A share export location can be retrieved from any project when its ID is known
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Shared File Systems Service (Manila) | Fix Released | Medium | Daria Fortunato | |
Bug Description
Description
===========
If a share export location ID becomes known, it is possible to get information about it from another project even if a user has no admin rights (like context.
Steps to reproduce
==================
* Create a share inside project A
* Get the share's export locations
* Create a share inside project B
* Try to get one of the export locations of the first share (from project A) using the second share (from project B) inside the URL path
GET /v2/{project_
Expected result
===============
The export location should not be returned.
Actual result
=============
Share export location information is returned.
Environment
===========
Manila version: 2024.1 Caracal
N.B. I didn't see any new changes inside the `master` branch that would prevent this from happening inside newer versions.
I'll try to submit a patch to fix this.
| Changed in manila: | |
| assignee: | nobody → Daria Kobtseva (dkobtsev) |
| Changed in manila: | |
| importance: | Undecided → Medium |
| milestone: | none → flamingo-3 |

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/957856
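
The reproduction steps above describe a nested-resource lookup in which the share in the URL path is authorized but the export location is fetched by its ID alone. The sketch below is an added example, not Manila's code and not the proposed patch; it shows that pattern beside a lookup that ties the export location to the authorized share. All names (`Context`, `SHARES`, `EXPORT_LOCATIONS`, both `show_*` functions) and the sample data are hypothetical, and the assumed root cause is inferred only from the steps in the report.

```python
from dataclasses import dataclass


class NotFound(Exception):
    """Raised for missing and for foreign objects alike, so IDs cannot be probed."""


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False


# Constructed sample data: one share per project, one export location each.
SHARES = {"share-a": "project-a", "share-b": "project-b"}  # share -> owning project
EXPORT_LOCATIONS = {  # location id -> (parent share, export path)
    "el-a": ("share-a", "10.0.0.5:/shares/share-a"),
    "el-b": ("share-b", "10.0.0.6:/shares/share-b"),
}


def _get_share(ctx, share_id):
    """Authorize the share named in the URL path against the caller's project."""
    owner = SHARES.get(share_id)
    if owner is None or not (ctx.is_admin or owner == ctx.project_id):
        raise NotFound(share_id)
    return share_id


def show_export_location_unscoped(ctx, share_id, location_id):
    """Flawed pattern: the parent is authorized, the child is looked up by ID only."""
    _get_share(ctx, share_id)
    if location_id not in EXPORT_LOCATIONS:
        raise NotFound(location_id)
    return EXPORT_LOCATIONS[location_id][1]


def show_export_location_scoped(ctx, share_id, location_id):
    """Hardened pattern: the location must belong to the share that was authorized."""
    _get_share(ctx, share_id)
    parent, path = EXPORT_LOCATIONS.get(location_id, (None, None))
    if parent != share_id:
        raise NotFound(location_id)
    return path
```

The same four cases (own share and own location, own share and foreign location, foreign share, unknown ID) make a compact regression test for any API that addresses a child resource through its parent's path.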