
yahoo-eng-team team mailing list archive

[Bug 1741051] Re: Views accessible via url even if user doesn't match policy rules

 

Reviewed:  https://review.openstack.org/530928
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=3f585d3b1efca1b2379d6c0a80246fd6e5a87640
Submitter: Zuul
Branch:    master

commit 3f585d3b1efca1b2379d6c0a80246fd6e5a87640
Author: David Gutman <david.gutman@xxxxxxxxxxxxxxx>
Date:   Wed Jan 3 14:25:46 2018 +0100

    Views accessible via url even if user doesn't match policy rules
    
    When a user doesn't match the policy rules of a panel, the panel tab
    is removed from the menu on the left, but panel views are still
    accessible directly via the URL (e.g. /admin/flavors/).
    
    In most cases, views won't work correctly because of the lack of
    rights in the backend, but it may cause trouble when you play with
    policies.
    
    I think it could be more elegant to directly return a "You are not
    authorized to access this page" from the frontend when a user tries to
    access a view of a panel (via URL) without matching the policy rules.
    
    Change-Id: I7bc93fed29568adfc14d5bcadfc8728d3b5cf633
    Closes-Bug: #1741051


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1741051

Title:
  Views accessible via url even if user doesn't match policy rules

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  When a user doesn't match the policy rules of a panel, the panel
  tab is removed from the menu on the left, but panel views are still
  accessible directly via the URL (e.g. /admin/flavors/).

  In most cases, views won't work correctly because of the lack of
  rights in the backend, but it may cause trouble when you play with
  policies.

  I think it could be more elegant to directly return a "You are not
  authorized to access this page" from the frontend when a user tries to
  access a view of a panel (via URL) without matching the policy rules.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1741051/+subscriptions
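
The gap described in this report, a panel hidden from the menu while its views still answer a direct URL, can be shown in a small framework-free model. This is an added example, not code from Horizon or from the commit; `Panel`, `build_menu`, `resolve` and `dispatch` are hypothetical names, and the rule names and the "all rules must pass" check are assumptions.

```python
# Added illustration; Panel, build_menu, resolve and dispatch are hypothetical
# names, not Horizon's API. Rule names and URLs are constructed sample data.
from dataclasses import dataclass


class NotAuthorized(Exception):
    """Raised when the requesting user fails a panel's policy rules."""


@dataclass(frozen=True)
class Panel:
    slug: str
    url_prefix: str
    policy_rules: frozenset  # assumption: every rule must pass

    def allowed(self, user_rules):
        return self.policy_rules <= user_rules


PANELS = [
    Panel("flavors", "/admin/flavors/", frozenset({"admin_required"})),
    Panel("instances", "/project/instances/", frozenset({"member"})),
]


def build_menu(user_rules):
    """Menu filtering only: hides panels from the UI but protects nothing."""
    return [p.slug for p in PANELS if p.allowed(user_rules)]


def resolve(path):
    """Longest-prefix match, so sub-views such as .../create/ are covered."""
    hits = [p for p in PANELS if path.startswith(p.url_prefix)]
    return max(hits, key=lambda p: len(p.url_prefix)) if hits else None


def dispatch(path, user_rules, enforce_policy):
    """Return the view served, or raise NotAuthorized.

    enforce_policy=False models the reported behaviour; True models the
    policy check at the view entry point that the report asks for.
    """
    panel = resolve(path)
    if panel is None:
        raise LookupError("no panel for " + path)
    if enforce_policy and not panel.allowed(user_rules):
        raise NotAuthorized("You are not authorized to access this page")
    return panel.slug + ":view"
```

The menu and the view dispatcher call the same `allowed()` check, so a policy change cannot leave the two out of step.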

