Pass the actual target in flavor access policy
Currently if target is not passed in context.can(), it use defauls target which is context.user_id, context.project_id. These defaults target are not useful as it pass the context's user_id and project_id only which means we tell oslo policy to verify the context data with context data. This commit pass the actual target for flavor access policies which is empty dict for policy with system scoped and context project_id for GET which is system and project scoped. Partial implement blueprint policy-defaults-refresh Change-Id: I178d619d54d50c9a3d615879e40ab8359f4227b6
This commit is contained in:
parent
a40c694125
commit
c375b541a5
|
@ -63,7 +63,7 @@ class FlavorActionController(wsgi.Controller):
|
|||
@validation.schema(flavor_access.add_tenant_access)
|
||||
def _add_tenant_access(self, req, id, body):
|
||||
context = req.environ['nova.context']
|
||||
context.can(fa_policies.POLICY_ROOT % "add_tenant_access")
|
||||
context.can(fa_policies.POLICY_ROOT % "add_tenant_access", target={})
|
||||
|
||||
vals = body['addTenantAccess']
|
||||
tenant = vals['tenant']
|
||||
|
@ -89,7 +89,7 @@ class FlavorActionController(wsgi.Controller):
|
|||
def _remove_tenant_access(self, req, id, body):
|
||||
context = req.environ['nova.context']
|
||||
context.can(
|
||||
fa_policies.POLICY_ROOT % "remove_tenant_access")
|
||||
fa_policies.POLICY_ROOT % "remove_tenant_access", target={})
|
||||
|
||||
vals = body['removeTenantAccess']
|
||||
tenant = vals['tenant']
|
||||
|
|
Loading…
Reference in New Issue