POST /v1/actions with "user_id" specified in body silently overwrites user_id in stored action
Bug #1588364 reported by Domhnall Walsh
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Backup/Restore and DR (Freezer) | In Progress | Undecided | Domhnall Walsh |
Bug Description
Looking at the API-WG guidelines on this, "If a request contains an unexpected attribute in the body, the server should return a 400 Bad Request response".
In the case of an action in freezer, "user_id" is such an attribute because it'll get overwritten with the user id pulled from Keystone based on the provided auth token, so if the user passes the user_id as a parameter the API _should_ return an HTTP 400 response rather than silently overwriting the value.
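The silent overwrite described in the report beside the rejection it asks for, as an added example that is not part of the bug report and is not Freezer's code. The function names, the `BadRequest` exception and the sample body are assumptions made for illustration.

```python
import json

# Attributes the server fills in from the Keystone token (per the report: user_id).
SERVER_CONTROLLED = frozenset({"user_id"})

# Constructed sample body; every field except user_id is a placeholder.
SAMPLE_BODY = b'{"description": "constructed sample", "user_id": "someone-else"}'


class BadRequest(Exception):
    """Hypothetical exception that the API layer would map to HTTP 400."""
    status = 400


def store_action_overwriting(body, token_user_id):
    """Reported behaviour: a client-supplied user_id is silently replaced."""
    doc = json.loads(body)
    doc["user_id"] = token_user_id
    return doc


def store_action_strict(body, token_user_id):
    """Requested behaviour: refuse a body that carries a server-controlled attribute."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise BadRequest("body is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise BadRequest("body must be a JSON object")
    unexpected = sorted(SERVER_CONTROLLED.intersection(doc))
    if unexpected:
        raise BadRequest("unexpected attribute(s) in body: " + ", ".join(unexpected))
    # The stored owner always comes from the token, never from the request body.
    return {**doc, "user_id": token_user_id}


if __name__ == "__main__":
    print(store_action_overwriting(SAMPLE_BODY, "token-user"))
    try:
        store_action_strict(SAMPLE_BODY, "token-user")
    except BadRequest as exc:
        print(exc.status, exc)
```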
Changed in freezer:
assignee: nobody → Domhnall Walsh (domhnall-walsh)
Fix proposed to branch: master
Review: https://review.openstack.org/328942