Comment 1 for bug 1256983

Steven Hardy (shardy) wrote : Re: Heat ReST API doesn't respect tenant scoping

So the simplest possible fix is to remove the line which overwrites the context tenant_id:

https://github.com/openstack/heat/blob/master/heat/api/openstack/v1/util.py#L29

This just means the tenant_id in the path is ignored, and User1 always gets the same data regardless of the tenant specified in the path (solving the immediate problem).

However, we should probably consider a more robust fix, where we deny any request where the tenant_id specified in the path doesn't match the tenant_id in the context, either directly in the API, or via a policy rule (I'm working on making the ReST API policy.json aware atm).
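
The three behaviours discussed in the comment above, side by side, as an added example that is not Heat's code and not part of the original comment. `RequestContext`, `Forbidden`, the decorator names and the stack data are all hypothetical stand-ins constructed for illustration.

```python
import functools

class Forbidden(Exception):
    """Hypothetical stand-in for an HTTP 403 response."""

class RequestContext:
    """Hypothetical stand-in for the authenticated request context."""
    def __init__(self, user, tenant_id):
        self.user = user
        self.tenant_id = tenant_id  # tenant the token was scoped to

# Constructed sample data: stack names keyed by owning tenant.
STACKS = {"tenant-a": ["a-web"], "tenant-b": ["b-db"]}

def overwrite_tenant(handler):
    """Reported behaviour: the path tenant_id overwrites the context tenant_id."""
    @functools.wraps(handler)
    def wrapper(context, tenant_id, **kwargs):
        context.tenant_id = tenant_id  # caller-supplied value replaces token scope
        return handler(context, **kwargs)
    return wrapper

def ignore_path_tenant(handler):
    """Simplest fix: drop the overwrite, so the path tenant_id is ignored."""
    @functools.wraps(handler)
    def wrapper(context, tenant_id, **kwargs):
        return handler(context, **kwargs)
    return wrapper

def enforce_tenant(handler):
    """More robust fix: deny when path tenant_id differs from the context."""
    @functools.wraps(handler)
    def wrapper(context, tenant_id, **kwargs):
        if tenant_id != context.tenant_id:
            raise Forbidden("path tenant %r does not match token scope" % tenant_id)
        return handler(context, **kwargs)
    return wrapper

def list_stacks(context):
    """Return the stacks visible to the tenant held in the context."""
    return STACKS.get(context.tenant_id, [])

list_stacks_overwrite = overwrite_tenant(list_stacks)
list_stacks_ignore = ignore_path_tenant(list_stacks)
list_stacks_enforce = enforce_tenant(list_stacks)
```

With the overwrite, a token scoped to `tenant-a` sees `tenant-b` data by changing the path; the simplest fix silently returns `tenant-a` data, while the enforcing variant rejects the mismatched request outright.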