7ba9935a6e
There is an initial policy check in the transfers accept API[1] which validates correctly if the user is authorized to perform the operation or not. However, we've a duplicate check in the volume API layer which passes a target object (volume) while authorizing which is wrong for this API. While authorizing, we enforce check on the project id of the target object i.e. volume in this case which, before the transfer operation is completed, contains the project id of source project hence making the validation wrong. In the case of transfers API, any project is able to accept the transfer given they've the auth key required to secure the transfer accept So this patch removes the duplicate policy check. [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225 Closes-Bug: #1950474 Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be |
||
|---|---|---|
| .. | ||
| notes | ||
| source | ||
| README.rst | ||
Release notes
The release notes for a patch should be included in the patch. The intended audience for release notes include deployers, administrators and end-users.
A release note is required if the patch has upgrade or API impact. It is also required if the patch adds a feature or fixes a long-standing or security bug.
Please see https://docs.openstack.org/cinder/latest/contributor/releasenotes.html for more details.