Difficult to understand message when using incorrect role against object in Neutron
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Invalid | Undecided | Sudipta Biswas |
Bug Description
When a user runs an action against an object in neutron for which they
don't have authority (perhaps their role allows read of the object,
but not update), they get the message "The resource could not be found".
For example: User doesn't have the privilege to edit a network and
attempts doing that but ends up getting the resource not found message.
This is a bad message because the object they just read in is now
stating that it does not exist. This is not true; the root issue is that they
do not have authority to it.
One can argue that for security reasons, we should state that the object
does not exist. However, it creates an odd scenario where you have
certain roles that can read an object, but then not write to it.
I'm proposing that we change the message to "The resource could not be
found or user's role does not have sufficient privileges to run the
operation."
Two identified test cases applicable to this would be the remove/edit
networks.
Changed in neutron:
assignee: nobody → Sudipta Biswas (sbiswas7)
That's an intended behavior. User that doesn't have access to a resource should not know whether it exists or not.
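
The trade-off discussed in this report, as an added example that is not Neutron's code and not part of the report or the reply above: a responder that returns 403 for every denied action lets a caller with no read access distinguish real IDs from made-up ones, while one that returns 404 unless the caller can already read the object does not. The role names, actions, network IDs and function names are all hypothetical and constructed for the illustration.

```python
# Hypothetical role policy and data, constructed for this example (not Neutron's policy file).
POLICY = {
    "admin": {"get_network", "update_network"},
    "viewer": {"get_network"},   # can read, cannot write: the reporter's case
    "outsider": set(),           # no access at all: the reply's case
}
NETWORKS = {"net-1": {"name": "prod"}}


def allowed(role, action):
    return action in POLICY.get(role, set())


def respond_naive(role, action, net_id):
    """Weak variant: 403 for any denied action on an object that exists."""
    if net_id not in NETWORKS:
        return 404
    return 200 if allowed(role, action) else 403


def respond_hiding(role, action, net_id):
    """Hide existence from callers who cannot read; be explicit to those who can."""
    if not allowed(role, "get_network") or net_id not in NETWORKS:
        return 404  # same answer whether or not the ID exists
    if not allowed(role, action):
        return 403  # caller can already read it, so nothing new is disclosed
    return 200


def is_existence_oracle(respond, role, action="update_network"):
    """True if a caller without read access can tell a real ID from a made-up one."""
    if allowed(role, "get_network"):
        return False
    return respond(role, action, "net-1") != respond(role, action, "net-missing")


if __name__ == "__main__":
    for fn in (respond_naive, respond_hiding):
        print(fn.__name__,
              "viewer update ->", fn("viewer", "update_network", "net-1"),
              "| outsider update ->", fn("outsider", "update_network", "net-1"),
              "| oracle for outsider:", is_existence_oracle(fn, "outsider"))
```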