Artifacts: public artifact may be modified by any user

Bug #1489902 reported by Alexander Tivelkov
Affects: Glance | Status: Fix Released | Importance: Undecided | Assigned to: Alexander Tivelkov

Bug Description

Artifacts should be editable only by their owner and admins. However, it seems like it is not enforced, and if the user has access to an artifact (e.g. if the artifact is public) she may modify it even without being an admin or the artifact's owner.

Tags: artifacts
Changed in glance:
assignee: nobody → Alexander Tivelkov (ativelkov)
Mike Fedosin (mfedosin)
Changed in glance:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/218379

Changed in glance:
status: Confirmed → In Progress
Changed in glance:
milestone: none → liberty-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/218379
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=0a9611962d0fb6bdffa9c65c9021ff96972eda90
Submitter: Jenkins
Branch: master

commit 0a9611962d0fb6bdffa9c65c9021ff96972eda90
Author: Alexander Tivelkov <email address hidden>
Date: Fri Aug 28 19:10:04 2015 +0300

    Fixed non-owner write-access to artifacts

    There was no check for write-access privileges during all the
    mutating operations with artifacts (updates, patches, deletes,
    activations etc), so any user who has access to an artifact could
    modify it. Because of this, non-owners could modify public artifacts
    which was a major security issue.

    Now this is addressed and an appropriate set of tests added to
    prevent possible regressions.

    FastTrack
    Change-Id: I2f4c2d70b74ae39ababed2ba9b97559ef5ea6d6c
    Closes-bug: #1489902

Changed in glance:
status: In Progress → Fix Committed
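The missing check that the bug report and the commit message describe, as an added Python example (constructed here, not Glance's code): a store in which read access and write access are decided separately, with the buggy mutator that relies only on the read lookup placed beside corrected mutators that all pass through an owner-or-admin check. `Artifact`, `Context`, `ArtifactStore`, `require_write_access` and the sample users are assumed names and constructed data.

```python
# Constructed example, not Glance code: an owner/admin write check applied to every
# mutating operation on a shared object. Artifact, Context and ArtifactStore are
# assumed names; the store is an in-memory dict standing in for a real backend.
from dataclasses import dataclass, field
import functools


class Forbidden(Exception):
    """Caller may read the artifact but may not modify it."""


class NotFound(Exception):
    """Artifact does not exist or is not visible to the caller."""


@dataclass
class Context:
    user_id: str
    is_admin: bool = False


@dataclass
class Artifact:
    id: str
    owner: str
    visibility: str = "private"  # "private" or "public"
    state: str = "creating"
    metadata: dict = field(default_factory=dict)


def can_read(ctx, artifact):
    # Public artifacts are visible to everyone; private ones only to owner/admin.
    return artifact.visibility == "public" or ctx.is_admin or artifact.owner == ctx.user_id


def can_write(ctx, artifact):
    # Visibility never grants write access: only the owner or an admin may mutate.
    return ctx.is_admin or artifact.owner == ctx.user_id


def require_write_access(method):
    """Resolve the artifact, enforce can_write, then hand the object to the method."""
    @functools.wraps(method)
    def wrapper(self, ctx, artifact_id, *args, **kwargs):
        artifact = self._get(ctx, artifact_id)
        if not can_write(ctx, artifact):
            raise Forbidden(f"{ctx.user_id} may not modify artifact {artifact_id}")
        return method(self, ctx, artifact, *args, **kwargs)
    return wrapper


class ArtifactStore:
    def __init__(self):
        self._artifacts = {}

    def add(self, artifact):
        self._artifacts[artifact.id] = artifact

    def _get(self, ctx, artifact_id):
        artifact = self._artifacts.get(artifact_id)
        # Report unreadable private artifacts as missing rather than confirming they exist.
        if artifact is None or not can_read(ctx, artifact):
            raise NotFound(artifact_id)
        return artifact

    def show(self, ctx, artifact_id):
        return self._get(ctx, artifact_id)

    # The pattern behind the bug: the read lookup is the only guard on a mutation,
    # so anyone who can see a public artifact can also change it.
    def update_unchecked(self, ctx, artifact_id, **changes):
        artifact = self._get(ctx, artifact_id)
        artifact.metadata.update(changes)
        return artifact

    # Corrected pattern: every mutator (update, activate, delete) goes through can_write.
    @require_write_access
    def update(self, ctx, artifact, **changes):
        artifact.metadata.update(changes)
        return artifact

    @require_write_access
    def activate(self, ctx, artifact):
        artifact.state = "active"
        return artifact

    @require_write_access
    def delete(self, ctx, artifact):
        del self._artifacts[artifact.id]
        return artifact.id


def demo():
    """Exercise both patterns with one public and one private artifact (constructed data)."""
    store = ArtifactStore()
    store.add(Artifact("pub-1", owner="alice", visibility="public"))
    store.add(Artifact("priv-1", owner="alice"))
    alice, bob, admin = Context("alice"), Context("bob"), Context("root", is_admin=True)
    results = {}
    # bob can read the public artifact, and the unchecked mutator lets him change it.
    results["bob_reads_public"] = store.show(bob, "pub-1").id == "pub-1"
    results["unchecked_lets_bob_write"] = (
        store.update_unchecked(bob, "pub-1", note="tampered").metadata.get("note") == "tampered")
    # With the write check, bob's update is refused while owner and admin succeed.
    try:
        store.update(bob, "pub-1", note="again")
        results["checked_blocks_bob"] = False
    except Forbidden:
        results["checked_blocks_bob"] = True
    results["owner_updates"] = store.update(alice, "pub-1", note="ok").metadata["note"] == "ok"
    results["admin_activates"] = store.activate(admin, "pub-1").state == "active"
    # Private artifacts stay invisible to non-owners, for reads and writes alike.
    try:
        store.delete(bob, "priv-1")
        results["private_hidden_from_bob"] = False
    except NotFound:
        results["private_hidden_from_bob"] = True
    results["owner_deletes"] = store.delete(alice, "priv-1") == "priv-1"
    return results
```

Two distinct failures come out of the checked path: a private artifact the caller cannot read surfaces as `NotFound`, so its existence is not confirmed, while a public artifact the caller can read but does not own surfaces as `Forbidden`. Routing every mutator through one decorator is what makes a regression like the one reported here hard to reintroduce: adding a new mutating operation without the check becomes a visible omission rather than a silent default.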
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: liberty-rc1 → 11.0.0