[API] Return 403 for POST requests when user is not authorized
In the policy_enforcement module if policy.enforce() will raise
PolicyNotAuthorized exception, there is additional check if user is
trying to modify own or someone else resource. In case when user is not
allowed to show resource even, error 404 is raised to "hide" any
information about requested resource.
But that was also the case for POST (create resource) requests and 404
error when user is trying e.g. create network is confusing.
So this patch modifies that logic and in case of "create_" actions it
will return 403 if user was not authorized to do such operation.
Reviewed: https:/ /review. opendev. org/c/openstack /neutron/ +/834171 /opendev. org/openstack/ neutron/ commit/ 60bc6c7a992383c ecaf7dcf425668a 6ea92b151b
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 60bc6c7a992383c ecaf7dcf425668a 6ea92b151b
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 17 14:33:41 2022 +0100
[API] Return 403 for POST requests when user is not authorized
In the policy_enforcement module if policy.enforce() will raise thorized exception, there is additional check if user is
PolicyNotAu
trying to modify own or someone else resource. In case when user is not
allowed to show resource even, error 404 is raised to "hide" any
information about requested resource.
But that was also the case for POST (create resource) requests and 404
error when user is trying e.g. create network is confusing.
So this patch modifies that logic and in case of "create_" actions it
will return 403 if user was not authorized to do such operation.
Closes-Bug: #1965294 a564361137b2a00 ff86dcbdf1c
Change-Id: I80b0616c335134