Comment 21 for bug 1824248

Slawek Kaplonski (slaweq) wrote :

@Robin: thx for info.
I know that "GET /v2.0/security-groups/79d6ff90-598c-425a-b0b9-bfaa370dcbc9" is call to neutron API for sure and this one don't shows rules which not belongs to user's tenant.
But I have no idea what is GET /api/network/securitygroups - is it some call to Nova's api maybe, or is it something "internal" for Horizon?

@Jeremy: based on what I wrote above, I'm not sure that it isn't security issue from Neutron point of view. I don't know the way how user would be able to see such "extra" rules created by admin for his SG.
But I also don't think that this should still be keeped as private bug. It may also be "vulnerable" if admin user want's it. And if someone is admin already than probably he can do much more than only add some "hidden" security group rule.