Comment 5 for bug 1779003

Cliff Parsons (cliffhparsons) wrote :

Sorry for the delay, Hongbin, I was on a vacation for a while.

If you are using the default policy.json file you won't see the problem. In my company's policy file, we specify that a certain user role is not allowed to get or update a network. It is that role that illuminates the problem. Here is a sample policy file excerpt that will help you understand and reproduce the problem:

    ...
    "admin_or_owner": "rule:context_is_admin or (rule:owner and not role:anotherrole)",
    "context_is_advsvc": "role:advsvc",
    ...
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    ...
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only",
    ...

Notice above that the role "anotherrole" is not allowed to execute "admin_or_owner" types of actions. This includes update network and also getting/showing a network, except the case where the network is shared or is an external network. For this test, ensure that the network is neither shared nor external to begin with.

Now grab a token as a user with the role "anotherrole", and then try to do the update network curl command:
    curl -g -i -X PUT "http://localhost:9696/v2.0/networks/$NET_ID" \
      -H "Accept: application/json" -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN" \
      -d '{"network": {"shared": true}}'

You will see that you will get a 403 Forbidden response because the user with "anotherrole" was allowed to perform "get_network" when, in fact, it should not have been, because at the time of the update the network was not shared and not external. Expectation was 404.

You should be able to understand and reproduce the bug now. Please let me know if you have further questions.
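The 403-versus-404 decision described in this comment, worked through as an added example that is neither Neutron's code nor part of the bug report: a small evaluator for the quoted rules (rule:, role:, field: and the tenant_id generic check, with the same not > and > or precedence as oslo.policy) and a function returning the status a PUT should yield when a caller who may not even "get" the network is answered with 404 rather than 403. The rules that the excerpt's "..." elides are filled in with assumed Neutron defaults, and `enforce`, `update_network_status` and the credentials in the checks are hypothetical names and constructed data.

```python
import re
# Assumed policy table: the rules quoted above plus the Neutron defaults that the
# excerpt's "..." elides (constructed for this example; compare with your policy.json).
POLICY = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_only": "rule:context_is_admin",
    "shared": "field:networks:shared=True",
    "external": "field:networks:router:external=True",
    "admin_or_owner": "rule:context_is_admin or (rule:owner and not role:anotherrole)",
    "context_is_advsvc": "role:advsvc",
    "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only",
}

def _atom(tok, creds, target):  # rule:<name>, role:<name>, field:<res>:<attr>=<v>, <key>:%(<attr>)s
    kind, _, rest = tok.partition(":")
    if kind == "rule": return enforce(rest, creds, target)
    if kind == "role": return rest in creds.get("roles", ())
    if kind == "field":  # simplified: compare the target attribute as a string
        attr, _, value = rest.partition(":")[2].partition("=")
        return str(target.get(attr)) == value
    m = re.fullmatch(r"%\((\w+)\)s", rest)  # generic check: creds[key] == target[attr]
    return m is not None and creds.get(kind) == target.get(m.group(1))

def enforce(action, creds, target):  # evaluates POLICY[action]; precedence not > and > or
    toks = re.findall(r"\(|\)|(?:%\([^)]*\)|[^\s()])+", POLICY[action])  # keeps %(x)s whole
    def term():  # 'not' term, a parenthesised expression, or a single check
        tok = toks.pop(0)
        if tok == "not": return not term()
        if tok == "(":
            v = expr(); toks.pop(0)  # drop the matching ")"
            return v
        return _atom(tok, creds, target)
    def expr():  # every operand is evaluated so that its tokens are consumed
        acc, conj = False, term()
        while toks and toks[0] in ("and", "or"):
            if toks.pop(0) == "and":
                conj = term() and conj
            else:
                acc, conj = acc or conj, term()
        return acc or conj
    return expr()

def update_network_status(creds, network, body):  # HTTP status the PUT should produce
    if not enforce("get_network", creds, network):
        return 404  # caller may not even see the network: the expectation in the comment
    if any(a in POLICY and not enforce(a, creds, network)
           for a in ["update_network"] + ["update_network:" + k for k in body]):
        return 403  # visible, but the update or one of its attributes is denied
    return 200
```

With a non-shared, non-external network owned by the caller's tenant, a token carrying "anotherrole" yields 404 for the PUT above, while a plain owner gets 403 on the admin-only "shared" attribute and 200 on an attribute without its own rule.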