Pass the actual target in tenant networks policy
Currently, if a target is not passed to context.can(), it uses the default target, which is context.user_id and context.project_id. This default target is not useful because it passes only the context's user_id and project_id, which means we tell oslo policy to verify the context data against the context data. This commit passes the actual target for the tenant networks policies, which is context.project_id itself, as nova cannot verify the owner of a network. Neutron will return an authorization error if the requester is not the owner of the network. Partial implement blueprint policy-defaults-refresh-deprecated-apis Change-Id: I1efb4aec986cee3ab65aa80559e57b2a407ca444
parent
cade031eb3
commit
3423d44c5e
|
@ -71,7 +71,8 @@ class TenantNetworkController(wsgi.Controller):
|
|||
@wsgi.expected_errors(())
|
||||
def index(self, req):
|
||||
context = req.environ['nova.context']
|
||||
context.can(tn_policies.POLICY_NAME % 'list')
|
||||
context.can(tn_policies.POLICY_NAME % 'list',
|
||||
target={'project_id': context.project_id})
|
||||
networks = list(self.network_api.get_all(context))
|
||||
if not self._default_networks:
|
||||
self._refresh_default_networks()
|
||||
|
@ -82,7 +83,8 @@ class TenantNetworkController(wsgi.Controller):
|
|||
@wsgi.expected_errors(404)
|
||||
def show(self, req, id):
|
||||
context = req.environ['nova.context']
|
||||
context.can(tn_policies.POLICY_NAME % 'show')
|
||||
context.can(tn_policies.POLICY_NAME % 'show',
|
||||
target={'project_id': context.project_id})
|
||||
try:
|
||||
network = self.network_api.get(context, id)
|
||||
except exception.NetworkNotFound:
|
||||
|
|