It is now possible to set created_at and updated_at on POST

Bug #1662848 reported by git-harry
This bug affects 1 person
Affects: craton
Status: Fix Released
Importance: High
Assigned to: Sulochan Acharya

Bug Description

https://review.openstack.org/#/c/426278/ has introduced a bug whereby it is possible to set the values for created_at and updated_at in POST requests and potentially other types of request. This appears to be the result of the way filters and validators sometimes share schemata in schemas.py.

Changed in craton:
assignee: nobody → Sulochan Acharya (sulochan-acharya)
importance: Undecided → High
Sulochan Acharya (sulochan-acharya) wrote :

It is also possible to set id, among other things. We need better separation of validators and filters to ensure we don't create a security hole.

Changed in craton:
milestone: none → v0.1.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to craton (master)

Fix proposed to branch: master
Review: https://review.openstack.org/437606

Changed in craton:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to craton (master)

Reviewed: https://review.openstack.org/437606
Committed: https://git.openstack.org/cgit/openstack/craton/commit/?id=78136334daea63214a895039b4deb7a72675fc0a
Submitter: Jenkins
Branch: master

commit 78136334daea63214a895039b4deb7a72675fc0a
Author: Sulochan Acharya <email address hidden>
Date: Thu Feb 23 20:26:51 2017 +0000

    Ensures no extra property is allowed on creates

    Currently we have validators and filters that ensure
    certain properties on GET/POST/PUT calls. So far we
    have been using the same schema for GET and POST calls;
    as a result it was possible to post id, created_at etc.
    when creating resources. This patch fixes this by dividing
    the schema to match get and creates.

    This adds black listed properties on creates, which can
    be expanded according to the resource in question in the
    future if needed.

    Functional tests are added.

    Closes Bug: 1662848

    Change-Id: I9226c18187064b310c811164e146da4909295768

Changed in craton:
status: In Progress → Fix Released
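
The schema split described in the commit message, as an added sketch that is not craton's code and not part of the original report: a create schema is derived from the shared schema by dropping server-managed properties, so a POST body that carries them is rejected. The schema contents, the blacklist, the helper names and the sample body are all assumptions made for illustration.

```python
import copy

# Constructed resource schema, standing in for one shared by
# GET filters and POST validators (hypothetical, not from schemas.py).
SHARED_SCHEMA = {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "id": {"type": "integer"},
        "name": {"type": "string"},
        "created_at": {"type": "string"},
        "updated_at": {"type": "string"},
    },
}

# Properties only the server may set; they must not be accepted on create.
CREATE_BLACKLIST = ("id", "created_at", "updated_at")


def create_schema(shared, blacklist=CREATE_BLACKLIST):
    """Derive a POST schema from the shared one, minus server-managed keys."""
    schema = copy.deepcopy(shared)  # leave the filter schema untouched
    for key in blacklist:
        schema["properties"].pop(key, None)
    schema["additionalProperties"] = False
    return schema


_TYPES = {"integer": int, "string": str}


def validate(body, schema):
    """Minimal validator: return a list of errors (empty means accepted)."""
    errors = []
    props = schema["properties"]
    for key, value in body.items():
        if key not in props:
            if schema.get("additionalProperties") is False:
                errors.append("unexpected property: %s" % key)
        elif not isinstance(value, _TYPES[props[key]["type"]]):
            errors.append("wrong type for: %s" % key)
    return errors


# Constructed request body that tries to set server-managed fields.
BODY = {"name": "host1", "id": 999, "created_at": "1970-01-01T00:00:00"}

if __name__ == "__main__":
    print("shared schema:", validate(BODY, SHARED_SCHEMA))
    print("create schema:", validate(BODY, create_schema(SHARED_SCHEMA)))
```
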