Enforce policy checks getting share-type by name
Policy checks are skipped when looking up a share-type by name. This causes share creation attempts that specify a valid share-type to pass the early API check on share type even if the share type named is private and not shared with the user's project. The share creation fails later, but after the database record for the share is created. Although the operation fails with an ERROR, the share is stuck in CREATING state. Fix this issue by checking the user's project in the database API just as we do for share type lookups by uuid. Closes-bug: #1885956 Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b
This commit is contained in:
parent
03cb8a39ef
commit
f877deed51
@ -364,7 +364,8 @@ class ShareMixin(object):
|
|||||||
else:
|
else:
|
||||||
share_type = share_types.get_share_type(
|
share_type = share_types.get_share_type(
|
||||||
context, req_share_type)
|
context, req_share_type)
|
||||||
except exception.ShareTypeNotFound:
|
except (exception.ShareTypeNotFound,
|
||||||
|
exception.ShareTypeNotFoundByName):
|
||||||
msg = _("Share type not found.")
|
msg = _("Share type not found.")
|
||||||
raise exc.HTTPNotFound(explanation=msg)
|
raise exc.HTTPNotFound(explanation=msg)
|
||||||
elif not snapshot:
|
elif not snapshot:
|
||||||
|
@ -4233,8 +4233,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):
|
|||||||
|
|
||||||
|
|
||||||
def _share_type_get_by_name(context, name, session=None):
|
def _share_type_get_by_name(context, name, session=None):
|
||||||
result = (model_query(context, models.ShareTypes, session=session).
|
result = (_share_type_get_query(context, session=session).
|
||||||
options(joinedload('extra_specs')).
|
|
||||||
filter_by(name=name).
|
filter_by(name=name).
|
||||||
first())
|
first())
|
||||||
|
|
||||||
|
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixed `launchpad bug #1885956 <https://bugs.launchpad.net/manila/+bug/1885956>`_
|
||||||
|
by ensuring that policy checks are enforced when looking up a share-type
|
||||||
|
by name. This prevents a problem where shares could be stuck in CREATING
|
||||||
|
status when a user attempts to create a share using the name of a private
|
||||||
|
share-type to which the user lacks access.
|
Loading…
Reference in New Issue
Block a user