Enforce policy checks getting share-type by name
Policy checks are skipped when looking up a share-type
by name. This causes share creation attempts that specify
a valid share-type to pass the early API check on share type
even if the share type named is private and not shared with
the user's project. The share creation fails later, but after
the database record for the share is created. Although the
operation fails with an ERROR, the share is stuck in CREATING
state.
Fix this issue by checking the user's project in the database
API just as we do for share type lookups by uuid.
Closes-bug: #1885956
Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b
(cherry picked from commit f877deed51
)
This commit is contained in:
parent
2dbdace661
commit
e02cc6d6bc
|
@ -364,7 +364,8 @@ class ShareMixin(object):
|
||||||
else:
|
else:
|
||||||
share_type = share_types.get_share_type(
|
share_type = share_types.get_share_type(
|
||||||
context, req_share_type)
|
context, req_share_type)
|
||||||
except exception.ShareTypeNotFound:
|
except (exception.ShareTypeNotFound,
|
||||||
|
exception.ShareTypeNotFoundByName):
|
||||||
msg = _("Share type not found.")
|
msg = _("Share type not found.")
|
||||||
raise exc.HTTPNotFound(explanation=msg)
|
raise exc.HTTPNotFound(explanation=msg)
|
||||||
elif not snapshot:
|
elif not snapshot:
|
||||||
|
|
|
@ -4233,8 +4233,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):
|
||||||
|
|
||||||
|
|
||||||
def _share_type_get_by_name(context, name, session=None):
|
def _share_type_get_by_name(context, name, session=None):
|
||||||
result = (model_query(context, models.ShareTypes, session=session).
|
result = (_share_type_get_query(context, session=session).
|
||||||
options(joinedload('extra_specs')).
|
|
||||||
filter_by(name=name).
|
filter_by(name=name).
|
||||||
first())
|
first())
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixed `launchpad bug #1885956 <https://bugs.launchpad.net/manila/+bug/1885956>`_
|
||||||
|
by ensuring that policy checks are enforced when looking up a share-type
|
||||||
|
by name. This prevents a problem where shares could be stuck in CREATING
|
||||||
|
status when a user attempts to create a share using the name of a private
|
||||||
|
share-type to which the user lacks access.
|
Loading…
Reference in New Issue