Backups - GET backup - does not restrict access to the owner of the backup
Bug #1188822 reported by David Fecker
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack DBaaS (Trove) | Fix Released | Critical | Nikhil Manchanda |
Bug Description
Backups - GET backup - does not restrict access to the owner of the backup
Any user can "get" a backup from another user if they know the id of the backup
Changed in reddwarf:
    status: New → Confirmed
    importance: Undecided → Critical
Changed in reddwarf:
    assignee: nobody → Nikhil Manchanda (slicknik)
Changed in reddwarf:
    milestone: none → havana-2
Changed in trove:
    status: Fix Committed → Fix Released
Changed in trove:
    milestone: havana-2 → 2013.2
Just reviewed the code and it looks like this is an issue. We're not checking that the tenant who owns the backup is the same as the tenant who is trying to GET the backup by ID.
We need to fix this.
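The missing check described in the bug and in the comment above, shown as an added illustration that is not Trove's own code: an id-only lookup next to a lookup scoped to the caller's tenant. The `Backup`, `RequestContext`, `BACKUPS` store and `NotFound` error are constructed for this example.

```python
"""Tenant-scoped lookup of a backup record (illustrative, not Trove's code)."""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for a backup that does not exist *or* belongs to another tenant.
    One error for both cases keeps the API from confirming that a guessed
    backup id exists in some other tenant."""


@dataclass(frozen=True)
class Backup:
    id: str
    tenant_id: str
    name: str


@dataclass(frozen=True)
class RequestContext:
    tenant_id: str
    is_admin: bool = False


# Constructed sample rows standing in for the backups table.
BACKUPS = {
    "b-1111": Backup("b-1111", "tenant-a", "nightly-a"),
    "b-2222": Backup("b-2222", "tenant-b", "nightly-b"),
}


def get_backup_unscoped(context, backup_id):
    """The flawed pattern: look the record up by id alone, so any tenant
    that knows the id receives another tenant's backup."""
    try:
        return BACKUPS[backup_id]
    except KeyError:
        raise NotFound(backup_id)


def get_backup(context, backup_id):
    """The corrected pattern: the lookup is filtered by the caller's tenant
    (admins excepted), so another tenant's backup looks like a missing one."""
    backup = BACKUPS.get(backup_id)
    if backup is None:
        raise NotFound(backup_id)
    if not context.is_admin and backup.tenant_id != context.tenant_id:
        raise NotFound(backup_id)
    return backup
```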