Comment 8 for bug 1042037

I think the hardcoded behavior you are referring to is the one implemented in QuantumDBPluginv2 as far as queries on the db are concerned.

I agree that providers might want to apply more strict authZ criteria, and the policy engine is the right place to do that.
The policy engine should already provide mechanism for associating rules with action.
For instance "create_router" : [["rule:admin_only"]] should automatically allow only admins to create routers , without requiring any change to the code.
If the above is not correct, then we have an issue with the policy engine, and I'd rather fix that issue so that the policy engine works as expect.

The other point I had is that policy checks should not be performed in the plugin; as they affect they way the user interacts with Quantum, you might want to ensure a consistent behavior regardless of the plugin used.

Finally, on subnet and port ownership, Akihiro correctly observed that add_router_interface and its dual call the method for retrieving port/subnet with the user context. These method will filter the query on context.tenant_id. So I think we can consider ourselves safe as far as Folsom is concerned, unless I am missing something.