Comment 7 for bug 978896

Paul McMillan (paul-mcmillan) wrote :

After thoroughly investigating the Django end of things, I'm forced to conclude this is a Horizon bug, and a serious one. I can reproduce the effect in Horizon, and during testing noticed that Horizon's use of Django's sessions and its connection to keystone seem to bypass some of the assumptions I've made about the protection provided by Django.

In light of that, I don't currently have enough information about this bug to estimate how serious it is, other than that it is at least as serious as indicated above, likely much worse, and I need to spend more time looking at the code and testing. I will try to work on that tomorrow.