Queries for fetching quotas are not scoped
Bug #1505406 reported by Salvatore Orlando
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Low | Salvatore Orlando |
Bug Description
get_tenant_quotas retrieves quotas for a tenant without scoping the query with the tenant_id issuing the request [1]; even if the API extension has an explicit authorisation check (...) [2], it is advisable to scope the query so that this problem is avoided.
This is particularly relevant as, with the pecan framework, quota management APIs are no longer "special" from an authZ perspective, but use the same authorization hook as any other API.
[1] http://
[2] http://
Changed in neutron:
status: New → In Progress
tags: added: api db
Changed in neutron:
importance: Medium → Low
Changed in neutron:
milestone: mitaka-1 → mitaka-2
Is this backport material?