oauth controller calls are not protected

Bug #1231709 reported by Steve Martinelli on 2013-09-26
Affects: OpenStack Identity (keystone)
Importance: High
Assigned to: Steve Martinelli

Bug Description

It's open season for the oauth controllers, and anyone can call anything they want.
None of the controllers are protected. The policy.json file needs to be updated accordingly.

Fix proposed to branch: master
Review: https://review.openstack.org/48534

Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Dolph Mathews (dolph) on 2013-09-26
Changed in keystone:
milestone: none → havana-rc1
importance: Undecided → High

Reviewed: https://review.openstack.org/48534
Committed: http://github.com/openstack/keystone/commit/65f292144f2b8569c64d3fd479863d58d475fec9
Submitter: Jenkins
Branch: master

commit 65f292144f2b8569c64d3fd479863d58d475fec9
Author: Steve Martinelli <email address hidden>
Date: Thu Sep 26 17:03:24 2013 -0500

    Protect oauth controller calls and update policy.json

    We need to call controller.protected for most of the oauth_calls.
    With the exception of the public ones (create_request_token,
    create_access_token, and authenticate_access_token).
    Also need to update the policy.json accordingly.

    fixes bug 1231709

    Change-Id: Ica111aa3ed82499d2de50d472754a0b5b3c5cc71

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
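
A regression check for this class of bug, added here as an example; it is not keystone code and not part of the commit. It assumes a hypothetical `protected` decorator standing in for `controller.protected`, a constructed `ConsumerController`, and constructed policy rules. It flags any non-public controller call that lacks the decorator or lacks a policy rule.

```python
import functools

# Constructed rules, as if parsed from policy.json; the names are assumptions.
POLICY = {"identity:list_consumers": "role:admin",
          "identity:delete_consumer": "role:admin"}
# The calls the commit message lists as intentionally public.
PUBLIC_CALLS = {"create_request_token", "create_access_token",
                "authenticate_access_token"}

def enforce(context, action):
    """Minimal evaluator for 'role:<name>' rules; a missing rule denies."""
    rule = POLICY.get(action)
    if rule is None:
        raise PermissionError(action + ": no policy rule, denied by default")
    if rule[len("role:"):] not in context.get("roles", []):
        raise PermissionError(action)

def protected(func):
    """Hypothetical stand-in for controller.protected."""
    @functools.wraps(func)
    def wrapper(self, context, *args, **kwargs):
        enforce(context, "identity:" + func.__name__)
        return func(self, context, *args, **kwargs)
    wrapper.policy_protected = True  # marker the audit below looks for
    return wrapper

class ConsumerController:  # constructed controller, not keystone's
    @protected
    def list_consumers(self, context):
        return ["consumer-1"]
    @protected
    def get_consumer(self, context):  # decorated, but POLICY has no rule
        return "consumer-1"
    def delete_consumer(self, context):  # rule exists, decorator forgotten
        return "deleted"
    def create_request_token(self, context):  # public by design
        return "request-token"

def audit(controller_cls):
    """Map each non-public call to the reason it is not policy-protected."""
    problems = {}
    for name, member in vars(controller_cls).items():
        if name.startswith("_") or not callable(member) or name in PUBLIC_CALLS:
            continue
        if not getattr(member, "policy_protected", False):
            problems[name] = "missing protected decorator"
        elif "identity:" + name not in POLICY:
            problems[name] = "no policy rule"
    return problems
```

Run as a unit test over every controller class, this fails the build when a new call is added without both the decorator and a rule, and the `delete_consumer` case shows that a rule in the policy file has no effect on a call that never consults it.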