Normal user creating an alarm with user-id or project-id specified will succeed instead of returning 401
Bug #1297677 reported by ZhiQiang Fan
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ceilometer | Fix Released | High | Eoghan Glynn | |
Bug Description
If a user posts to /alarms with user-id and/or project-id set to another user or project, it will succeed; the user-id and project-id will be set to the user's current user-id and project-id.
This is bad because it goes against the user's expectation: the user does want something, so he sets it, but it is not authorized, so we should return a 401 and tell the user he cannot set those values because he has no such privilege.
see: https:/
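The two behaviours contrasted in the description, as an added sketch that is not Ceilometer's code: `overwrite_owner` silently replaces the requested owner ids, while `enforce_owner` refuses the request with a 401. The field names `user_id` and `project_id`, the `auth` dict, and the admin exemption are assumptions made for illustration.

```python
class Unauthorized(Exception):
    """Maps to an HTTP 401 response, the status the report asks for."""
    status = 401


# Assumed names for the owner fields of an alarm body (hypothetical).
OWNER_FIELDS = ("user_id", "project_id")


def overwrite_owner(body, auth):
    """Reported behaviour: a non-admin's owner ids are silently replaced."""
    alarm = dict(body)
    for field in OWNER_FIELDS:
        if auth["is_admin"]:
            alarm.setdefault(field, auth[field])   # admin may name any owner
        else:
            alarm[field] = auth[field]             # request value is discarded
    return alarm


def enforce_owner(body, auth):
    """Requested behaviour: a non-admin naming another owner is refused."""
    alarm = dict(body)
    for field in OWNER_FIELDS:
        requested = alarm.get(field)
        if requested is None:
            alarm[field] = auth[field]             # default to the caller
        elif requested != auth[field] and not auth["is_admin"]:
            raise Unauthorized(f"not authorized to set {field}={requested!r}")
    return alarm


# Constructed sample: caller "alice" in project "p-alice" names another owner.
AUTH = {"user_id": "alice", "project_id": "p-alice", "is_admin": False}
BODY = {"name": "cpu_high", "user_id": "bob", "project_id": "p-bob"}

if __name__ == "__main__":
    print(overwrite_owner(BODY, AUTH))   # owner ids quietly become alice's
    try:
        enforce_owner(BODY, AUTH)
    except Unauthorized as exc:
        print(exc.status, exc)
```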
Changed in ceilometer: assignee: nobody → ZhiQiang Fan (aji-zqfan)
Changed in ceilometer: status: Triaged → Confirmed
Changed in ceilometer: milestone: none → icehouse-rc1
Changed in ceilometer: status: Fix Committed → Fix Released
Changed in ceilometer: milestone: icehouse-rc1 → 2014.1
If that's true, that's a serious problem, but I doubt it is, _unless_ you're admin.