Comment 0 for bug 1472031

Anna Sortland (annasort) wrote :

The create() API in cinder/volume/api.py does not call the decorator, nor does it call check_policy, unlike other APIs there. Instead, it does the authority check in cinder/volume/flows/api/create_volume.py by calling
   flow_engine = create_volume.get_flow*
which happens after a number of error checks in the api.py itself.
It is better to do the authority check right away. Otherwise, we are allowing some operations to proceed that the user might not have authority for (e.g. we are disclosing information in error messages).

Jay mentioned that "for some reason it appears that create has never used the decorator function but it used to do a policy check early in the create function: (See line 111) https://review.openstack.org/#/c/29862/66/cinder/volume/api.py So, I think the problem goes back to commit e78ba969494560f99b75524304ed8ffea59db560."

We should change the code to use the decorator for create() so that authority for the create volume operation is checked right away.
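
The ordering problem described in this comment, as an added example that is not part of the original report and is not Cinder's code: a policy check placed after input validation lets an unauthorized caller read validation errors, while a decorator runs the check first. The names `require_policy`, `create_late`, `create_early`, `error_seen`, the policy table and the snapshot data are all hypothetical and constructed for illustration.

```python
import functools

class PolicyNotAuthorized(Exception):
    pass

class InvalidInput(Exception):
    pass

# Constructed sample data: role -> allowed actions, and one snapshot record.
POLICY = {"member": {"volume:create"}, "reader": set()}
SNAPSHOTS = {"snap-1": {"status": "error"}}

def check_policy(context, action):
    if action not in POLICY.get(context["role"], set()):
        raise PolicyNotAuthorized("Policy doesn't allow %s" % action)

def require_policy(action):
    """Hypothetical decorator: authorize before the wrapped body runs."""
    def decorator(func):
        @functools.wraps(func)
        def wrapped(context, *args, **kwargs):
            check_policy(context, action)
            return func(context, *args, **kwargs)
        return wrapped
    return decorator

def _validate(size, snapshot_id):
    # Error messages here reveal whether a snapshot exists and its status.
    if snapshot_id is not None:
        snap = SNAPSHOTS.get(snapshot_id)
        if snap is None:
            raise InvalidInput("Snapshot %s not found" % snapshot_id)
        if snap["status"] != "available":
            raise InvalidInput("Snapshot %s has status %s"
                               % (snapshot_id, snap["status"]))
    if size <= 0:
        raise InvalidInput("Size must be positive")

def create_late(context, size, snapshot_id=None):
    _validate(size, snapshot_id)            # runs for any caller
    check_policy(context, "volume:create")  # authorization comes too late
    return {"size": size}

@require_policy("volume:create")
def create_early(context, size, snapshot_id=None):
    _validate(size, snapshot_id)            # only reached when authorized
    return {"size": size}

def error_seen(func, context, *args):
    """Return the error text a caller would see, or 'ok' on success."""
    try:
        func(context, *args)
        return "ok"
    except (PolicyNotAuthorized, InvalidInput) as exc:
        return "%s: %s" % (type(exc).__name__, exc)
```
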