The problem here seems to be that the "reset_status" logic doesn't check if the requester has permission to retrieve/manipulate the resource.
https://opendev.org/openstack/manila/src/commit/3ce3854ae9193d94537857737b961576386978b6/manila/api/openstack/wsgi.py#L1239-L1254
Before we perform the _update in that method, we could perform a policy check with the resource as the target.

    resource = self._get(context, id)
    policy.check_policy(context, "%s:%s" % (resource_name, reset_status), resource)
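
The check proposed in this comment, sketched as a self-contained added example (not Manila's code and not from the comment's author). `Controller`, `Context`, the toy "admin_or_owner" rule in `check_policy` and the sample shares are hypothetical stand-ins; `reset_status_unchecked` shows the pattern described, `reset_status_checked` loads the resource and authorizes against it before updating.

```python
# Added illustration: every name here is hypothetical, not Manila's code.
import copy
from contextlib import suppress

class NotAuthorized(Exception): pass

class Context:
    def __init__(self, project_id, is_admin=False):
        self.project_id, self.is_admin = project_id, is_admin

# Constructed sample data: two shares owned by different projects.
SHARES = {
    "share-a": {"project_id": "proj-1", "status": "error"},
    "share-b": {"project_id": "proj-2", "status": "error"},
}

def check_policy(context, action, target):
    """Toy 'admin_or_owner' rule, evaluated against the target resource."""
    if not (context.is_admin or target["project_id"] == context.project_id):
        raise NotAuthorized(action)

class Controller:
    resource_name = "share"
    def __init__(self, db):
        self.db = db
    def _get(self, context, id):
        return self.db[id]
    def _update(self, context, id, values):
        self.db[id].update(values)

    def reset_status_unchecked(self, context, id, status):
        # Pattern the comment describes: update by id, no per-resource check.
        self._update(context, id, {"status": status})

    def reset_status_checked(self, context, id, status):
        # Load the resource first, then authorize with it as the target.
        resource = self._get(context, id)
        check_policy(context, "%s:reset_status" % self.resource_name, resource)
        self._update(context, id, {"status": status})

def demo():
    """Tenant proj-1 tries to reset proj-2's share through both handlers."""
    tenant, results = Context("proj-1"), {}
    for name in ("reset_status_unchecked", "reset_status_checked"):
        ctrl = Controller(copy.deepcopy(SHARES))
        with suppress(NotAuthorized):
            getattr(ctrl, name)(tenant, "share-b", "available")
        results[name] = ctrl.db["share-b"]["status"]
    return results
```

`demo()` returns the final status of the other project's share after each handler runs, so the difference between the two is visible in one dictionary.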