Climate V2 API lets a non admin user list all leases
Bug #1306231 reported by
Pablo Andres Fuente
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Blazar |
Won't Fix
|
Medium
|
Pablo Andres Fuente | ||
Bug Description
The V2 API lets a non admin user list all leases. This can be reproduced creating a lease using admin user, another lease using a non admin user, and then if you try to get all the leases using the non admin user, you will can get the admin lease too.
This could not be reproduced using the climate client, because it supports V1 API only.
Revision history for this message
| Dina Belova (dbelova) wrote | #1 |
| Changed in climate: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in climate: | |
| assignee: | nobody → Pablo Andres Fuente (pablo-a-fuente) |
| Changed in blazar: | |
| status: | Confirmed → In Progress |
Revision history for this message
| fatemehj (f-jabbari) wrote | #2 |
Revision history for this message
| Masahito Muroi (muroi-masahito) wrote | #3 |
| Changed in blazar: | |
| status: | In Progress → Won't Fix |
Revision history for this message
| Pierre Riteau (priteau) wrote | #4 |
Revision history for this message
| Pierre Riteau (priteau) wrote | #5 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on blazar (master) | #6 |
To post a comment you must log in.
Connected with https:/
Fix should fix both of them.