
yahoo-eng-team team mailing list archive

[Bug 1352907] Re: response of normal user update the "shared" property of network

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1352907

Title:
  response of normal user update the "shared" property of network

Status in OpenStack Neutron (virtual network service):
  Fix Released

Bug description:
  I used a normal user to create a network successfully, then I wanted to update the "shared" property of the network.
  It failed and responded with a 404 error. The message is: The resource could not be found. But I have created the network, so it is strange.

  I checked the policy.json of neutron. The rule is: "update_network:shared": "rule:admin_only", so the normal user can't update it.
  So the error information is wrong.

  Check the code:
      def update(self, request, id, body=None, **kwargs):
          """Updates the specified entity's attributes."""
          ......
          ......
          try:
              policy.enforce(request.context,
                             action,
                             orig_obj)
          except exceptions.PolicyNotAuthorized:
              # To avoid giving away information, pretend that it
              # doesn't exist
              msg = _('The resource could not be found.')
              raise webob.exc.HTTPNotFound(msg)

  I think we shouldn't provide wrong response information to avoid
  giving away information, and there isn't any information that we need
  to avoid giving away here, so I think it is a bug.

  I suggest modifying the code like this:
          try:
              policy.enforce(request.context,
                             action,
                             orig_obj)
          except exceptions.PolicyNotAuthorized:
              # To avoid giving away information, pretend that it
              # doesn't exist
              # msg = _('The resource could not be found.')
              raise webob.exc.HTTPForbidden(exceptions.PolicyNotAuthorized.message)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1352907/+subscriptions
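
The trade-off raised in this report, as an added example that is not part of the bug report and is not Neutron's code: answer 403 when the caller is allowed to read the resource anyway, and keep the 404 only where a 403 would confirm that a hidden resource exists. The policy table, Context, enforce and update_network below are hypothetical stand-ins, and the sample data is constructed.

```python
# Added illustration; not Neutron code. All names below are hypothetical.
from dataclasses import dataclass

# Constructed policy table, modelled on the rule quoted in the report.
POLICY = {
    "get_network": "admin_or_owner",
    "update_network": "admin_or_owner",
    "update_network:shared": "admin_only",
}

@dataclass
class Context:
    tenant_id: str
    is_admin: bool = False

class PolicyNotAuthorized(Exception):
    def __init__(self, action):
        super().__init__("Policy doesn't allow %s to be performed." % action)

def enforce(ctx, action, target):
    """Raise PolicyNotAuthorized unless ctx satisfies the rule for action."""
    rule = POLICY[action]
    owner = ctx.tenant_id == target["tenant_id"]
    if ctx.is_admin or (rule == "admin_or_owner" and owner):
        return
    raise PolicyNotAuthorized(action)

def update_network(ctx, network, body):
    """Return (status, message) for an update request on `network`."""
    # Check the base action, then any per-attribute rule the body touches.
    actions = ["update_network"] + [
        "update_network:%s" % k for k in sorted(body)
        if "update_network:%s" % k in POLICY]
    try:
        for action in actions:
            enforce(ctx, action, network)
    except PolicyNotAuthorized as exc:
        try:
            # Caller may read the resource, so its existence is no secret.
            enforce(ctx, "get_network", network)
        except PolicyNotAuthorized:
            return 404, "The resource could not be found."
        return 403, str(exc)
    network.update(body)
    return 200, "updated"
```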

