response of normal user update the "shared" property of network
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Kevin Benton |
Bug Description
I used a normal user to create a network successfully, then I wanted to update the "shared" property of the network.
It failed, and the response was a 404 error; the message is: The resource could not be found. But I have created the network, it is so strange.
I check the policy.json of neutron, the rule is: "update_
So the error information is wrong.
Check the code:
    def update(self, request, id, body=None, **kwargs):
        """Updates the specified entity's attributes."""
        ......
        ......
        try:
        except exceptions.
            # To avoid giving away information, pretend that it
            # doesn't exist
            msg = _('The resource could not be found.')
            raise webob.exc.
I think we couldn't provide the wrong response information to avoid giving away information, and there isn't any information that needs to avoid giving away here, so I think it is a bug.
I suggest modifying the code like this:
    try:
    except exceptions.
        # To avoid giving away information, pretend that it
        # doesn't exist
        # msg = _('The resource could not be found.')
        raise webob.exc.
affects: openstack-manuals → neutron
Changed in neutron:
importance: Undecided → Medium
milestone: none → juno-3
tags: added: neutron-core
Changed in neutron:
status: Fix Committed → Fix Released
Changed in neutron:
milestone: juno-3 → 2014.2
The problem is that this is the same enforcement error that someone will receive if they try to update someone else's network. By returning a 403 instead of a 404, we would reveal information about which networks exist.
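One way to reconcile the report with the reply above, as an added example that is not neutron's code: answer 403 only when the caller could already read the resource, and 404 otherwise, so a denied update never confirms that someone else's network exists. The `Network` class, the `ctx` dict, the policy rules and the sample data are all assumptions made for the illustration.

```python
# Added illustration; every name here is hypothetical, not neutron's API.
from dataclasses import dataclass

@dataclass
class Network:
    id: str
    tenant_id: str
    name: str = ""
    shared: bool = False

# Constructed sample data: one network per tenant.
NETWORKS = {
    "net-a": Network("net-a", tenant_id="tenant-a"),
    "net-b": Network("net-b", tenant_id="tenant-b"),
}
UPDATABLE = {"name", "shared"}

def can_view(ctx, net):
    """Assumed read policy: admin, owner, or anyone if the network is shared."""
    return ctx["is_admin"] or net.shared or net.tenant_id == ctx["tenant_id"]

def can_update(ctx, net, body):
    """Assumed write policy: only admins change 'shared'; owners change the rest."""
    if ctx["is_admin"]:
        return True
    return net.tenant_id == ctx["tenant_id"] and "shared" not in body

def update_network(ctx, net_id, body):
    """Return (status, message) for an update request."""
    if not body or set(body) - UPDATABLE:
        return 400, "Unrecognized attribute in request body."
    net = NETWORKS.get(net_id)
    # A missing network and one the caller cannot read get the same answer,
    # so the response cannot be used to probe which IDs exist.
    if net is None or not can_view(ctx, net):
        return 404, "The resource could not be found."
    if not can_update(ctx, net, body):
        # The caller can already read this network: 403 reveals nothing new.
        return 403, "Policy does not allow this update."
    for key, value in body.items():
        setattr(net, key, value)
    return 200, "updated"
```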