Comment 2 for bug 1955627

Goutham Pacha Ravi (gouthamr) wrote :

The problem here seems to be the "reset_status" logic doesn't check if the requester has permission to retrieve/manipulate the resource.

https://opendev.org/openstack/manila/src/commit/3ce3854ae9193d94537857737b961576386978b6/manila/api/openstack/wsgi.py#L1239-L1254

Before we perform the _update in that method, we could perform a policy check with the resource as the target.

  resource = self._get(context, id)
  policy.check_policy(context, "%s:%s" % (resource_name, "reset_status"), resource)
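The pattern described above, written out as an added illustration that is not manila's code: Context, Store, check_policy and the two reset_status_* functions are hypothetical stand-ins for the wsgi controller, the database layer and manila's policy module, and the sample rows are constructed.

```python
# Added illustration (not manila's code): a minimal model of a "reset status"
# admin action with and without a policy check that targets the resource.
# Context, Store, PolicyError, check_policy and reset_status_* are hypothetical.
from dataclasses import dataclass, field


class PolicyError(Exception):
    """Raised when the caller is not allowed to act on the target."""


@dataclass
class Context:
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass
class Store:
    # constructed in-memory table: resource id -> row (dict of columns)
    rows: dict = field(default_factory=dict)

    def get(self, resource_id):
        return self.rows[resource_id]

    def update(self, resource_id, values):
        self.rows[resource_id].update(values)


def check_policy(context, action, target):
    """Hypothetical policy rule: admins may act on anything; other callers
    may only act on resources owned by their own project."""
    if context.is_admin or target.get("project_id") == context.project_id:
        return True
    raise PolicyError("%s denied for user %s" % (action, context.user_id))


def reset_status_unchecked(store, context, resource_id, status):
    """Mirrors the flaw in the comment: the row is updated by id without
    checking that the requester may retrieve or manipulate it."""
    store.update(resource_id, {"status": status})
    return store.get(resource_id)["status"]


def reset_status_checked(store, context, resource_id, status, resource_name="share"):
    """Hardened variant: fetch the resource first, run the policy check with
    the resource as the target, and only then perform the update."""
    resource = store.get(resource_id)
    check_policy(context, "%s:%s" % (resource_name, "reset_status"), resource)
    store.update(resource_id, {"status": status})
    return store.get(resource_id)["status"]
```

With the unchecked variant a caller from another project can flip the status of a resource it does not own; the checked variant raises PolicyError and leaves the row untouched.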