yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #19981
[Bug 1352907] Re: response of normal user update the "shared" property of network
** Changed in: neutron
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1352907
Title:
response of normal user update the "shared" property of network
Status in OpenStack Neutron (virtual network service):
Fix Released
Bug description:
I used a normal user to create a network successfully,then I wanted to update the "shared" property of the network.
It failed,and response 404 erorr,the message is :The resource could not be found.But I have created the network,it is so strange.
I check the policy.json of neutron, the rule is: "update_network:shared": "rule:admin_only", so the normal user can't update it.
So the error information is wrong.
Check the code:
def update(self, request, id, body=None, **kwargs):
"""Updates the specified entity's attributes."""
......
......
try:
policy.enforce(request.context,
action,
orig_obj)
except exceptions.PolicyNotAuthorized:
# To avoid giving away information, pretend that it
# doesn't exist
msg = _('The resource could not be found.')
raise webob.exc.HTTPNotFound(msg)
I think we couldn't provide the wrong response information to avoid
giving away information,and there isn't any information that need to
avoid giving away here, So I think it is a bug.
I suggest to modify the code like this:
try:
policy.enforce(request.context,
action,
orig_obj)
except exceptions.PolicyNotAuthorized:
# To avoid giving away information, pretend that it
# doesn't exist
# msg = _('The resource could not be found.')
raise webob.exc.HTTPForbidden(exceptions.PolicyNotAuthorized.message)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1352907/+subscriptions
References
