947315f090
At the moment, the share_network database API which the web API layer interacts with directly does not have any checking for project_id which means that a user has the ability to run operations against any other share_network if they have the ID. This patch implements the usage of project_only in the database query which ensures that administrators still have the behaviour of getting any share network they want, but users can only pull up those which are part of their context/authenticated project. This patch also adjusts a few other tests due to the fact that the existing tests would run a lot of inserts with a different project_id than the context, which is not allowed in this new API behaviour. Therefore, the instances that involved projects different than the context were converted to elevated ones. There was also an instance where they were being created with a project_id that did not match the fake context, therefore the context was adjusted accordingly as well. Closes-Bug: #1861485 Change-Id: Id67a939a475c4ac06d546b7e095bd10f1a6d2619
8 lines
272 B
YAML
8 lines
272 B
YAML
---
|
|
security:
|
|
- |
|
|
CVE-2020-9543: An issue with share network retrieval has been addressed
|
|
in the API by scoping unprivileged access to project only. Please see
|
|
`launchpad bug #1861485 <https://bugs.launchpad
|
|
.net/manila/+bug/1861485>`_ for more details.
|