[Secure RBAC] Fix policy to get flavors
Flavors are resources which don't have an owner and should be able to be listed/shown by any user with the READER role. This patch fixes the policy for the "get_flavor" action to match this requirement. Additionally, it removes the "project_id" field from the target object in the flavor policy unit tests. Closes-Bug: #2004017 Change-Id: I254e88f7c32343034f4799b63b1088c3f966d7a6
parent
06e2e22d31
commit
1c27d8b5b4
@ -47,7 +47,11 @@ rules = [
|
||||
),
|
||||
policy.DocumentedRuleDefault(
|
||||
name='get_flavor',
|
||||
check_str=base.ADMIN_OR_PROJECT_READER,
|
||||
# NOTE: it can't be ADMIN_OR_PROJECT_READER constant from the base
|
||||
# module because that is using "project_id" in the check string and the
|
||||
# service_provider resource don't belongs to any project thus such
|
||||
# check string would fail enforcement.
|
||||
check_str='role:reader',
|
||||
description='Get a flavor',
|
||||
operations=[
|
||||
{
|
||||
|
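Review bot: The NOTE added above `check_str='role:reader'` refers to "the service_provider resource", but this rule is `get_flavor`, so the comment appears to have been copied from another policy file and names the wrong resource. I would reword it along the lines of `# NOTE: flavors don't belong to any project, so a check string that uses "project_id" would fail enforcement.` Since `role:reader` has no project or ownership condition, it is also worth stating in the comment that any reader-role token passes this rule by design. The rest of the `DocumentedRuleDefault` call (any `scope_types` or `deprecated_rule`) lies outside the hunk, so confirm there that the effective check is no broader than intended.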
@ -23,7 +23,7 @@ class FlavorAPITestCase(base.PolicyBaseTestCase):
|
||||
|
||||
def setUp(self):
|
||||
super(FlavorAPITestCase, self).setUp()
|
||||
self.target = {'project_id': self.project_id}
|
||||
self.target = {}
|
||||
|
||||
|
||||
class SystemAdminTests(FlavorAPITestCase):
|
||||
|
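Review bot: The new `self.target = {}` in `setUp` has no comment saying why the target is empty, and a later reader may put `project_id` back on the assumption that it was dropped by mistake. A one-line comment such as `# Flavors have no owner, so the policy target carries no project_id.` would record the intent. The test classes that use this target start after the hunk. It is therefore not visible whether they still assert that a context without the reader role is denied `get_flavor`, and that negative case is the one worth keeping now that the rule is a bare role check.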