Comment 10 for bug 1872733

Colleen Murphy (krinkle) wrote : Re: Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID

Protecting the POST case is more complicated because not all credential types use project_id and so the credentials policy only checks against the credential's owner, not their scope. Since this behavior is longstanding and can't be exploited to elevate the user's privileges, I'm inclined not to fix it.
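The distinction the comment draws (the policy compares the credential's owner to the requesting user, but does not compare the credential's project_id to the token's scope, because not every credential type has one) can be shown with a small model. The following is an added example written for this page; it is not keystone's policy code and not the comment author's, and the class and function names (Context, Credential, owner_only_check, owner_and_scope_check) and the credential types used as samples are hypothetical.

```python
"""Constructed, simplified model of an owner check versus an owner-plus-scope
check on a credential create request. NOT keystone code; names are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Who is making the request and what their token is scoped to."""
    user_id: str
    project_id: Optional[str]   # None models an unscoped or non-project token


@dataclass
class Credential:
    """The credential body sent in the request."""
    user_id: str
    type: str                   # hypothetical types: "ec2" carries a project, "totp" does not
    project_id: Optional[str]


def owner_only_check(ctx: Context, cred: Credential) -> bool:
    """Owner-only rule as described in the comment: the request passes as long
    as the credential's user_id is the requesting user. The project_id in the
    body is never compared to the token's scope."""
    return cred.user_id == ctx.user_id


def owner_and_scope_check(ctx: Context, cred: Credential) -> bool:
    """Stricter alternative: still require ownership, and additionally require
    that a credential which does carry a project_id be created under a token
    scoped to that same project. Credential types with no project_id cannot
    be scope-checked, which is why a single generic rule is awkward."""
    if cred.user_id != ctx.user_id:
        return False
    if cred.project_id is None:
        return True
    return cred.project_id == ctx.project_id


def demo() -> dict:
    """Run the three cases a reviewer would want to see (constructed inputs)."""
    alice_on_p1 = Context(user_id="alice", project_id="p1")

    own_ec2_other_project = Credential(user_id="alice", type="ec2", project_id="p2")
    own_totp_no_project = Credential(user_id="alice", type="totp", project_id=None)
    someone_elses = Credential(user_id="bob", type="ec2", project_id="p1")

    return {
        # passes the owner-only rule although p2 is not the token's scope
        "own_cred_other_project": (
            owner_only_check(alice_on_p1, own_ec2_other_project),
            owner_and_scope_check(alice_on_p1, own_ec2_other_project),
        ),
        # no project_id on the credential: both rules reduce to the owner check
        "own_cred_no_project": (
            owner_only_check(alice_on_p1, own_totp_no_project),
            owner_and_scope_check(alice_on_p1, own_totp_no_project),
        ),
        # wrong owner: rejected by both rules
        "other_users_cred": (
            owner_only_check(alice_on_p1, someone_elses),
            owner_and_scope_check(alice_on_p1, someone_elses),
        ),
    }


if __name__ == "__main__":
    for case, (owner_only, owner_and_scope) in demo().items():
        print(f"{case}: owner_only={owner_only} owner_and_scope={owner_and_scope}")
```

The first case is the one the comment describes: the request is for the caller's own credential, so the owner-only rule allows it regardless of which project_id is in the body, while the stricter rule would refuse it. The second case shows why the stricter rule is awkward to apply uniformly: a credential type with no project_id gives the scope check nothing to compare, so it degrades to the owner check anyway.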