False,
+ project_id='5db325fc4de14fe1a860ff69f190c78c')
+ share_api.policy.check_policy.return_value = False
+ ctx = context.RequestContext('df6d65cc1f8946ba86be06b8140ec4b3',
+ 'e8133457b853436591a7e4610e7ce679',
+ is_admin=False)
+ with mock.patch.object(db_api, 'share_get',
+ mock.Mock(return_value=share)):
+
+ self.assertRaises(exception.NotFound,
+ self.api.get,
+ ctx,
+ share['id'])
+ share_api.policy.check_policy.assert_called_once_with(
+ ctx, 'share', 'get', share, do_raise=False)
+ db_api.share_get.assert_called_once_with(ctx, share['id'])
+
 @mock.patch.object(db_api, 'share_snapshot_get_all_by_project',
 mock.Mock())
 def test_get_all_snapshots_admin_not_all_tenants(self):
diff --git a/releasenotes/notes/bug-1901210-return-404-if-share-access-forbidden-02ca9a9552ad3e15.yaml b/releasenotes/notes/bug-1901210-return-404-if-share-access-forbidden-02ca9a9552ad3e15.yaml
new file mode 100644
index 0000000000..80f72c7916
--- /dev/null
+++ b/releasenotes/notes/bug-1901210-return-404-if-share-access-forbidden-02ca9a9552ad3e15.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ The GET /shares/{share_id} API now responds with HTTP 404 (Not Found)
+ for inaccessible resources. See `bug 1901210
+ `_ for further information.
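Review bot: `test_get_not_authorized` in manila/tests/share/test_api.py pins only the exception class, and `assertRaises(exception.NotFound, ...)` also accepts any subclass, so the test would still pass if the denied path later produced a response that differs from the missing-share case. Consider asserting that the raised exception matches what the db layer raises for an unknown id, and, if not already covered elsewhere in the file, adding a case with `is_public=True` to show that the same non-owner context gets the share without a policy check. The method needs a one-line docstring such as `"""A denied policy check on a private share is reported as NotFound."""`, and the empty line directly after the `with mock.patch.object(...)` header can be dropped.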