Comment 3 for bug 644092

Michael Gundlach (gundlach) wrote : Re: [Bug 644092] Re: authorization not checked in ec2 api

On Tue, Sep 21, 2010 at 8:16 AM, Soren Hansen <email address hidden> wrote:

> Now that I think about it, I'm not sure how they're supposed to work?
> They're applied before the object(s) being accessed are even known, so
> it only really checks if context.user has the given role on
> context.project, right? So any checks further down should check whether
> the object being accessed belongs to context.project. Is that accurate?
>

Yep, that's accurate. The conversion from Tornado to eventlet (as of yet
unmerged to trunk) moves all that into an "Authorization" middleware. It
might help clarify the code if that were renamed to "MethodAuthentication"
and we do data authentication somewhere else.

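The distinction discussed in this comment, as an added example that is not part of the original message and is not nova's code: a method-level role check that runs before the object is known, next to a handler that also checks the object belongs to `context.project`. The `Context` and `Volume` types, the `require_role` decorator, the handler names, the role name and the sample data are all hypothetical.

```python
# Added illustration; every name here is hypothetical, not nova's API.
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class Context:
    user: str
    project: str
    roles: dict = field(default_factory=dict)  # project -> set of role names


@dataclass
class Volume:
    id: str
    project_id: str


# Constructed sample data: two projects, one volume each.
VOLUMES = {"vol-1": Volume("vol-1", "proj-a"), "vol-2": Volume("vol-2", "proj-b")}


def require_role(role):
    """Method-level check: runs before any object is looked up."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(context, *args, **kwargs):
            if role not in context.roles.get(context.project, set()):
                raise PermissionError(f"{context.user} lacks {role} on {context.project}")
            return fn(context, *args, **kwargs)
        return wrapper
    return decorator


@require_role("projectmanager")
def describe_volume_role_only(context, volume_id):
    # The role check passed, but nothing ties the object to context.project.
    return VOLUMES[volume_id]


@require_role("projectmanager")
def describe_volume(context, volume_id):
    volume = VOLUMES[volume_id]
    # Data-level check: the object must belong to the caller's project.
    if volume.project_id != context.project:
        raise PermissionError(f"{volume_id} is not in {context.project}")
    return volume
```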